Category: Homeland Security

Source: US Department of Homeland Security

COLOMBIA, ESTADOS UNIDOS Y PANAMÁ
Cartagena de Indias, 26 de agosto de 2024

El Ministro de Relaciones Exteriores de la República de Colombia, Luis Gilberto Murillo, el Ministro de Relaciones Exteriores de la República de Panamá, Javier Martínez-Acha Vásquez y el Secretario de Seguridad Nacional de los Estados Unidos, Alejandro N. Mayorkas y sus delegaciones, reunidos en la ciudad de Cartagena de Indias, en el marco de la Tercera Reunión del Mecanismo Tripartito Sobre Migracion Irregular:

Afirmaron que el abordaje de la migración irregular parte del reconocimiento de responsabilidad compartida, y desde un enfoque multidimensional y de derechos humanos, resaltaron el alto valor que representan los principios y compromisos asumidos por los gobiernos de Panamá, Estados Unidos, y Colombia, en la Declaración de Los Ángeles sobre Migración y Protección y sus pilares, en colaboración con las organizaciones internacionales.

Los gobiernos de Panamá, Estados Unidos y Colombia tienen una larga historia de colaboración. En los últimos tres años, específicamente, esta colaboración ha tenido resultados notables que incluyen la regularización de 2.5 millones de migrantes venezolanos en Colombia, el establecimiento de las Oficinas de Movilidad Segura para otorgar el acceso a vías legales para los Estados Unidos y otros países para migrantes, el anuncio de Colombia de expandir la regularización para venezolanos que no se encuentran cubiertos bajo el Estatuto Temporal de Protección, esfuerzos conjuntos para abordar la trata de personas en la región del Darién.

Del mismo modo, Panamá ha aumentado la capacidad para el programa de repatriación para aquellos que carecen de base legal para permanecer en Panamá. Estos esfuerzos en la región, junto con los Estados Unidos, contribuyen a una gestión coordinada de la migración irregular.

Los tres gobiernos reconocen las amenazas que representan las organizaciones criminales transnacionales, que se lucran de la explotación de los migrantes. En tal sentido, reafirman su compromiso para identificar distintos mecanismos que permitan desmantelar estas redes y llevar a estos criminales ante la justicia. Así mismo, se comprometen a mejorar el intercambio de información.

Los tres países reconocen que los flujos migratorios irregulares que transitan por la frontera entre Colombia y Panamá son de alcance global e involucran poblaciones de más de 90 nacionalidades, algunos de los cuales entraron a la región por terceros países. En este sentido, las partes se comprometieron a incentivar el diálogo con terceros países en la región, para aumentar alternativas seguras, ordenadas y humanas que reduzcan la migración irregular.

Colombia y Panamá destacan la importancia de proteger los ecosistemas estratégicos y comunidades locales asentadas en su frontera común. En tal sentido, los Estados Unidos se comprometen con fortalecer la cooperación para el desarrollo de dichas comunidades.

Comprometidos con la necesidad de ampliar mecanismos de protección de las poblaciones migrantes bajo los principios interamericanos sobre los derechos humanos, los tres países expresan su voluntad de fortalecer las políticas migratorias que respaldan los esfuerzos de regularización e integración socioeconómica de los migrantes; promover y respetar las vías migratorias regulares; e impulsar acciones que protejan a los migrantes en condición de vulnerabilidad.

Coincidieron en la implementación de un plan de trabajo con acciones concretas y realistas que fortalezcan la presencia estatal de Colombia y Panamá en su frontera común. Así mismo, se comprometieron a mejorar los mecanismos de control y regulación, el intercambio de información y la verificación de identidad.

  Los tres países se comprometen a fortalecer la cooperación para desarticular las redes de trata y tráfico de migrantes, mejorar la asistencia humanitaria a las poblaciones migrantes y buscar mecanismos de protección para grupos vulnerables, contemplando opciones humanitarias tales como los mecanismos vigentes de tránsito entre países.

Lo anterior en el marco de los principios y normas internacionales de derechos humanos, de la responsabilidad compartida en la gestión migratoria en la región y hacia la búsqueda de una cooperación internacional que reconozca las brechas y necesidades en materia de desarrollo.

Los jefes de delegación instruyeron a sus autoridades competentes en materia migratoria a que realicen una reunión técnica, en el término máximo de noventa (90) días a partir de la adopción de la presente Declaración, para que elaboren y presenten un cronograma y plan de ejecución con actividades que construyan sobre el avance que han hecho los tres países con acciones concretas.

Jefe de la delegación de Colombia
Jefe de la Delegación de Estados  Unidos
Jefe de la Delegación de Panamá

 

Source: US Department of Homeland Security

COLOMBIA, UNITED STATES AND PANAMA
Cartagena de Indias, August 26th, 2024

The Colombian Minister of Foreign Affairs Luis Gilberto Murillo, the United States Secretary of Homeland Security Alejandro N. Mayorkas, and the Panamanian Minister of Foreign Affairs Javier Eduardo Martinez-Acha led the high-level delegation that met in Cartagena de Indias for their Third Trilateral Meeting on Irregular Migration:

Together, they affirmed that addressing irregular migration begins with the recognition of shared responsibility, with a multi-pronged approach and highlighted the great value of the principles and commitments made by the governments of Colombia, Panama and the United States, framed in the pillars of the Los Angeles Declaration on Migration and Protection, in partnership with key international organizations.

The governments of Panama, the United States, and Colombia have a long history of collaboration. Over the last three years specifically, that collaboration has yielded notable results, including the regularization of 2.5 million Venezuelan migrants in Colombia, the establishment of Safe Mobility Offices to provide access to lawful pathways to the United States and other countries for migrants, Colombia’s announcement to expand regularization to Venezuelans not covered under its temporary protected status, joint efforts to address human smuggling in the Darien region.

Along those lines, Panama has increased its capacity with regards to repatriating those without a legal basis to remain in Panama. These efforts in the region, and with U.S. support, all contribute to coordinated management of irregular migration management. 

The three governments recognize the threats posed by transnational criminal organizations that profit from the exploitation of migrants. Thus they reaffirm their commitment to identifying diverse mechanisms that serve to dismantle these networks and to bring these criminals to justice. Consistent with that, they commit to enhancing information sharing.

The three partner countries recognize that irregular migration flows along the Colombia-Panama border have global implications, involving more than 90 different nationalities some of which have entered the region through third countries. As such, the partners committed to incentivizing dialogue with others across the region to reduce irregular migration, by increasing safe, orderly and humane migration alternatives.

Colombia and Panama emphasized the importance of protecting strategic ecosystems and local communities along their shared border. Consistent with that, the United States is committed to strengthening cooperation on the development of those communities.

Committed to expanding protection mechanisms for migrant populations in each of their territories based on InterAmerican human rights principles, the three countries expressed their will to strengthening migration policies that support efforts for the socioeconomic regularization and integration of migrants, and to promoting and respecting lawful pathways, and advancing actions that protect migrants in vulnerable conditions.

The leaders agreed to implement a plan of action with concrete and realistic steps to strengthen Colombian and Panamanian state presence along their shared border. Along those lines, they committed to improving control and regulation mechanisms, to the sharing of information, and identity verification.

The three countries committed to strengthening their cooperation to disband human trafficking and migrant smuggling networks, improving humanitarian assistance to migrant populations, and to identifying mechanisms for protection for vulnerable groups, considering humanitarian options such as existing mechanisms for transit between countries.

That is consistent with international human rights principles and norms, stemming from a shared responsibility to manage migration in the region, and toward identifying international cooperation that addresses existing development gaps and needs.
The heads of delegation instructed their respective teams to hold a technical meeting no later than 90 days from the adoption of this joint statement and to develop and present an action plan and timeframe that through concrete actions builds on the progress the three countries have made.
 

Head of Delegation of Colombia
Head of Delegation of the United States
Head of Delegation of Panama

Source: US Department of Homeland Security

WASHINGTON — Today, the Department of Homeland Security announced final allocations of nearly $724 million in six Fiscal Year (FY) 2024 competitive preparedness grant programs. This includes $454.5 million in funding for the Nonprofit Security Grant Program, an increase of $149.5 million from FY 2023, which will provide critical funding for faith-based groups and others to prevent and protect themselves from the heightened threat environment we face today.

These allocations, together with the more than $1.25 billion in non-competitive grant funding announced earlier this year, total almost $1.98 billion in FY 2024 to help prepare our nation against threats and natural disasters. 

The grant programs provide funding to state, local, tribal and territorial governments, nonprofit agencies, and the private sector to build and sustain capabilities to prevent, protect against, respond to and recover from acts of terrorism and other disasters. The total amount for each grant program is set by Congress and the allocations are made by the Department through a competitive process. 

“The Department of Homeland Security is proud to work together with our federal, state, local, tribal, territorial and other partners to increase our nation’s resilience in a constantly evolving threat environment,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The funds announced today will provide communities across the country with vital resources necessary to strengthen their security and guard against terrorism and other threats. The impact of these grants will be measured in lives saved and tragedies averted.” 

Preparedness Grant Program Allocations for Fiscal Year 2024 

The following grants are competitive, with allocations announced today:  

Operation Stonegarden: provides $81 million to enhance cooperation and coordination among state, local, tribal, territorial, and federal law enforcement agencies to jointly enhance security along the United States land and water borders. 

Tribal Homeland Security Grant Program: provides $13.5 million to eligible Tribal Nations to implement preparedness initiatives to help strengthen the nation against risk associated with potential terrorist attacks and other hazards. 

Nonprofit Security Grant Program: provides $454.5 million to support target hardening and other physical security enhancements for nonprofit organizations that are at high risk of a terrorist attack. This year, $227.25 million is provided to nonprofits in Urban Area Security Initiative-designated areas, and $227.25 million is provided to nonprofits outside those designated urban areas located in any state or territory. 

Port Security Grant Program: provides $90 million to help protect critical port infrastructure from terrorism, enhance maritime domain awareness, improve port-wide maritime security risk management, and maintain or re-establish maritime security mitigation protocols that support port recovery and resiliency capabilities. 

Transit Security Grant Program: provides $83.7 million to owners and operators of public transit systems to protect critical surface transportation and the traveling public from acts of terrorism and to increase the resilience of transit infrastructure.

Intercity Bus Security Grant Program: provides $1.8 million to owners and operators of intercity bus systems to protect surface transportation infrastructure and the traveling public from acts of terrorism and to increase the resilience of transit infrastructure. Eligible applicants receiving approval for funding requested only $1,214,968 of the $1.8 million made available this fiscal year. 

The following non-competitive grants were announced earlier this year to recipients based on a number of factors: 

State Homeland Security Program: provides $373.5 million to support the implementation of risk-driven, capabilities-based state homeland security strategies to address capability targets. Awards are based on statutory minimums and relative risk as determined by DHS/FEMA’s risk methodology. 

Urban Area Security Initiative: provides $553.5 million to enhance regional preparedness and capabilities in 31 high-threat, high-density areas. Awards are based on relative risk as determined by the Department’s risk methodology. 

Emergency Management Performance Grant: provides $319.55 million to assist state, local, tribal, and territorial emergency management agencies in obtaining the resources required to support the National Preparedness Goal’s associated mission areas and core capabilities to build a culture of preparedness. 

Intercity Passenger Rail: provides $9 million to Amtrak to protect critical surface transportation infrastructure and the traveling public from acts of terrorism and increase the resilience of the Amtrak rail system. Award made per congressional direction. 

Further information on preparedness grant programs is available at www.dhs.gov and www.fema.gov/grants.  

Source: US Department of Homeland Security

WASHINGTON – On Wednesday, extensive coordination and collaboration between the Department of Homeland Security, the Justice Department and domestic and international partners resulted in a major enforcement operation that dismantled a human smuggling network based in Guatemala. In June 2022, this network smuggled people into the United States on a journey that ended with the deaths of 53 migrants in a tractor-trailer in San Antonio, Texas. Twenty-one of the deceased migrants were Guatemalan. 

This case is part of Joint Task Force Alpha (JTFA), created by Secretary of Homeland Security Alejandro N. Mayorkas and Attorney General Merrick B. Garland in June 2021 to strengthen U.S. enforcement efforts against human smuggling emanating from Central America. 

On Aug. 21, Guatemalan law enforcement executed multiple search and arrest warrants across Guatemala, working together with United States law enforcement agents. At the request of the United States, Guatemalan authorities arrested Guatemalan national Rigoberto Ramon Miranda-Orozco, who has been indicted in the Western District of Texas in connection with the investigation. Six individuals arrested as part of the operation will be charged locally in Guatemala. 

Miranda-Orozco, 47, whose indictment was unsealed today, allegedly conspired with other smugglers to facilitate the travel of four migrants from Guatemala through Mexico, and ultimately, to the United States. He allegedly charged the migrants, or their families and friends, approximately $12,000 to $15,000 for the journey. The indictment alleges that three of these migrants perished in the tractor-trailer, and the fourth suffered serious bodily injury. Miranda-Orozco is charged with six counts related to migrant smuggling resulting in death or serious bodily injury. He faces maximum penalties of life in prison. 

“Smugglers prey on migrants and seek profits with complete disregard for human life, as we saw in this tragic incident that killed 53 people,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The men and women at Homeland Security Investigations (HSI) and U.S. Customs and Border Protection (CBP) work every day to disrupt these sophisticated smuggling networks, and we will continue to work alongside our federal and international partners to dismantle them at every level of operation.” 

“Over the past two years, the Justice Department has worked methodically to hold accountable those responsible for the horrific tragedy in San Antonio that killed 53 people who had been preyed on by human smugglers,” said Attorney General Garland. “With these arrests, the Justice Department and our partners in Guatemala have now arrested a total of 14 people for their alleged involvement in this tragedy. We are committed to continuing to work with our partners both in the United States and abroad to target the most prolific and dangerous human smuggling groups operating in Mexico, Guatemala, El Salvador, Honduras, Colombia, and Panama.” 

“In launching Joint Task Force Alpha three years ago, the Department of Justice directed every tool at our disposal to the dismantling of human smuggling networks across the continent. And after the tragic deaths of 53 migrants in June 2022, we pledged to hold accountable those responsible, no matter where they live or operate,” said Deputy Attorney General Lisa Monaco. “Today’s arrests in Guatemala are a continued fulfillment of that pledge. We will not rest in our efforts to disrupt the smuggling networks that capitalize on desperation and foster misery throughout the Western Hemisphere.” 

“As alleged in the indictment, Miranda-Orozco recruited some of the migrants who died in the back of a tractor-trailer near San Antonio, Texas, in June 2022, and worked with a network of smugglers to transport them from Guatemala through Mexico into the United States,” said Principal Deputy Assistant Attorney General Nicole Argentieri, head of the Justice Department’s Criminal Division. “This tragedy is a dire warning of the dangers that human smugglers cause by exposing migrants to life-threatening conditions for the smugglers’ financial gain. Dismantling human smuggling networks is a critical priority for the Criminal Division, and we will continue to work with our domestic and international law enforcement partners to investigate and prosecute these cases, no matter where the offenders may be found.” 

“This was a complex operation and a major success for the progression of this case — apprehending a key orchestrator of the horrendous smuggling operations in which families were charged thousands of dollars for trusted transport across the U.S. border from Guatemala and other countries,” said U.S. Attorney Jaime Esparza for the Western District of Texas. “This significant development in the case demonstrates the commitment of this office, the Department of Justice, and our partners at all necessary levels, to ensure all 53 migrants who died in the 2022 tractor-trailer tragedy get their justice.” 

“HSI is deeply immersed in the global fight against human smuggling that includes our international operations within Central and South America. These arrests reflect the disruption of Central American human smuggling organizations that recruit, organize and transport people,” said HSI Executive Associate Director Katrina W. Berger. “Combating this prolific, transnational crime is one of our top priorities. Our special agents and criminal analysts are actively engaged with law enforcement partners and task forces around the globe working to dismantle criminal networks that treat human life like a commodity. HSI will keep exhausting every resource available to bring human smugglers to justice.” 

“The men and women of CBP are unwavering in their commitment to combat and dismantle the human smuggling networks that ruthlessly exploit and endanger the lives of migrants — from the time of this tragic incident in San Antonio, to today’s important step in bringing those responsible to justice,” said Senior Official Performing the Duties of the Commissioner Troy A. Miller of the CBP. “Our collective work through Joint Task Force Alpha remains critical to our ongoing efforts at disrupting smuggling operations across the hemisphere and the world.” 

The human smuggling organization allegedly loaded 65 migrants into a tractor-trailer, which court documents allege lacked functioning air conditioning as it drove north on a Texas interstate. As temperatures rose, some of the migrants inside the trailer allegedly lost consciousness, while others clawed at the walls, trying to escape. By the time the tractor-trailer reached San Antonio, the indictment alleges, 48 migrants had already died. Another five migrants died after being transported to local hospitals. Six children and a pregnant woman were among the deceased. 

The U.S. Attorney’s Office for the Western District of Texas has previously charged seven other defendants for their alleged involvement in this smuggling event, including through indictments filed in 2022 and 2023. Four of these seven defendants have pleaded guilty. 

The indictment against Miranda-Orozco and the cooperation between U.S. and Guatemalan authorities were spearheaded by JTFA and the U.S. Attorney’s Office for the Western District of Texas. Given the rise in prolific and dangerous smuggling emanating from Central America with effects in the United States, JTFA’s goal is to disrupt and dismantle human smuggling and trafficking networks operating in El Salvador, Guatemala, Honduras, Mexico, Colombia, and Panama with a focus on networks that endanger, abuse or exploit migrants, present national security risks, or engage in other types of transnational organized crime. 

Since its creation, JTFA has successfully increased coordination and collaboration between the Department of Homeland Security, Justice Department, and other interagency law enforcement participants, and with foreign law enforcement partners, including El Salvador, Guatemala, Honduras, Mexico, Colombia, and Panama; targeted those organizations who have the most impact on the United States; and coordinated significant smuggling indictments and extradition efforts in U.S. Attorneys’ Offices across the country. JTFA is comprised of detailees from southwest border U.S. Attorneys’ Offices, including the Southern District of Texas, Western District of Texas, District of Arizona, and Southern District of California, and dedicated support for the program is also provided by numerous components of the Justice Department’s Criminal Division that are part of JTFA — led by the Human Rights and Special Prosecutions Section (HRSP), and supported by the Office of Prosecutorial Development, Assistance, and Training, Narcotic and Dangerous Drug Section, Money Laundering and Asset Recovery Section, Office of Enforcement Operations, Justice Department’s Office of International Affairs (OIA), and Violent Crime and Racketeering Section. JTFA is made possible by substantial law enforcement investment from Department of Homeland Security, FBI, Drug Enforcement Administration, and other partners. 

HSI San Antonio investigated the case, with valuable assistance from HSI Guatemala and the HSI Human Smuggling Unit in Washington, D.C. CBP’s National Targeting Center/Operation Sentinel; U.S. Border Patrol; Bureau of Alcohol, Tobacco, Firearms and Explosives; San Antonio Police Department; San Antonio Fire Department; Palestine Police Department, OIA, and OPDAT provided valuable assistance. The Justice Department thanks Guatemalan law enforcement, who were instrumental in furthering this investigation. 

HRSP Trial Attorney Alexandra Skinnion and Assistant U.S. Attorneys Jose Luis Acosta, Eric Fuchs, Sarah Spears, and Amanda Brown for the Western District of Texas are prosecuting the case, with assistance from HRSP Historian/Latin America Specialist Joanna Crandall. 

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law. 

 

Source: US Department of Homeland Security

Executive Summary

This publication defines a baseline for event logging best practices to mitigate cyber threats. It was developed by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) in cooperation with the following international partners: 

• United States (US) Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA).
• United Kingdom (UK) National Cyber Security Centre (NCSC-UK).
• Canadian Centre for Cyber Security (CCCS).
• New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team (CERT NZ).
• Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and Computer Emergency Response Team Coordination Center (JPCERT/CC).
• The Republic of Korea National Intelligence Services (NIS) and NIS’s National Cyber Security Center (NCSC-Korea).
• Singapore Cyber Security Agency (CSA).
• The Netherlands General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD).

Event logging supports the continued delivery of operations and improves the security and resilience of critical systems by enabling network visibility. This guidance makes recommendations that improve an organization’s resilience in the current cyber threat environment, with regard for resourcing constraints. The guidance is of moderate technical complexity and assumes a basic understanding of event logging.

An effective event logging solution aims to:

• Send alerts to the network defenders responsible for monitoring when cyber security events such as critical software configuration changes are made or new software solutions are deployed.
• Identify cyber security events that may indicate a cyber security incident, such as malicious actors employing living off the land (LOTL) techniques or lateral movement post-compromise.
• Support incident response by revealing the scope and extent of a compromise.
• Monitor account compliance with organizational policies.
• Reduce alert noise, saving on costs associated with storage and query time.
• Enable network defenders to make agile and informed decisions based on prioritization of alerts and analytics.
• Ensure logs and the logging platforms are useable and performant for analysts.

There are four key factors to consider when pursuing logging best practices:

1. Enterprise-approved event logging policy.
2. Centralized event log access and correlation.
3. Secure storage and event log integrity.
4. Detection strategy for relevant threats.

To access the PDF version of this report, visit here.

Introduction

The increased prevalence of malicious actors employing LOTL techniques, such as LOTL binaries (LOLBins) and fileless malware, highlights the importance of implementing and maintaining an effective event logging solution. As demonstrated in the joint-sealed publication Identifying and Mitigating Living Off the Land Techniques, advanced persistent threats (APTs) are employing LOTL techniques to evade detection. The purpose of this publication is to detail best practice guidance for event logging and threat detection for cloud services, enterprise networks, enterprise mobility, and operational technology (OT) networks. The guidance in this publication focuses on general best practices for event logging and threat detection; however, LOTL techniques feature as they provide a great case study due to the high difficulty in detecting them.

Audience

This guidance is technical in nature and is intended for those within medium to large organizations. As such, it is primarily aimed at:

• Senior information technology (IT) and OT decision makers.
• IT and OT operators.
• Network administrators.
• Critical infrastructure providers.

Best Practices

Enterprise-approved Event Logging Policy

Developing and implementing an enterprise approved logging policy improves an organization’s chances of detecting malicious behavior on their systems and enforces a consistent method of logging across an organization’s environments. The logging policy should take into consideration any shared responsibilities between service providers and the organization. The policy should also include details of the events to be logged, event logging facilities to be used, how event logs will be monitored, event log retention durations, and when to reassess which logs are worthy of collection.

Event Log Quality

Organizations are encouraged to implement an event logging policy focused on capturing high-quality cyber security events to aid network defenders in correctly identifying cyber security incidents. In the context of cyber security incident response and threat detection, event log quality refers to the types of events collected rather than how well a log is formatted. Log quality can vary between organizations due to differences in network environments, the reason behind the need to log, differences in critical assets and the organization’s risk appetite. 

Useful event logs enrich a network defender’s ability to assess security events to identify whether they are false positives or true positives. Implementing high-quality logging will aid network defenders in discovering LOTL techniques that are designed to appear benign in nature.

Note: Capturing a large volume of well-formatted logs can be invaluable for incident responders in forensics analysis scenarios. However, organizations are encouraged to properly organize logged data into ‘hot’ data storage that is readily available and searchable, or ‘cold’ data storage that has deprioritized availability and is stored through more economical solutions – an important consideration when evaluating an organization’s log storage capacity.

For more information on how to prioritize collection of high-quality event logs please refer to CISA’s Guidance for Implementing M-21-3: Improving the Federal Government’s Investigative and Remediation Capabilities.[1] 

To strengthen detection of malicious actors employing LOTL techniques, some relevant considerations for event logging include:

• On Linux-based systems, logs capturing the use of curl, systemctl, systemd, python and other common LOLBins leveraged by malicious actors.
• On Microsoft Windows-based systems, logs capturing the use of wmic.exe, ntdsutil.exe, Netsh, cmd.exe, PowerShell, mshta.exe, rundll32.exe, resvr32.exe and other common LOLBins leveraged by malicious actors. Ensure that logging captures command execution, script block logging and module logging for PowerShell, and detailed tracking of administrative tasks.
• For cloud environments, logging all control plane operations, including API calls and end user logins. The control plane logs should be configured to capture read and write activities, administrative changes, and authentication events.

Captured Event Log Details

As a part of an organization’s event logging policy, captured event logs should contain sufficient detail to aid network defenders and incident responders. If a logging solution fails to capture data relevant to security, its effectiveness as a cyber security incident detection capability is heavily impacted.

The US Office of Management and Budget’s M-21-31[2] outlines a good baseline for what an event log should capture, if applicable:

• Properly formatted and accurate timestamp (millisecond granularity is ideal).
• Event type (status code).
• Device identifier (mac address or other unique identifier).
• Session/transaction ID.
• Autonomous system number.
• Source and destination IP (includes both IPv4 and IPv6).
• Status code.
• Response time.
• Additional headers (e.g., HTTP headers).
• The user ID, where appropriate.
• The command executed, where appropriate.
• A unique event identifier to assist with event correlation, where possible.

Note: Where possible, all data should be formatted as ‘key-value-pairs’ to allow for easier extraction.

Operational Technology Considerations

Network administrators and network operators should take into consideration the OT devices within their OT networks. Most OT devices use embedded software that is memory and/or processor constrained. An excessive level of logging could adversely affect the operation of those OT devices. Additionally, such OT devices may not be capable of generating detailed logs, in which case, sensors can be used to supplement logging capabilities. Out-of-band log communications, or generating logs based on error codes and the payloads of existing communications, can account for embedded devices with limited logging capabilities.

Additional Resources

Content and Format Consistency

When centralizing event logs, organizations should consider using a structured log format, such as JSON, where each type of log captures and presents content consistently (that is, consistent schema, format, and order). This is particularly important when event logs have been forwarded to a central storage facility as this improves a network defender’s ability to search for, filter and correlate event logs. Since logs may vary in structure (or lack thereof), implementing a method of automated log normalization is recommended. This is an important consideration for logs that can change over time or without notice such as software and software-as-a-service (SaaS) logs.

Timestamp Consistency

Organizations should consider establishing an accurate and trustworthy time source and use this consistently across all systems to assist network defenders in identifying connections between event logs. This should also include using the same date-time format across all systems. Where possible, organizations should use multiple accurate time sources in case the primary time source becomes degraded or unavailable. Note that, particularly in distributed systems, time zones and distance can influence how timestamps read in relation to each other. Network owners, system owners and cyber security incident responders are encouraged to understand how this could impact their own environments. ASD and co-authors urge organizations to consider implementing the recommendations below to help ensure consistent timestamp collection.

• Time servers should be synchronized and validated throughout all environments and set to capture significant events, such as device boots and reboots.
• Using Coordinated Universal Time (UTC) has the advantage of no time zones as well as no daylight savings, and is the preferred time standard.
  • Implement ISO 8601 formatting, with the year listed first, followed by the month, day, hour, minutes, seconds, and milliseconds (e.g., 2024-07-25T20:54:59.649Z).
• Timesharing should be unidirectional. The OT environment should synchronize time sync with the IT environment and not the other way around.
• Data historians may be implemented on some operational assets to record and store time-series data of industrial processes running on the computer system. These can provide an additional source of event log data for OT networks.

Additional Resources

• ASD has released Windows Event Logging and Forwarding guidance that details important event categories and recommendations for configurations, log retention periods and event forwarding.
• For more information about logging, please explore CISA’s Logging Made Easy (LME), a no-cost solution providing essential log management for small to medium-sized organizations, on CISA’s website or GitHub page.
• The Joint SIGINT Cyber Unit (JSCU) of the AIVD and MIVD has published a repository on GitHub with a Microsoft Windows event logging and collections baseline focused on finding balance between forensic value and optimizing retention. You can find this repository on the JSCU’s GitHub.

Event Log Retention

Organizations should ensure they retain logs for long enough to support cyber security incident investigations. Default log retention periods are often insufficient. Log retention periods should be informed by an assessment of the risks to a given system. When assessing the risks to a system, consider that in some cases, it can take up to 18 months to discover a cyber security incident and some malware can dwell on the network from 70 to 200 days before causing overt harm.[3] Log retention periods should also be compliant with any regulatory requirements and cyber security frameworks that may apply in an organization’s jurisdiction. Logs that are crucial in confirming an intrusion and its impact should be prioritized for longer retention. 

It is important to review log storage allocations, in parallel with retention periods. Insufficient storage is a common obstacle to log retention. For example, many systems will overwrite old logs when their storage allocation is exhausted. The longer that logs can be kept, the higher the chances are of determining the extent of a cyber security incident, including the potential intrusion vectors that require remediation. For effective security logging practices, organizations should implement data tiering such as hot and cold storage. This ensures that logs can be promptly retrieved to facilitate querying and threat detection.

Centralized Log Collection and Correlation

The following sections detail prioritized lists of log sources for enterprise networks, OT, cloud computing and enterprise mobility using mobile computing devices. The prioritization takes into consideration the likelihood that the logged asset will be targeted by a malicious actor, as well as the impact if the asset were to be compromised. It also prioritizes log sources that can assist in identifying LOTL techniques. Please note that this is not an exhaustive list of log sources and their threats, and their priority may differ between organizations.

Logging Priorities for Enterprise Networks

Enterprise networks face a large variety of cyber threats. These include malware, malicious insiders, and exploitation of unpatched applications and services. In the context of LOTL, enterprise networks provide malicious actors with a wide variety of native tools to exploit.

ASD and co-authors recommend that organizations prioritize the following log sources within their enterprise network:

1. Critical systems and data holdings likely to be targeted.
2. Internet-facing services, including remote access, network metadata, and their underlying server operating system.
3. Identity and domain management servers.
4. Any other critical servers.
5. Edge devices such as boundary routers and firewalls.
6. Administrative workstations.
7. Highly privileged systems such as configuration management, performance and availability monitoring (in cases where privileged access is used), Continuous Integration/Continuous Delivery (CI/CD), vulnerability scanning services, secret and privilege management.
8. Data repositories.
9. Security-related and critical software.
10. User computers.
11. User application logs.
12. Web proxies used by organizational users and service accounts.
13. DNS services used by organizational users.
14. Email servers.
15. DHCP servers.
16. Legacy IT assets (that are not previously captured in critical or internet-facing services).

ASD and co-authors recommend organizations monitor lower priority logs as well. These include:

• Underlying infrastructure, such as hypervisor hosts.
• IT devices, such as printers.
• Network components such as application gateways.

Logging Priorities for Operational Technology

Historically, IT and OT have operated separately and have provided distinct functions within organizations. Advancements in technology and digital transformation have led to the growing interconnectedness and convergence of these networks. Organizations are integrating IT and OT networks to enable the seamless flow of data between management systems and industrial operations. Their integration has introduced new cyber threats to OT networks. For example, malicious actors can access OT networks through IT networks by exploiting unpatched vulnerabilities, delivering malware, or conducting denial-of-service campaigns to impact critical services. 

ASD and co-authors recommend that organizations prioritize the following log sources in their OT environment:

1. OT devices critical to safety and service delivery, except for air-gapped systems.[4]
2. Internet-facing OT devices.
3. OT devices accessible via network boundaries.

Note that in cases where OT devices do not support logging, device logs are not available, or are available in a non-standard format, it is good practice to ensure network traffic and communications to and from the OT devices are logged.

Logging Priorities for Enterprise Mobility Using Mobile Computing Devices

Enterprise mobility is an important aspect of an organization’s security posture. Mobile device management (MDM) solutions allow organizations to manage the security of their enterprise mobility, typically including logging functionality. In the context of enterprise mobility, the aim of effective event logging is to detect compromised accounts or devices; for example, due to phishing or interactions with malicious applications and websites.

ASD and co-authors recommend organizations priorities the following log sources in their enterprise mobility solution:

1. Web proxies used by organizational users.
2. Organization operated DNS services.
3. Device security posture of organizationally managed devices.
4. Device behavior of organizationally managed devices.
5. User account behavior such as sign-ins.
6. VPN solutions.
7. MDM and Mobile Application Management (MAM) events.[5]

Additional monitoring should be implemented in collaboration with the telecommunications network provider. Such monitoring includes:

• Signaling exploitation.
• Binary/invisible SMS.
• CLI spoofing.
• SIM/eSIM activities such as SIM swapping.
• Null cipher downgrade.
• Connection downgrade (false base station).
• Network API/query against user.
• Roaming traffic protection.
• Roaming steering.

Organizations should obtain legal advice about what can be logged from any personally owned mobile devices that are enrolled in an MDM solution. For example, logging GPS location may be subject to restrictions.

Logging Priorities for Cloud Computing

ASD and co-authors recommend organizations adjust event logging practices in accordance with the cloud service that is administered, whether infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), or SaaS are implemented.  For example, IaaS would include a significant amount of logging responsibility on the tenant, whereas SaaS would place a significant amount of the logging responsibility on the provider. Therefore, organizations should coordinate closely with their cloud service provider to understand the shared-responsibility model in place, as it will influence their logging priorities. Logging priorities will also be influenced by different cloud computing service models and deployment models (that is, public, private, hybrid, community). Where privacy and data sovereignty laws apply, logging priorities may also be influenced by the location of the cloud service provider’s infrastructure. See NSA’s Manage Cloud Logs for Effective Threat Hunting guidance for additional information.

Organizations should prioritize the following log sources in their use of cloud computing services:

1. Critical systems and data holdings likely to be targeted.
2. Internet-facing services (including remote access) and, where applicable, their underlying server operating systems.
3. Use of the tenant’s user accounts that access and administer cloud services.
4. Logs for administrative configuration changes.
5. Logs for the creation, deletion and modification of all security principals, including setting and changing permissions.
6. Authentication success and/or failures to third party services (e.g., SAML/OAuth).
7. Logs generated by the cloud services, including logs for cloud APIs, all network-related events, compliance events and billing events.

Secure Storage and Event Log Integrity

ASD and co-authors recommend that organizations implement a centralized event logging facility such as a secured data lake to enable log aggregation and then forward select, processed logs to analytic tools, such as security information and event management (SIEM) solution and extended detection and response (XDR) solutions. Many commercially available network infrastructure devices have limited local storage. Forwarding event logs to a centralized and secure storage capability prevents the loss of logs once the local device’s storage is exhausted [CPG 2.U]. This can be further mitigated by ensuring default maximum event log storage sizes are configured appropriately on local devices. In the event of a cyber security incident, an absence of historical event logs will frequently have a negative impact on cyber security incident response activities. 

Secure Transport and Storage of Event Logs

ASD and co-authors recommend that organizations implement secure mechanisms such as Transport Layer Security (TLS) 1.3 and methods of cryptographic verification to ensure the integrity of event logs in-transit and at rest. Organizations should prioritize securing and restricting access to event logs that have a justified requirement to record sensitive data.

Protecting Event Logs from Unauthorized Access, Modification and Deletion

It is important to perform event log aggregation as some malicious actors are known to modify or delete local system event logs to avoid detection and to delay or degrade the efficacy of cyber security incident response. Logs may contain sensitive data that is useful to a malicious actor. As a result, users should only have access to the event logs they need to do their job.

An event logging facility should enable the protection of logs from unauthorized modification and deletion. Ensure that only personnel with a justified requirement have permission to delete or modify event logs and view the audit logs for access to the centralized logging environment.  The storage of logs should be in a separate or segmented network with additional security controls to reduce the risk of logs being tampered with in the event of network or system compromise. Events logs should also be backed up and data redundancy practices should be implemented.

Organizations are encouraged to harden and segment their SIEM solutions from general IT environments. SIEMs are attractive targets for malicious actors because they contain a wealth of information, provide an analysis function, and can be a single point of failure in an organization’s detection capability.  Organizations should consider filtering event logs before sending them to a SIEM or XDR to ensure it is receiving the most valuable logs to minimize any additional costs or capacity issues.

Centralized Event Logging Enables Threat Detection

The aggregation of event logs to a central logging facility that a SIEM can draw from enables the identification of: 

• Deviations from a baseline.
  • A baseline should include installed tools and software, user account behavior, network traffic, system intercommunications and other items, as applicable. Particular attention should be paid to privileged user accounts and critical assets such as domain controllers.
  • A baseline is derived by performing an analysis of normal behavior of some user accounts and establishing ‘always abnormal’ conditions for those same accounts.
• Cyber security events.
  • For the purpose of this document, a cyber security event is an occurrence of a system, service or network state indicating a possible breach of security policy, failure of safeguards or a previously unknown situation that may be relevant to security.
• Cyber security incidents.
  • For the purpose of this document, a cyber security incident is an unwanted or unexpected cyber security event, or a series of such events, that either has compromised business operations or has a significant probability of compromising business operations.

Timely Ingestion

Timely ingestion of event logs is important in the early detection of a cyber security events and cyber security incidents. If the generation, collection and ingestion of event logs is delayed, the organization’s ability to identify cyber security incidents is also delayed.

Detection Strategy for Relevant Threats

Detecting Living Off the Land Techniques

ASD and co-authors recommend that organizations consider implementing user and entity behavioral analytics capabilities to enable automated detection of behavioral anomalies on networks, devices, or accounts. SIEMs can detect anomalous activity by comparing event logs to a baseline of business-as-usual traffic and activity. Behavioral analytics plays a key role in detecting malicious actors employing LOTL techniques. Below is a case study that shows how threat actors leveraged LOTL to infiltrate Windows-based systems.

Case study – Volt Typhoon Since mid-2021, Volt Typhoon has targeted critical infrastructure organizations by relying almost exclusively on LOTL techniques. Their campaign has been enabled by privately-owned SOHO routers, infected with the ‘KV Botnet’ malware.  Volt Typhoon uses PowerShell, a command and scripting interpreter, to: Discover remote systems [T1059.001, T1018]. Identify associated user and computer account names using the command  Get-EventLog security –instanceid 4624 [T1033]. Enumerate event logs to search for successful logons using wevtutil.exe and the command Get-EventLog Security [T1654]. Volt Typhoon consistently obtains valid credentials by extracting the Active Directory database file NTDS.dit.[6]  To do so, Volt Typhoon has been observed to: Execute the Windows-native vsssadmin command to create a volume shadow copy [T1006]. Use Windows Management Instrumentation Console (WMIC) commands [T1047] to execute ntdsutil.exe to copy NTDS.dit and the SYSTEM registry from the volume shadow copy. Move laterally to the Microsoft Active Directory Domain Services (AD DS) domain controller via an interactive RDP session using a compromised user account with domain administrator privileges [T1021.001]. Other LOTL techniques that Volt Typhoon has been observed to use includes: Accessing hashed credentials from the Local Security Authority SubSystem Service (LSASS) process memory space [T1003.001]. Using ntdsutil.exe to create installation media from Microsoft AD DS domain controllers, either remote or locally, which contain username and password hashes [T1003.003]. Using PowerShell, WMIC, and the ping command, to facilitate system discovery [T1018]. Using the built-in netsh portproxy command to create proxies on compromised systems to facilitate access [T1090]. While Volt Typhoon uses LOTL techniques to make detection more difficult, the behaviors that the malware exhibits would be considered abnormal compared to business-as-usual activity and could be used to create detection use cases. For more information, consider visiting MITRE ATT&CK®’s Volt Typhoon page and the MITRE ATT&CK framework.

Source: US Department of Homeland Security

WASHINGTON, D.C. – Today, the Office of the Director of National Intelligence (ODNI), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) released the following statement: 

“As each of us has indicated in prior public statements, Iran seeks to stoke discord and undermine confidence in our democratic institutions. Iran has furthermore demonstrated a longstanding interest in exploiting societal tensions through various means, including through the use of cyber operations to attempt to gain access to sensitive information related to U.S. elections. In addition to these sustained efforts to complicate the ability of any U.S. administration to pursue a foreign policy at odds with Iran’s interests, the IC has previously reported that Iran perceives this year’s elections to be particularly consequential in terms of the impact they could have on its national security interests, increasing Tehran’s inclination to try to shape the outcome. We have observed increasingly aggressive Iranian activity during this election cycle, specifically involving influence operations targeting the American public and cyber operations targeting Presidential campaigns. 

This includes the recently reported activities to compromise former President Trump’s campaign, which the IC attributes to Iran. The IC is confident that the Iranians have through social engineering and other efforts sought access to individuals with direct access to the Presidential campaigns of both political parties. Such activity, including thefts and disclosures, are intended to influence the U.S. election process. It is important to note that this approach is not new.  Iran and Russia have employed these tactics not only in the United States during this and prior federal election cycles but also in other countries around the world.  

Protecting the integrity of our elections from foreign influence or interference is our priority.  As the lead for threat response, the FBI has been tracking this activity, has been in contact with the victims, and will continue to investigate and gather information in order to pursue and disrupt the threat actors responsible. We will not tolerate foreign efforts to influence or interfere with our elections, including the targeting of American political campaigns. As an interagency we are working closely with our public and private sector partners to share information, bolster security, and identify and disrupt any threats.  Just as this activity demonstrates the Iranians’ increased intent to exploit our online platforms in support of their objectives, it also demonstrates the need to increase the resilience of those platforms. Using strong passwords and only official email accounts for official business, updating software, avoiding clicking on links or opening attachments from suspicious emails before confirming their authenticity with the sender, and turning on multi-factor authentication will drastically improve online security and safety.

The FBI and CISA encourage campaigns and election infrastructure stakeholders to report information concerning suspicious or criminal activity to their local Election Crime Coordinators via FBI field office (), by calling 1-800-CALL-FBI (1-800-225-5324), or online at ic3.gov. Cyber incidents impacting election infrastructure can also be reported to CISA by calling 1-844-Say-CISA (1-844-729-2472), emailing report@cisa.dhs.gov, or reporting online at cisa.gov/report. Election infrastructure stakeholders and the public can find additional resources about how to protect against cyber and physical threats at CISA’s #PROTECT2024 (https://www.cisa.gov/protect2024).”

###

About CISA 

Source: US Department of Homeland Security

During emergency events, the Department of Homeland Security (DHS) works with its federal, state, local, and non-governmental partners to support the needs of the people in the areas that may be impacted.

In such circumstances, U.S. Immigration and Customs Enforcement (ICE) and U.S. Customs and Border Protection (CBP) remind the public that sites that provide emergency response and relief are considered protected areas. To the fullest extent possible, ICE and CBP do not conduct immigration enforcement activities at protected areas such as along evacuation routes, sites used for sheltering or the distribution of emergency supplies, food or water, or registration sites for disaster-related assistance or the reunification of families and loved ones.

At the request of FEMA or local and state authorities, ICE and CBP may help conduct search and rescue, air traffic de-confliction and public safety missions. ICE and CBP provide emergency assistance to individuals regardless of their immigration status. DHS officials do not and will not pose as individuals providing emergency-related information as part of any enforcement activities.

DHS is committed to ensuring that every individual who seeks shelter, aid, or other assistance as a result of a natural disaster or emergency event is able to do so regardless of their immigration status.

DHS carries out its mission without discrimination on the basis of race, religion, gender, sexual orientation or gender identity, ethnicity, disability or political associations, and in compliance with law and policy.

For information about filing a complaint with the DHS Office for Civil Rights and Civil Liberties about these matters, please visit our Make a Civil Rights Complaint page.

Source: US Department of Homeland Security

WASHINGTON – Today, as part of their public service announcement (PSA) series to put potential election day cyber related disruptions during the 2024 election cycle into context for the American people, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly released Just So You Know: Ransomware Disruptions During Voting Periods Will Not Impact the Security and Resilience of Vote Casting or Counting. FBI and CISA are issuing this PSA to inform the public that while ransomware attacks against state or local government networks or election infrastructure could cause localized delays, they will not compromise the security or accuracy of vote casting or counting processes.

To date, any successful ransomware attack on election infrastructure tracked by the FBI and CISA has remained localized and successfully managed with minimal disruption to election operations and no impact on the security or accuracy of ballot casting or tabulation processes or systems. In prior U.S. and foreign elections, malicious actors have sought to spread or amplify false or exaggerated claims about cyber incidents in an attempt to manipulate public opinion, discredit the electoral process, or undermine confidence in U.S. democratic institutions. We could see foreign actors attempt to mislead American voters about the actual impact of a ransomware event on elections in this election cycle as part of their larger foreign malign influence campaigns.

It is important for the public to know that election officials use a multi-layer approach to security that employs a variety of technological, physical, and procedural controls to prevent cyber intrusions, like ransomware, from impacting the security and resilience of vote casting and counting systems.

“While ransomware continues to be a significant cybersecurity concern, it is important to note that security measures put in place by election officials and election vendors ensure these incidents will not impact the security of the vote casting or tabulation systems and processes,” said CISA Senior Advisor Cait Conley. “We will continue to work tirelessly with our election infrastructure partners to uphold the American people’s confidence in 2024 elections and our democratic process.”

“Combatting ransomware attacks is a top priority for the FBI, especially during elections,” said FBI Cyber Division Deputy Assistant Director Cynthia Kaiser. “While the FBI will continue to leverage its tools and partnerships to combat cyber criminals, the public should be aware that ransomware is extremely unlikely to affect the integrity of voting systems or the electoral process.”

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram. 

Source: US Department of Homeland Security

GLYNCO – On August 15, the U.S. Department of Homeland Security (DHS) hosted an awards ceremony at the Federal Law Enforcement Training Center (FLETC) Headquarters in Glynco, Georgia, where 190 employees received a Secretary’s Award in recognition of their outstanding contributions to the Department’s mission.

“Every single day, with great determination, integrity, and skill, the 268,000 men and women of the Department of Homeland Security ensure the safety and security of the American people,” said Secretary of Homeland Security Alejandro N. Mayorkas. “Thanks to these extraordinary public servants, our shores, harbors, skies, cyberspace, and borders are protected; fentanyl and other deadly drugs are prevented from entering our country; communities are able to recover and rebuild after a natural disaster; the scourges of human trafficking, forced labor, and online exploitation are mitigated; and so much more. The individuals we recognize today with our Department’s highest honor, the Secretary’s Award, reflect the very best of DHS – and in their selfless dedication to mission, the very best of public service.”

The DHS Secretary’s Awards are an annual program that recognizes the extraordinary individual and collective achievements of the workforce. The 190 awardees recognized in today’s ceremony represent FLETC, U.S. Citizenship and Immigration Services (USCIS), Transportation Security Administration (TSA), U.S. Coast Guard (USCG), Immigration and Customs Enforcement (ICE), Cybersecurity and Infrastructure Security Agency (CISA), U.S. Customs and Border Protection (CBP), Federal Emergency Management Agency (FEMA), Countering Weapons of Mass Destruction Office (CWMD) and the Management (MGMT) directorate.

“In recognizing these outstanding DHS personnel with a Secretary’s Award, we recognize all our talented personnel; the achievements of one are not possible without the contributions of others,” added Secretary Mayorkas. “We also express our appreciation to their families and loved ones; when one serves, the family serves too.”

This year’s award recipients developed and issued policy and procedures associated with a whole-scale transition to a new pay system for TSA; launched a series of coordinated and collaborative initiatives, operations and investigations targeting Transnational Criminal Organizations (TCOs) and national security threats operating and transiting through the Darien Gap region; arrested over 8,000 human smugglers, produced over 5,000 intelligence reports, and seized over $38M USD in real property; ensured over 2,300 vital alerts and warnings were provided to owners and operators of critical infrastructure to protect against cyberattacks; among many other achievements.

This year, DHS is holding nine Secretary’s Awards ceremonies across the country, honoring over 1,700 employees, the most annual awardees ever.

Last year, Secretary Mayorkas unveiled 12 priorities for the Department, including a commitment to champion the workforce and transform the employee experience. DHS has the third largest workforce of any federal department, behind the Department of Defense and Department of Veterans Affairs. The Department is home to more than 92,000 sworn law enforcement officers, the greatest number of law enforcement officers of any department in the federal government. DHS has committed to increasing the representation of women in law enforcement or related occupations at DHS to 30% by 2030. Over 54,000 veterans, or nearly 21% of the workforce, continue serving their country by working at DHS.

DHS operational components interact more frequently on a daily basis with the American public than any other federal department, from travelers moving through air, land, and sea ports of entry, to businesses importing goods into the country, to immigrants applying for services. To learn more about the impact DHS makes every day, visit: DHS.gov/TodayDHSWill.

Last year, DHS improved the efficiency of processing noncitizens at the Southwest Border, deployed across the country to respond to natural disasters, investigated cybercrimes, created a new streamlined process for adjudicating asylum applications, safely and securely resettled nearly 90,000 evacuated Afghans in the United States, provided resources for organizations to enhance their cybersecurity resilience, established a process for Ukrainian nationals seeking refuge, secured the 2022 midterm elections, and demonstrated heroism by acting quickly and courageously to save lives in harrowing circumstances.  

For the full list of awardees, visit  2024 Secretary’s Awards | Homeland Security (dhs.gov).

###

Source: US Department of Homeland Security

WASHINGTON – Today, the Department of Homeland Security (DHS) is sharing new resources for educators, school administrators, coaches, and others who work with kids and teens to better understand the risks of online child sexual exploitation and abuse (CSEA) and help them stay safe online. For the first time, Know2Protect, DHS’s national public awareness campaign to prevent online CSEA, is providing tips and classroom materials directly targeted for educators, with the goal of raising awareness of the importance of internet safety as part of everyone’s back-to-school routine. These Know2Protect resources are part of a new Back2School campaign that is connecting with dozens of teaching groups, educational associations, youth-serving organizations, and other partners who can reach kids in schools during the academic year.

“The dangerous and too-often tragic reality is that predators target children online,” said Secretary of Homeland Security Alejandro N. Mayorkas. “Last year, there were more than 36 million reports of online child sexual exploitation worldwide. To combat this scourge, our Know2Protect campaign is equipping teachers, school administrators, and others – the trusted and well-positioned adults in whom children often confide – to help their students identify and prevent this crime. With a better understanding of online child sexual exploitation, tips for how to spot it when it occurs, and guidance on how to report incidents, we can protect our children online and save them from abuse and tragedy.”

“The Know2Protect Back2School resources are easy to understand, and they will help ensure that our Scouting parents and youth are better prepared to stay safe online,” explained Glen Pounder, Senior Vice President, and Chief Safeguarding Officer at Scouting America. “We are proud of our partnership with DHS and honored to be on the front line helping to protect children and youth online.”

“Empowering children with the knowledge to recognize and avoid the dangers of exploitation and abuse is critical in our mission to help make sure every child has a safe childhood,” said Derrick Driscoll, Chief Operating Officer of the National Center for Missing & Exploited Children. “Educational tools and resources, like DHS’s Know2Protect Back2School campaign, play a vital role in this effort. We are honored to partner with them, as together, we can make a real difference in protecting and educating our children.”

“Educators are often the first responders when it comes to dealing with the real-world impact of the horror of online child exploitation and abuse,” said American Federation of Teachers President Randi Weingarten. “They are dedicated to helping kids stay safe and to supporting them socially and emotionally when they encounter criminal activity. This back-to-school season, we are proud to be working with DHS to protect students and their families from this imminent and evolving threat.”

“Research shows the connection between students’ feelings of safety and security and the ability of their brains to learn,” said Elisa Villanueva Beard, Chief Executive Officer, Teach For America, and Chair, Homeland Security Academic Partnership Council (HSAPC). “DHS’s Know2Protect campaign and the resources they are providing are important steps to raise awareness of the prevalence of online threats against our country’s most precious resource, our children, and the need for all of us to be active in the effort to address these threats. Working together, we can ensure every child can learn, lead, and thrive without fear of being targeted online.”

“Keeping students safe online can sometimes feel like an overwhelming task for educators and parents alike,” said Suzanne Walsh, President of Bennett College. “Know2Protect’s Back2School campaign brings all relevant resources into one location. These resources are easy to access and use to help adults help students.”

One in five children receives an unwanted sexual solicitation online every year, according to statistics from the Department of Justice. Educating children and teens about these risks and what to do if they are targeted by online predators is key to preventing these heinous crimes. To reach more kids and teens during the busy back-to-school season, Know2Protect is supporting teachers, coaches, and school administrators who will spend more time with kids as the school year starts. kids as the school year starts.

To reach as many students as possible, Know2Protect is connecting with dozens of youth-serving and educational associations across the country to share our Back2School resources.  Know2Protect has developed several important educational, age-appropriate, downloadable #Back2School with Know2Protect resources to help keep kids safe online:

• Resources2Educate, including our short iGuardian Training Videos, Tips2Identify Exploitation and Abuse for Educators, and other tips for kids, teens, and parents to stay safe online.
• Resources2Send Home, such as the Know2Protect First Day of School Picture Sign, a Family Online Safety Agreement, and an Internet Safety Checklist to prompt families to think about online safety at home.
• Resources2Display in Your School, such as digital and printable posters and tipsheets to display in classrooms, hallways, and more.
• Activities for the Classroom, such as 10 Minutes2Protect activities using Tips2Protect for Teens, Crossword Puzzle, Word Search, All-out Bingo, Project iGuardian Coloring Pages, and Project iGuardian Avatars.

Educators and administrators can also book a free in-person or virtual training for their school, their after-school program, a teacher/staff lunch-and-learn, or a PTA meeting. These age-appropriate educational presentations are provided by special agents from Homeland Security Investigations (HSI) and the U.S. Secret Service. To date, Know2Protect has educated over 82,900 adults and children and completed over 1,000 events and presentations to spread awareness and prevention tactics about online CSEA. To request a presentation, please visit www.know2protect.gov/training. The campaign is committed to reaching more than 100,000 people through trainings by the end of this school year.

The Back2School resources build on Know2Protect’s ongoing efforts to reach children, parents, and trusted adults where they are through innovative partnerships with technology companies, national and international sports leagues, youth-serving organizations and nonprofits, and other private sector partners. Starting in August, Project iGuardian, Know2Protect’s in-person educational arm, is teaming up with the National Association of Police Athletic/Activities Leagues (PAL), which has over 300 chapters serving two million youth annually, to provide in-person training. Lamar Advertising is featuring public service announcements from Know2Protect on digital billboards across the country. NASCAR is featuring educational content for children on its NASCAR Kids homepage and disseminating tips for partners through its online newsletter. More partner activations are set to launch in the coming days and weeks.

Know2Protect is the first federal government campaign focused on the education and prevention of online CSEA. The campaign’s mission is to mobilize young people, parents, educators, and community leaders to learn the signs of this crime, what they can do to prevent it, how to report it to law enforcement, and how they can support survivors. Since its launch in April, DHS has established partners in government, education, sports, technology, youth-serving organizations, and several other industries to meet people where they are and deliver the campaign’s preventative tips to keep kids safe.

Early intervention is crucial. If exploitation happens, approach conversations with care and empathy and report immediately to the Know2Protect Tipline at 833-591-KNOW (5669) or visit the NCMEC CyberTipline at https://report.cybertip.org. All information received via the Tipline will be reviewed by appropriate personnel and referred to HSI field offices for potential investigation.