DHS Announces Funding Allocations for Fiscal Year 2024 Preparedness Grants

Source: US Department of Homeland Security

WASHINGTON — Today, the Department of Homeland Security announced final allocations of nearly $724 million in six Fiscal Year (FY) 2024 competitive preparedness grant programs. This includes $454.5 million in funding for the Nonprofit Security Grant Program, an increase of $149.5 million from FY 2023, which will provide critical funding for faith-based groups and others to prevent and protect themselves from the heightened threat environment we face today.

These allocations, together with the more than $1.25 billion in non-competitive grant funding announced earlier this year, total almost $1.98 billion in FY 2024 to help prepare our nation against threats and natural disasters. 

The grant programs provide funding to state, local, tribal and territorial governments, nonprofit agencies, and the private sector to build and sustain capabilities to prevent, protect against, respond to and recover from acts of terrorism and other disasters. The total amount for each grant program is set by Congress and the allocations are made by the Department through a competitive process. 

“The Department of Homeland Security is proud to work together with our federal, state, local, tribal, territorial and other partners to increase our nation’s resilience in a constantly evolving threat environment,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The funds announced today will provide communities across the country with vital resources necessary to strengthen their security and guard against terrorism and other threats. The impact of these grants will be measured in lives saved and tragedies averted.” 

Preparedness Grant Program Allocations for Fiscal Year 2024 

The following grants are competitive, with allocations announced today:  

Operation Stonegarden: provides $81 million to enhance cooperation and coordination among state, local, tribal, territorial, and federal law enforcement agencies to jointly enhance security along the United States land and water borders. 

Tribal Homeland Security Grant Program: provides $13.5 million to eligible Tribal Nations to implement preparedness initiatives to help strengthen the nation against risk associated with potential terrorist attacks and other hazards. 

Nonprofit Security Grant Program: provides $454.5 million to support target hardening and other physical security enhancements for nonprofit organizations that are at high risk of a terrorist attack. This year, $227.25 million is provided to nonprofits in Urban Area Security Initiative-designated areas, and $227.25 million is provided to nonprofits outside those designated urban areas located in any state or territory. 

Port Security Grant Program: provides $90 million to help protect critical port infrastructure from terrorism, enhance maritime domain awareness, improve port-wide maritime security risk management, and maintain or re-establish maritime security mitigation protocols that support port recovery and resiliency capabilities. 

Transit Security Grant Program: provides $83.7 million to owners and operators of public transit systems to protect critical surface transportation and the traveling public from acts of terrorism and to increase the resilience of transit infrastructure.

Intercity Bus Security Grant Program: provides $1.8 million to owners and operators of intercity bus systems to protect surface transportation infrastructure and the traveling public from acts of terrorism and to increase the resilience of transit infrastructure. Eligible applicants receiving approval for funding requested only $1,214,968 of the $1.8 million made available this fiscal year. 

The following non-competitive grants were announced earlier this year to recipients based on a number of factors: 

State Homeland Security Program: provides $373.5 million to support the implementation of risk-driven, capabilities-based state homeland security strategies to address capability targets. Awards are based on statutory minimums and relative risk as determined by DHS/FEMA’s risk methodology. 

Urban Area Security Initiative: provides $553.5 million to enhance regional preparedness and capabilities in 31 high-threat, high-density areas. Awards are based on relative risk as determined by the Department’s risk methodology. 

Emergency Management Performance Grant: provides $319.55 million to assist state, local, tribal, and territorial emergency management agencies in obtaining the resources required to support the National Preparedness Goal’s associated mission areas and core capabilities to build a culture of preparedness. 

Intercity Passenger Rail: provides $9 million to Amtrak to protect critical surface transportation infrastructure and the traveling public from acts of terrorism and increase the resilience of the Amtrak rail system. Award made per congressional direction. 

Further information on preparedness grant programs is available at www.dhs.gov and www.fema.gov/grants.  

Major Enforcement Operation in Guatemala Secures Arrest of Human Smuggler Indicted by JTFA

Source: US Department of Homeland Security

WASHINGTON – On Wednesday, extensive coordination and collaboration between the Department of Homeland Security, the Justice Department and domestic and international partners resulted in a major enforcement operation that dismantled a human smuggling network based in Guatemala. In June 2022, this network smuggled people into the United States on a journey that ended with the deaths of 53 migrants in a tractor-trailer in San Antonio, Texas. Twenty-one of the deceased migrants were Guatemalan. 

This case is part of Joint Task Force Alpha (JTFA), created by Secretary of Homeland Security Alejandro N. Mayorkas and Attorney General Merrick B. Garland in June 2021 to strengthen U.S. enforcement efforts against human smuggling emanating from Central America. 

On Aug. 21, Guatemalan law enforcement executed multiple search and arrest warrants across Guatemala, working together with United States law enforcement agents. At the request of the United States, Guatemalan authorities arrested Guatemalan national Rigoberto Ramon Miranda-Orozco, who has been indicted in the Western District of Texas in connection with the investigation. Six individuals arrested as part of the operation will be charged locally in Guatemala. 

Miranda-Orozco, 47, whose indictment was unsealed today, allegedly conspired with other smugglers to facilitate the travel of four migrants from Guatemala through Mexico, and ultimately, to the United States. He allegedly charged the migrants, or their families and friends, approximately $12,000 to $15,000 for the journey. The indictment alleges that three of these migrants perished in the tractor-trailer, and the fourth suffered serious bodily injury. Miranda-Orozco is charged with six counts related to migrant smuggling resulting in death or serious bodily injury. He faces maximum penalties of life in prison. 

“Smugglers prey on migrants and seek profits with complete disregard for human life, as we saw in this tragic incident that killed 53 people,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The men and women at Homeland Security Investigations (HSI) and U.S. Customs and Border Protection (CBP) work every day to disrupt these sophisticated smuggling networks, and we will continue to work alongside our federal and international partners to dismantle them at every level of operation.” 

“Over the past two years, the Justice Department has worked methodically to hold accountable those responsible for the horrific tragedy in San Antonio that killed 53 people who had been preyed on by human smugglers,” said Attorney General Garland. “With these arrests, the Justice Department and our partners in Guatemala have now arrested a total of 14 people for their alleged involvement in this tragedy. We are committed to continuing to work with our partners both in the United States and abroad to target the most prolific and dangerous human smuggling groups operating in Mexico, Guatemala, El Salvador, Honduras, Colombia, and Panama.” 

“In launching Joint Task Force Alpha three years ago, the Department of Justice directed every tool at our disposal to the dismantling of human smuggling networks across the continent. And after the tragic deaths of 53 migrants in June 2022, we pledged to hold accountable those responsible, no matter where they live or operate,” said Deputy Attorney General Lisa Monaco. “Today’s arrests in Guatemala are a continued fulfillment of that pledge. We will not rest in our efforts to disrupt the smuggling networks that capitalize on desperation and foster misery throughout the Western Hemisphere.” 

“As alleged in the indictment, Miranda-Orozco recruited some of the migrants who died in the back of a tractor-trailer near San Antonio, Texas, in June 2022, and worked with a network of smugglers to transport them from Guatemala through Mexico into the United States,” said Principal Deputy Assistant Attorney General Nicole Argentieri, head of the Justice Department’s Criminal Division. “This tragedy is a dire warning of the dangers that human smugglers cause by exposing migrants to life-threatening conditions for the smugglers’ financial gain. Dismantling human smuggling networks is a critical priority for the Criminal Division, and we will continue to work with our domestic and international law enforcement partners to investigate and prosecute these cases, no matter where the offenders may be found.” 

“This was a complex operation and a major success for the progression of this case — apprehending a key orchestrator of the horrendous smuggling operations in which families were charged thousands of dollars for trusted transport across the U.S. border from Guatemala and other countries,” said U.S. Attorney Jaime Esparza for the Western District of Texas. “This significant development in the case demonstrates the commitment of this office, the Department of Justice, and our partners at all necessary levels, to ensure all 53 migrants who died in the 2022 tractor-trailer tragedy get their justice.” 

“HSI is deeply immersed in the global fight against human smuggling that includes our international operations within Central and South America. These arrests reflect the disruption of Central American human smuggling organizations that recruit, organize and transport people,” said HSI Executive Associate Director Katrina W. Berger. “Combating this prolific, transnational crime is one of our top priorities. Our special agents and criminal analysts are actively engaged with law enforcement partners and task forces around the globe working to dismantle criminal networks that treat human life like a commodity. HSI will keep exhausting every resource available to bring human smugglers to justice.” 

“The men and women of CBP are unwavering in their commitment to combat and dismantle the human smuggling networks that ruthlessly exploit and endanger the lives of migrants — from the time of this tragic incident in San Antonio, to today’s important step in bringing those responsible to justice,” said Senior Official Performing the Duties of the Commissioner Troy A. Miller of the CBP. “Our collective work through Joint Task Force Alpha remains critical to our ongoing efforts at disrupting smuggling operations across the hemisphere and the world.” 

The human smuggling organization allegedly loaded 65 migrants into a tractor-trailer, which court documents allege lacked functioning air conditioning as it drove north on a Texas interstate. As temperatures rose, some of the migrants inside the trailer allegedly lost consciousness, while others clawed at the walls, trying to escape. By the time the tractor-trailer reached San Antonio, the indictment alleges, 48 migrants had already died. Another five migrants died after being transported to local hospitals. Six children and a pregnant woman were among the deceased. 

The U.S. Attorney’s Office for the Western District of Texas has previously charged seven other defendants for their alleged involvement in this smuggling event, including through indictments filed in 2022 and 2023. Four of these seven defendants have pleaded guilty.

The indictment against Miranda-Orozco and the cooperation between U.S. and Guatemalan authorities were spearheaded by JTFA and the U.S. Attorney’s Office for the Western District of Texas. Given the rise in prolific and dangerous smuggling emanating from Central America with effects in the United States, JTFA’s goal is to disrupt and dismantle human smuggling and trafficking networks operating in El Salvador, Guatemala, Honduras, Mexico, Colombia, and Panama with a focus on networks that endanger, abuse or exploit migrants, present national security risks, or engage in other types of transnational organized crime. 

Since its creation, JTFA has successfully increased coordination and collaboration between the Department of Homeland Security, Justice Department, and other interagency law enforcement participants, and with foreign law enforcement partners, including El Salvador, Guatemala, Honduras, Mexico, Colombia, and Panama; targeted those organizations who have the most impact on the United States; and coordinated significant smuggling indictments and extradition efforts in U.S. Attorneys’ Offices across the country. JTFA is comprised of detailees from southwest border U.S. Attorneys’ Offices, including the Southern District of Texas, Western District of Texas, District of Arizona, and Southern District of California, and dedicated support for the program is also provided by numerous components of the Justice Department’s Criminal Division that are part of JTFA — led by the Human Rights and Special Prosecutions Section (HRSP), and supported by the Office of Prosecutorial Development, Assistance, and Training, Narcotic and Dangerous Drug Section, Money Laundering and Asset Recovery Section, Office of Enforcement Operations, Justice Department’s Office of International Affairs (OIA), and Violent Crime and Racketeering Section. JTFA is made possible by substantial law enforcement investment from Department of Homeland Security, FBI, Drug Enforcement Administration, and other partners. 

HSI San Antonio investigated the case, with valuable assistance from HSI Guatemala and the HSI Human Smuggling Unit in Washington, D.C. CBP’s National Targeting Center/Operation Sentinel; U.S. Border Patrol; Bureau of Alcohol, Tobacco, Firearms and Explosives; San Antonio Police Department; San Antonio Fire Department; Palestine Police Department, OIA, and OPDAT provided valuable assistance. The Justice Department thanks Guatemalan law enforcement, who were instrumental in furthering this investigation. 

HRSP Trial Attorney Alexandra Skinnion and Assistant U.S. Attorneys Jose Luis Acosta, Eric Fuchs, Sarah Spears, and Amanda Brown for the Western District of Texas are prosecuting the case, with assistance from HRSP Historian/Latin America Specialist Joanna Crandall. 

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law. 


Best Practices for Event Logging and Threat Detection

Source: US Department of Homeland Security

Executive Summary

This publication defines a baseline for event logging best practices to mitigate cyber threats. It was developed by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) in cooperation with the following international partners: 

  • United States (US) Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA).
  • United Kingdom (UK) National Cyber Security Centre (NCSC-UK).
  • Canadian Centre for Cyber Security (CCCS).
  • New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team (CERT NZ).
  • Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and Computer Emergency Response Team Coordination Center (JPCERT/CC).
  • The Republic of Korea National Intelligence Services (NIS) and NIS’s National Cyber Security Center (NCSC-Korea).
  • Singapore Cyber Security Agency (CSA).
  • The Netherlands General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD).

Event logging supports the continued delivery of operations and improves the security and resilience of critical systems by enabling network visibility. This guidance makes recommendations that improve an organization’s resilience in the current cyber threat environment, with regard for resourcing constraints. The guidance is of moderate technical complexity and assumes a basic understanding of event logging.

An effective event logging solution aims to:

  • Send alerts to the network defenders responsible for monitoring when cyber security events such as critical software configuration changes are made or new software solutions are deployed.
  • Identify cyber security events that may indicate a cyber security incident, such as malicious actors employing living off the land (LOTL) techniques or lateral movement post-compromise.
  • Support incident response by revealing the scope and extent of a compromise.
  • Monitor account compliance with organizational policies.
  • Reduce alert noise, saving on costs associated with storage and query time.
  • Enable network defenders to make agile and informed decisions based on prioritization of alerts and analytics.
  • Ensure logs and the logging platforms are usable and performant for analysts.

There are four key factors to consider when pursuing logging best practices:

  1. Enterprise-approved event logging policy.
  2. Centralized event log access and correlation.
  3. Secure storage and event log integrity.
  4. Detection strategy for relevant threats.

Introduction

The increased prevalence of malicious actors employing LOTL techniques, such as LOTL binaries (LOLBins) and fileless malware, highlights the importance of implementing and maintaining an effective event logging solution. As demonstrated in the joint-sealed publication Identifying and Mitigating Living Off the Land Techniques, advanced persistent threats (APTs) are employing LOTL techniques to evade detection. The purpose of this publication is to detail best practice guidance for event logging and threat detection for cloud services, enterprise networks, enterprise mobility, and operational technology (OT) networks. The guidance in this publication focuses on general best practices for event logging and threat detection; however, LOTL techniques feature as they provide a great case study due to the high difficulty in detecting them.

Audience

This guidance is technical in nature and is intended for those within medium to large organizations. As such, it is primarily aimed at:

  • Senior information technology (IT) and OT decision makers.
  • IT and OT operators.
  • Network administrators.
  • Critical infrastructure providers.

Best Practices

Enterprise-approved Event Logging Policy

Developing and implementing an enterprise approved logging policy improves an organization’s chances of detecting malicious behavior on their systems and enforces a consistent method of logging across an organization’s environments. The logging policy should take into consideration any shared responsibilities between service providers and the organization. The policy should also include details of the events to be logged, event logging facilities to be used, how event logs will be monitored, event log retention durations, and when to reassess which logs are worthy of collection.

Event Log Quality

Organizations are encouraged to implement an event logging policy focused on capturing high-quality cyber security events to aid network defenders in correctly identifying cyber security incidents. In the context of cyber security incident response and threat detection, event log quality refers to the types of events collected rather than how well a log is formatted. Log quality can vary between organizations due to differences in network environments, the reason behind the need to log, differences in critical assets and the organization’s risk appetite. 

Useful event logs enrich a network defender’s ability to assess security events to identify whether they are false positives or true positives. Implementing high-quality logging will aid network defenders in discovering LOTL techniques that are designed to appear benign in nature.

Note: Capturing a large volume of well-formatted logs can be invaluable for incident responders in forensics analysis scenarios. However, organizations are encouraged to properly organize logged data into ‘hot’ data storage that is readily available and searchable, or ‘cold’ data storage that has deprioritized availability and is stored through more economical solutions – an important consideration when evaluating an organization’s log storage capacity.

For more information on how to prioritize collection of high-quality event logs please refer to CISA’s Guidance for Implementing M-21-31: Improving the Federal Government’s Investigative and Remediation Capabilities.[1] 

To strengthen detection of malicious actors employing LOTL techniques, some relevant considerations for event logging include:

  • On Linux-based systems, logs capturing the use of curl, systemctl, systemd, python and other common LOLBins leveraged by malicious actors.
  • On Microsoft Windows-based systems, logs capturing the use of wmic.exe, ntdsutil.exe, Netsh, cmd.exe, PowerShell, mshta.exe, rundll32.exe, regsvr32.exe and other common LOLBins leveraged by malicious actors. Ensure that logging captures command execution, script block logging and module logging for PowerShell, and detailed tracking of administrative tasks.
  • For cloud environments, logging all control plane operations, including API calls and end user logins. The control plane logs should be configured to capture read and write activities, administrative changes, and authentication events.
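As an added example (not code from the ASD/CISA guidance), the following Python applies a watchlist built from the LOLBins named above to structured process events, counts hits per host for triage, and checks that PowerShell script block logging is actually being captured for each PowerShell start, since the guidance requires it. The event field names (platform, host, user, session, event_id, image, command_line) and the sample events are assumptions constructed here; Windows event IDs 4688 (process creation) and 4104 (PowerShell script block) are the real IDs.

```python
"""LOLBin visibility and PowerShell logging-coverage check over structured process events.

Added example, not from the guidance. Event keys (platform, host, user, session,
event_id, image, command_line) are an assumed schema, not any product's format.
"""
from collections import Counter
from ntpath import basename as nt_basename
from posixpath import basename as posix_basename

# Watchlists drawn from the LOLBins the guidance names (lower-case basenames)
LINUX_LOLBINS = {"curl", "systemctl", "systemd", "python"}
WINDOWS_LOLBINS = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "cmd.exe",
                   "powershell.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

def image_name(event):
    """Normalise the executable path to a lower-case basename for its platform."""
    image = event.get("image", "")
    if event.get("platform") == "windows":
        return nt_basename(image).lower()
    name = posix_basename(image).lower()
    # Treat python3 / python3.11 as "python" so interpreter versions are not missed
    return "python" if name.startswith("python") else name

def is_lolbin(event):
    name = image_name(event)
    if event.get("platform") == "windows":
        return name in WINDOWS_LOLBINS
    return name in LINUX_LOLBINS

def flag_lolbin_events(events):
    """Return (host, user, image, command_line) for every LOLBin execution seen."""
    return [(e["host"], e["user"], image_name(e), e.get("command_line", ""))
            for e in events if is_lolbin(e)]

def hosts_by_lolbin_count(events):
    """LOLBin executions per host, to show where analyst review effort should go."""
    return Counter(e["host"] for e in events if is_lolbin(e))

def powershell_coverage_gaps(events):
    """(host, session) pairs where powershell.exe started (4688) but no script block
    event (4104) arrived: script block logging is off or is not being forwarded."""
    started, logged = set(), set()
    for e in events:
        if e.get("platform") != "windows":
            continue
        key = (e["host"], e.get("session"))
        if e.get("event_id") == 4688 and image_name(e) == "powershell.exe":
            started.add(key)
        elif e.get("event_id") == 4104:
            logged.add(key)
    return sorted(started - logged)

SAMPLE_EVENTS = [  # constructed sample data, benign administrative activity
    {"platform": "linux", "host": "web01", "user": "deploy", "session": "s1",
     "image": "/usr/bin/curl", "command_line": "curl -sI https://intranet.example/health"},
    {"platform": "linux", "host": "web01", "user": "root", "session": "s2",
     "image": "/usr/bin/python3.11", "command_line": "python3 backup.py"},
    {"platform": "linux", "host": "web01", "user": "www-data", "session": "s3",
     "image": "/usr/sbin/nginx", "command_line": "nginx -g daemon off;"},
    {"platform": "windows", "host": "WS-ADMIN1", "user": "CORP\\jsmith", "session": "0x3e7",
     "event_id": 4688, "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "command_line": "wmic os get caption"},
    {"platform": "windows", "host": "WS-ADMIN1", "user": "CORP\\jsmith", "session": "0x3e7",
     "event_id": 4688, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -File Get-Inventory.ps1"},
    {"platform": "windows", "host": "WS-ADMIN1", "user": "CORP\\jsmith", "session": "0x3e7",
     "event_id": 4104, "command_line": "Get-CimInstance Win32_OperatingSystem"},
    {"platform": "windows", "host": "WS-USER7", "user": "CORP\\asmith", "session": "0x5a2",
     "event_id": 4688, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -File Sync-Mail.ps1"},
    {"platform": "windows", "host": "WS-USER7", "user": "CORP\\asmith", "session": "0x5a2",
     "event_id": 4688, "image": "C:\\Windows\\explorer.exe", "command_line": "explorer.exe"},
]

if __name__ == "__main__":
    for hit in flag_lolbin_events(SAMPLE_EVENTS):
        print("LOLBin:", hit)
    print("per host:", dict(hosts_by_lolbin_count(SAMPLE_EVENTS)))
    print("PowerShell starts without script block events:", powershell_coverage_gaps(SAMPLE_EVENTS))
```

On the sample, WS-USER7 shows a PowerShell start with no 4104 event in the same session, which is the logging gap the guidance's script block requirement is meant to close.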

Captured Event Log Details

As a part of an organization’s event logging policy, captured event logs should contain sufficient detail to aid network defenders and incident responders. If a logging solution fails to capture data relevant to security, its effectiveness as a cyber security incident detection capability is heavily impacted.

The US Office of Management and Budget’s M-21-31[2] outlines a good baseline for what an event log should capture, if applicable:

  • Properly formatted and accurate timestamp (millisecond granularity is ideal).
  • Event type (status code).
  • Device identifier (MAC address or other unique identifier).
  • Session/transaction ID.
  • Autonomous system number.
  • Source and destination IP (includes both IPv4 and IPv6).
  • Status code.
  • Response time.
  • Additional headers (e.g., HTTP headers).
  • The user ID, where appropriate.
  • The command executed, where appropriate.
  • A unique event identifier to assist with event correlation, where possible.

Note: Where possible, all data should be formatted as ‘key-value-pairs’ to allow for easier extraction.

Operational Technology Considerations

Network administrators and network operators should take into consideration the OT devices within their OT networks. Most OT devices use embedded software that is memory and/or processor constrained. An excessive level of logging could adversely affect the operation of those OT devices. Additionally, such OT devices may not be capable of generating detailed logs, in which case, sensors can be used to supplement logging capabilities. Out-of-band log communications, or generating logs based on error codes and the payloads of existing communications, can account for embedded devices with limited logging capabilities.

Content and Format Consistency

When centralizing event logs, organizations should consider using a structured log format, such as JSON, where each type of log captures and presents content consistently (that is, consistent schema, format, and order). This is particularly important when event logs have been forwarded to a central storage facility as this improves a network defender’s ability to search for, filter and correlate event logs. Since logs may vary in structure (or lack thereof), implementing a method of automated log normalization is recommended. This is an important consideration for logs that can change over time or without notice such as software and software-as-a-service (SaaS) logs.

Timestamp Consistency

Organizations should consider establishing an accurate and trustworthy time source and use this consistently across all systems to assist network defenders in identifying connections between event logs. This should also include using the same date-time format across all systems. Where possible, organizations should use multiple accurate time sources in case the primary time source becomes degraded or unavailable. Note that, particularly in distributed systems, time zones and distance can influence how timestamps read in relation to each other. Network owners, system owners and cyber security incident responders are encouraged to understand how this could impact their own environments. ASD and co-authors urge organizations to consider implementing the recommendations below to help ensure consistent timestamp collection.

  • Time servers should be synchronized and validated throughout all environments and set to capture significant events, such as device boots and reboots.
  • Using Coordinated Universal Time (UTC) has the advantage of no time zones as well as no daylight savings, and is the preferred time standard.
    • Implement ISO 8601 formatting, with the year listed first, followed by the month, day, hour, minutes, seconds, and milliseconds (e.g., 2024-07-25T20:54:59.649Z).
  • Time synchronization should be unidirectional: the OT environment should take its time from the IT environment, and not the other way around.
  • Data historians may be implemented on some operational assets to record and store time-series data of industrial processes running on the computer system. These can provide an additional source of event log data for OT networks.
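As an added example that is not part of the guidance, the following Python serves both Captured Event Log Details and Timestamp Consistency (and the normalization recommendation under Content and Format Consistency): it normalizes three constructed log formats (an application key=value line carrying a local-time offset, a SaaS JSON line with epoch milliseconds, and a Windows-style CSV export with no time zone) into one fixed key-value schema built from the fields listed above, with every timestamp rewritten as UTC ISO 8601 at millisecond granularity. The source names, field names and the configured -04:00 offset for the zone-less export are assumptions.

```python
"""Normalize heterogeneous log lines into one schema with UTC ISO 8601 timestamps.

Added example; not code from the ASD/CISA guidance. The three input formats,
the source names and the output field names are constructed for illustration.
"""
import hashlib
import json
import re
from datetime import datetime, timedelta, timezone

# Target schema: the M-21-31 style fields the guidance lists, as key-value pairs in a fixed order
SCHEMA = ["timestamp", "event_type", "device_id", "session_id", "src_ip", "dst_ip",
          "status_code", "user_id", "command", "event_id", "source"]
REQUIRED = ["timestamp", "event_type", "device_id"]  # assumed minimum for this pipeline

def to_iso_utc(dt):
    """ISO 8601, UTC, millisecond granularity, trailing Z (e.g. 2024-07-25T20:54:59.649Z)."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def event_id_for(source, raw):
    """Deterministic unique id: the same line forwarded twice correlates instead of duplicating."""
    return hashlib.sha256(f"{source}\n{raw}".encode()).hexdigest()[:16]

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_app_kv(raw):
    """'2024-07-25 16:54:59,649 -0400 k=v k=v ...': local time with an explicit offset."""
    date, time, offset, rest = raw.split(" ", 3)
    dt = datetime.strptime(f"{date} {time} {offset}", "%Y-%m-%d %H:%M:%S,%f %z")
    kv = dict(KV_RE.findall(rest))
    return dt, {"event_type": kv.get("event"), "device_id": kv.get("host"),
                "session_id": kv.get("session"), "src_ip": kv.get("src"),
                "dst_ip": kv.get("dst"), "status_code": kv.get("status"),
                "user_id": kv.get("user")}

def parse_saas_json(raw):
    """Provider JSON with epoch milliseconds; note it supplies no device identifier."""
    obj = json.loads(raw)
    ms = int(obj["ts"])
    # Integer seconds plus a millisecond delta avoids float rounding of the fraction
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)
    return dt, {"event_type": obj.get("eventType", "").lower(), "session_id": obj.get("sessionId"),
                "src_ip": obj.get("clientIp"), "status_code": obj.get("result"),
                "user_id": obj.get("actor")}

# Assumed: this export carries no zone, so the offset is configured per source; without it
# the timestamps would read four hours apart from the other two sources for the same moment
WINDOWS_EXPORT_TZ = timezone(timedelta(hours=-4))

def parse_windows_csv(raw):
    """'07/25/2024 04:54:59 PM,host,event,user,src,session': 12-hour clock, no zone, no ms."""
    ts_text, host, event, user, src, session = raw.split(",")
    dt = datetime.strptime(ts_text, "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=WINDOWS_EXPORT_TZ)
    return dt, {"event_type": event, "device_id": host, "session_id": session,
                "src_ip": src, "user_id": user}

PARSERS = {"app-kv": parse_app_kv, "saas-json": parse_saas_json, "win-csv": parse_windows_csv}

def normalize(source, raw):
    """One record per line, always the same keys in the same order."""
    dt, fields = PARSERS[source](raw)
    record = {key: None for key in SCHEMA}
    record.update(fields)
    record.update(timestamp=to_iso_utc(dt), event_id=event_id_for(source, raw), source=source)
    return record

def missing_required(record):
    """Fields the guidance expects that this source did not provide."""
    return [key for key in REQUIRED if not record.get(key)]

SAMPLE_LINES = [  # constructed sample input: the same login seen by three sources
    ("app-kv", "2024-07-25 16:54:59,649 -0400 host=web01 event=login user=deploy "
               "src=203.0.113.5 dst=10.0.0.8 status=200 session=a1b2"),
    ("saas-json", '{"ts":1721940899649,"eventType":"LOGIN","actor":"deploy",'
                  '"clientIp":"203.0.113.5","result":"SUCCESS","sessionId":"a1b2"}'),
    ("win-csv", "07/25/2024 04:54:59 PM,WS-ADMIN1,logon,CORP\\jsmith,203.0.113.5,0x3e7"),
]

def normalize_all(lines=SAMPLE_LINES):
    return [normalize(source, raw) for source, raw in lines]

if __name__ == "__main__":
    for record in normalize_all():
        print(json.dumps(record), "missing:", missing_required(record))
```

The SaaS record comes out with no device_id, which is the kind of gap to raise with the provider under the shared-responsibility model rather than silently accept.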

Additional Resources

  • ASD has released Windows Event Logging and Forwarding guidance that details important event categories and recommendations for configurations, log retention periods and event forwarding.
  • For more information about logging, please explore CISA’s Logging Made Easy (LME), a no-cost solution providing essential log management for small to medium-sized organizations, on CISA’s website or GitHub page.
  • The Joint SIGINT Cyber Unit (JSCU) of the AIVD and MIVD has published a repository on GitHub with a Microsoft Windows event logging and collections baseline focused on finding balance between forensic value and optimizing retention. You can find this repository on the JSCU’s GitHub.

Event Log Retention

Organizations should ensure they retain logs for long enough to support cyber security incident investigations. Default log retention periods are often insufficient. Log retention periods should be informed by an assessment of the risks to a given system. When assessing the risks to a system, consider that in some cases, it can take up to 18 months to discover a cyber security incident and some malware can dwell on the network from 70 to 200 days before causing overt harm.[3] Log retention periods should also be compliant with any regulatory requirements and cyber security frameworks that may apply in an organization’s jurisdiction. Logs that are crucial in confirming an intrusion and its impact should be prioritized for longer retention. 

It is important to review log storage allocations, in parallel with retention periods. Insufficient storage is a common obstacle to log retention. For example, many systems will overwrite old logs when their storage allocation is exhausted. The longer that logs can be kept, the higher the chances are of determining the extent of a cyber security incident, including the potential intrusion vectors that require remediation. For effective security logging practices, organizations should implement data tiering such as hot and cold storage. This ensures that logs can be promptly retrieved to facilitate querying and threat detection.

Centralized Log Collection and Correlation

The following sections detail prioritized lists of log sources for enterprise networks, OT, cloud computing and enterprise mobility using mobile computing devices. The prioritization takes into consideration the likelihood that the logged asset will be targeted by a malicious actor, as well as the impact if the asset were to be compromised. It also prioritizes log sources that can assist in identifying LOTL techniques. Please note that this is not an exhaustive list of log sources and their threats, and their priority may differ between organizations.

Logging Priorities for Enterprise Networks

Enterprise networks face a large variety of cyber threats. These include malware, malicious insiders, and exploitation of unpatched applications and services. In the context of LOTL, enterprise networks provide malicious actors with a wide variety of native tools to exploit.

ASD and co-authors recommend that organizations prioritize the following log sources within their enterprise network:

  1. Critical systems and data holdings likely to be targeted.
  2. Internet-facing services, including remote access, network metadata, and their underlying server operating system.
  3. Identity and domain management servers.
  4. Any other critical servers.
  5. Edge devices such as boundary routers and firewalls.
  6. Administrative workstations.
  7. Highly privileged systems such as configuration management, performance and availability monitoring (in cases where privileged access is used), Continuous Integration/Continuous Delivery (CI/CD), vulnerability scanning services, secret and privilege management.
  8. Data repositories.
  9. Security-related and critical software.
  10. User computers.
  11. User application logs.
  12. Web proxies used by organizational users and service accounts.
  13. DNS services used by organizational users.
  14. Email servers.
  15. DHCP servers.
  16. Legacy IT assets (that are not previously captured in critical or internet-facing services).

ASD and co-authors recommend organizations monitor lower priority logs as well. These include:

  • Underlying infrastructure, such as hypervisor hosts.
  • IT devices, such as printers.
  • Network components such as application gateways.

Logging Priorities for Operational Technology

Historically, IT and OT have operated separately and have provided distinct functions within organizations. Advancements in technology and digital transformation have led to the growing interconnectedness and convergence of these networks. Organizations are integrating IT and OT networks to enable the seamless flow of data between management systems and industrial operations. Their integration has introduced new cyber threats to OT networks. For example, malicious actors can access OT networks through IT networks by exploiting unpatched vulnerabilities, delivering malware, or conducting denial-of-service campaigns to impact critical services. 

ASD and co-authors recommend that organizations prioritize the following log sources in their OT environment:

  1. OT devices critical to safety and service delivery, except for air-gapped systems.[4]
  2. Internet-facing OT devices.
  3. OT devices accessible via network boundaries.

Note that in cases where OT devices do not support logging, device logs are not available, or are available in a non-standard format, it is good practice to ensure network traffic and communications to and from the OT devices are logged.

Logging Priorities for Enterprise Mobility Using Mobile Computing Devices

Enterprise mobility is an important aspect of an organization’s security posture. Mobile device management (MDM) solutions allow organizations to manage the security of their enterprise mobility, typically including logging functionality. In the context of enterprise mobility, the aim of effective event logging is to detect compromised accounts or devices; for example, due to phishing or interactions with malicious applications and websites.

ASD and co-authors recommend organizations prioritize the following log sources in their enterprise mobility solution:

  1. Web proxies used by organizational users.
  2. Organization operated DNS services.
  3. Device security posture of organizationally managed devices.
  4. Device behavior of organizationally managed devices.
  5. User account behavior such as sign-ins.
  6. VPN solutions.
  7. MDM and Mobile Application Management (MAM) events.[5]

Additional monitoring should be implemented in collaboration with the telecommunications network provider. Such monitoring includes:

  • Signaling exploitation.
  • Binary/invisible SMS.
  • CLI spoofing.
  • SIM/eSIM activities such as SIM swapping.
  • Null cipher downgrade.
  • Connection downgrade (false base station).
  • Network API/query against user.
  • Roaming traffic protection.
  • Roaming steering.

Organizations should obtain legal advice about what can be logged from any personally owned mobile devices that are enrolled in an MDM solution. For example, logging GPS location may be subject to restrictions.

Logging Priorities for Cloud Computing

ASD and co-authors recommend organizations adjust event logging practices in accordance with the cloud service model that is administered, whether infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), or software-as-a-service (SaaS) is implemented. For example, IaaS places a significant amount of the logging responsibility on the tenant, whereas SaaS places a significant amount of the logging responsibility on the provider. Therefore, organizations should coordinate closely with their cloud service provider to understand the shared-responsibility model in place, as it will influence their logging priorities. Logging priorities will also be influenced by the cloud computing service model and the deployment model (that is, public, private, hybrid, community). Where privacy and data sovereignty laws apply, logging priorities may also be influenced by the location of the cloud service provider’s infrastructure. See NSA’s Manage Cloud Logs for Effective Threat Hunting guidance for additional information.

Organizations should prioritize the following log sources in their use of cloud computing services:

  1. Critical systems and data holdings likely to be targeted.
  2. Internet-facing services (including remote access) and, where applicable, their underlying server operating systems.
  3. Use of the tenant’s user accounts that access and administer cloud services.
  4. Logs for administrative configuration changes.
  5. Logs for the creation, deletion and modification of all security principals, including setting and changing permissions.
  6. Authentication success and/or failures to third party services (e.g., SAML/OAuth).
  7. Logs generated by the cloud services, including logs for cloud APIs, all network-related events, compliance events and billing events.

Secure Storage and Event Log Integrity

ASD and co-authors recommend that organizations implement a centralized event logging facility such as a secured data lake to enable log aggregation and then forward select, processed logs to analytic tools, such as security information and event management (SIEM) and extended detection and response (XDR) solutions. Many commercially available network infrastructure devices have limited local storage. Forwarding event logs to a centralized and secure storage capability prevents the loss of logs once the local device’s storage is exhausted [CPG 2.U]. This can be further mitigated by ensuring default maximum event log storage sizes are configured appropriately on local devices. In the event of a cyber security incident, an absence of historical event logs will frequently have a negative impact on cyber security incident response activities.

Secure Transport and Storage of Event Logs

ASD and co-authors recommend that organizations implement secure mechanisms such as Transport Layer Security (TLS) 1.3 and methods of cryptographic verification to ensure the integrity of event logs in-transit and at rest. Organizations should prioritize securing and restricting access to event logs that have a justified requirement to record sensitive data.

Protecting Event Logs from Unauthorized Access, Modification and Deletion

It is important to perform event log aggregation as some malicious actors are known to modify or delete local system event logs to avoid detection and to delay or degrade the efficacy of cyber security incident response. Logs may contain sensitive data that is useful to a malicious actor. As a result, users should only have access to the event logs they need to do their job.

An event logging facility should enable the protection of logs from unauthorized modification and deletion. Ensure that only personnel with a justified requirement have permission to delete or modify event logs and view the audit logs for access to the centralized logging environment. The storage of logs should be in a separate or segmented network with additional security controls to reduce the risk of logs being tampered with in the event of network or system compromise. Event logs should also be backed up and data redundancy practices should be implemented.
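The two preceding sections ask for cryptographic verification of log integrity and for protection against unauthorized modification and deletion. The following is an added example of one way to get both at the central logging facility; it is not code from the ASD/CISA publication. Each record carries an HMAC that binds it to its sequence number and to the previous record's tag, so a verifier holding the key detects modification, insertion, deletion and reordering. A chain whose newest records have been deleted still verifies on its own, so the collector also keeps an out-of-band anchor (latest sequence number and tag) and checks the chain against it. The key, record bodies and function names are constructed for the demo.

```python
"""Tamper-evident event log chain (added example, not from the publication)."""
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed demo key. In practice the key is held by the central logging
# facility, not by the hosts that produce the logs, so a compromised host
# cannot re-seal records it has altered.
DEMO_KEY = b"constructed-demo-key-do-not-use"
GENESIS_TAG = "0" * 64


def _tag(key: bytes, seq: int, prev_tag: str, body: str) -> str:
    # Frame the fields unambiguously: fixed-width tag, length-prefixed body.
    msg = f"{seq}\n{prev_tag}\n{len(body)}\n{body}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_record(chain: List[Dict], body: str, key: bytes = DEMO_KEY) -> Dict:
    """Seal body as the next record of chain and return the new record."""
    seq = len(chain)
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    record = {"seq": seq, "body": body, "tag": _tag(key, seq, prev_tag, body)}
    chain.append(record)
    return record


def make_anchor(chain: List[Dict]) -> Dict:
    """Out-of-band checkpoint kept by the collector: last sequence number and tag."""
    if not chain:
        return {"seq": -1, "tag": GENESIS_TAG}
    return {"seq": chain[-1]["seq"], "tag": chain[-1]["tag"]}


def verify_chain(chain: List[Dict], key: bytes = DEMO_KEY) -> Optional[int]:
    """Return None if every record links correctly, else the index of the first
    record that fails (modified, inserted, deleted-before or reordered)."""
    prev_tag = GENESIS_TAG
    for i, record in enumerate(chain):
        if record["seq"] != i:
            return i  # gap or duplicate in the sequence
        expected = _tag(key, i, prev_tag, record["body"])
        if not hmac.compare_digest(expected, record["tag"]):
            return i  # body or tag altered
        prev_tag = record["tag"]
    return None


def verify_against_anchor(chain: List[Dict], anchor: Dict, key: bytes = DEMO_KEY) -> bool:
    """True only if the chain is intact AND ends exactly where the anchor says."""
    if verify_chain(chain, key) is not None:
        return False
    return make_anchor(chain) == anchor


def demo() -> Dict[str, object]:
    """Build a small chain and show what each tampering scenario looks like."""
    chain: List[Dict] = []
    for body in ("4624 logon alice", "4688 process vssadmin.exe", "1102 audit log cleared"):
        append_record(chain, body)
    anchor = make_anchor(chain)

    modified = [dict(r) for r in chain]
    modified[1]["body"] = "4688 process notepad.exe"  # rewrite one record
    deleted_middle = [chain[0], chain[2]]              # drop the middle record
    truncated = chain[:2]                              # drop the newest record

    return {
        "intact": verify_chain(chain),                                   # None
        "modified_at": verify_chain(modified),                            # 1
        "deleted_at": verify_chain(deleted_middle),                       # 1
        "truncated_chain_ok": verify_chain(truncated),                    # None
        "truncated_anchor_ok": verify_against_anchor(truncated, anchor),  # False
    }
```

The truncation case is the one to remember: a per-record MAC or hash chain proves nothing about records that are simply missing from the end, which is why the anchor (or an equivalent signed checkpoint, or forwarding to write-once storage) belongs in the design alongside the chain.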

Organizations are encouraged to harden and segment their SIEM solutions from general IT environments. SIEMs are attractive targets for malicious actors because they contain a wealth of information, provide an analysis function, and can be a single point of failure in an organization’s detection capability. Organizations should consider filtering event logs before sending them to a SIEM or XDR to ensure it is receiving the most valuable logs to minimize any additional costs or capacity issues.

Centralized Event Logging Enables Threat Detection

The aggregation of event logs to a central logging facility that a SIEM can draw from enables the identification of: 

  • Deviations from a baseline.
    • A baseline should include installed tools and software, user account behavior, network traffic, system intercommunications and other items, as applicable. Particular attention should be paid to privileged user accounts and critical assets such as domain controllers.
    • A baseline is derived by performing an analysis of normal behavior of some user accounts and establishing ‘always abnormal’ conditions for those same accounts.
  • Cyber security events.
    • For the purpose of this document, a cyber security event is an occurrence of a system, service or network state indicating a possible breach of security policy, failure of safeguards or a previously unknown situation that may be relevant to security.
  • Cyber security incidents.
    • For the purpose of this document, a cyber security incident is an unwanted or unexpected cyber security event, or a series of such events, that either has compromised business operations or has a significant probability of compromising business operations.

Timely Ingestion

Timely ingestion of event logs is important in the early detection of cyber security events and cyber security incidents. If the generation, collection and ingestion of event logs is delayed, the organization’s ability to identify cyber security incidents is also delayed.

Detection Strategy for Relevant Threats

Detecting Living Off the Land Techniques

ASD and co-authors recommend that organizations consider implementing user and entity behavioral analytics capabilities to enable automated detection of behavioral anomalies on networks, devices, or accounts. SIEMs can detect anomalous activity by comparing event logs to a baseline of business-as-usual traffic and activity. Behavioral analytics plays a key role in detecting malicious actors employing LOTL techniques. Below is a case study that shows how threat actors leveraged LOTL to infiltrate Windows-based systems.

Case study – Volt Typhoon

Since mid-2021, Volt Typhoon has targeted critical infrastructure organizations by relying almost exclusively on LOTL techniques. Their campaign has been enabled by privately-owned SOHO routers, infected with the ‘KV Botnet’ malware. 

Volt Typhoon uses PowerShell, a command and scripting interpreter, to:

  • Discover remote systems [T1059.001, T1018].
  • Identify associated user and computer account names using the command Get-EventLog security -instanceid 4624 [T1033].
  • Enumerate event logs to search for successful logons using wevtutil.exe and the command Get-EventLog Security [T1654].

Volt Typhoon consistently obtains valid credentials by extracting the Active Directory database file NTDS.dit.[6] 
To do so, Volt Typhoon has been observed to:

  • Execute the Windows-native vssadmin command to create a volume shadow copy [T1006].
  • Use Windows Management Instrumentation Console (WMIC) commands [T1047] to execute ntdsutil.exe to copy NTDS.dit and the SYSTEM registry from the volume shadow copy.
  • Move laterally to the Microsoft Active Directory Domain Services (AD DS) domain controller via an interactive RDP session using a compromised user account with domain administrator privileges [T1021.001].

Other LOTL techniques that Volt Typhoon has been observed to use include:

  • Accessing hashed credentials from the Local Security Authority SubSystem Service (LSASS) process memory space [T1003.001].
  • Using ntdsutil.exe to create installation media from Microsoft AD DS domain controllers, either remote or locally, which contain username and password hashes [T1003.003].
  • Using PowerShell, WMIC, and the ping command, to facilitate system discovery [T1018].
  • Using the built-in netsh portproxy command to create proxies on compromised systems to facilitate access [T1090].

While Volt Typhoon uses LOTL techniques to make detection more difficult, the behaviors that the malware exhibits would be considered abnormal compared to business-as-usual activity and could be used to create detection use cases.

For more information, consider visiting MITRE ATT&CK®’s Volt Typhoon page and the MITRE ATT&CK framework.
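The case study says the observed LOTL behaviours "could be used to create detection use cases". The following is an added example of what those use cases look like as rules over process-creation telemetry; it is not code from the publication or from any vendor. The events are constructed in the shape of Windows 4688 / Sysmon process-creation records (the field names and file paths are assumptions), and the rule matches are taken only from the tools and commands the case study names. Beyond single-event matches, it correlates a shadow copy creation followed by ntdsutil.exe on the same host, which is the NTDS.dit extraction sequence described above and a far stronger signal than either event alone.

```python
"""Detection use cases for the LOTL behaviours in the Volt Typhoon case study
(added example; constructed process-creation events, not real telemetry)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# (rule name, image file name, required command-line substring, ATT&CK technique)
# Substrings are matched case-insensitively; an empty substring matches any use.
RULES = [
    ("shadow_copy_created", "vssadmin.exe", "create shadow", "T1006"),
    ("ntdsutil_executed", "ntdsutil.exe", "", "T1003.003"),
    ("wmic_remote_process", "wmic.exe", "process call create", "T1047"),
    ("netsh_portproxy", "netsh.exe", "portproxy", "T1090"),
    ("eventlog_enumeration", "powershell.exe", "get-eventlog", "T1654"),
]
CHAIN_WINDOW = timedelta(minutes=15)  # shadow copy -> ntdsutil within this window

# Constructed events (4688/Sysmon-like shape). Command lines are abbreviated.
EVENTS = [
    {"ts": "2024-05-01T03:12:00", "host": "DC01", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe create shadow /for=C:"},
    {"ts": "2024-05-01T03:14:30", "host": "DC01", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\ntdsutil.exe", "cmdline": "ntdsutil.exe ifm"},
    {"ts": "2024-05-01T03:20:00", "host": "WS17", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe Get-EventLog security -instanceid 4624"},
    {"ts": "2024-05-01T03:25:00", "host": "WS17", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\netsh.exe", "cmdline": "netsh.exe interface portproxy add v4tov4"},
    # Routine inventory query by helpdesk: wmic.exe, but no remote process creation.
    {"ts": "2024-05-01T09:00:00", "host": "WS22", "user": "CORP\\helpdesk",
     "image": "C:\\Windows\\System32\\wbem\\wmic.exe", "cmdline": "wmic.exe os get caption"},
]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(events: List[Dict]) -> List[Dict]:
    """Single-event matches: the tool and the command-line fragment both present."""
    hits = []
    for e in events:
        img, cmd = image_name(e["image"]), e["cmdline"].lower()
        for name, image, needle, technique in RULES:
            if img == image and needle in cmd:
                hits.append({"rule": name, "technique": technique, "host": e["host"],
                             "user": e["user"], "ts": e["ts"], "severity": "medium"})
    return hits


def correlate_ntds_chain(hits: List[Dict]) -> List[Dict]:
    """Shadow copy then ntdsutil on the same host within CHAIN_WINDOW: high severity."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    chains = []
    for host, hs in by_host.items():
        shadows = [h for h in hs if h["rule"] == "shadow_copy_created"]
        dumps = [h for h in hs if h["rule"] == "ntdsutil_executed"]
        for s in shadows:
            for d in dumps:
                gap = datetime.fromisoformat(d["ts"]) - datetime.fromisoformat(s["ts"])
                if timedelta(0) <= gap <= CHAIN_WINDOW:
                    chains.append({"rule": "ntds_extraction_chain", "technique": "T1003.003",
                                   "host": host, "user": d["user"], "ts": d["ts"],
                                   "severity": "high"})
    return chains


def analyse(events: List[Dict]) -> List[Dict]:
    hits = match_rules(events)
    return hits + correlate_ntds_chain(hits)


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f["severity"], f["rule"], f["host"], f["user"], f["ts"])
```

Every tool here is also used legitimately (backup agents run vssadmin, administrators run Get-EventLog), so in a production SIEM these rules are tuned against the organization's baseline, for example by exempting the backup service account on hosts where it is expected, rather than alerting on every match. The sequence rule is what turns medium-confidence tool sightings into a finding worth waking someone up for.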

Examples of anomalous behavior can include:

  • A user logging in during unusual hours (e.g. non-working hours, holidays or on leave).
  • An account accessing services that it does not usually access; for example, administrator or HR services.
  • A user logging in using an unusual device.
  • A high volume of access attempts.
  • Instances of impossible travel[7] or concurrent sign-ins from multiple geographic locations.
  • Downloading or exporting a large volume of data.[8]
  • Network logins without defined computer access or physical access log validation.
  • A single IP address attempting to authenticate as multiple different users.
  • The creation of user accounts, or disabled accounts being re-enabled, especially accounts with administrative privileges.
  • Netflow data indicating one device talking to other internal devices it normally does not connect to.
  • Unusual script execution, software installation, or use of administrative tools.
  • Unexpected clearing of logs.
  • Execution of a process from an unusual or suspicious path.
  • Configuration changes to security software, such as Windows Defender, and logging management software.

Note that the above items could be legitimate behavior and not malicious activity. In these instances, further investigation by a network defender is required to determine if they are, in fact, evidence of a cyber security event.
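The baseline-deviation idea under "Centralized Event Logging Enables Threat Detection" and the list of anomalous behaviors above come together in the following added example; it is not code from the publication. Assuming a per-user baseline (usual sign-in hours and known devices, which the guidance says is derived from analysing normal behaviour; here it is hard-coded) and sign-in events that a SIEM has already normalised and geo-enriched (field names are assumptions, records are constructed), it checks four of the listed behaviors: sign-in at unusual hours, sign-in from an unusual device, impossible travel, and a single IP address authenticating as multiple different users.

```python
"""Baseline-deviation checks over sign-in events (added example; constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

# Constructed, normalised sign-in events. geo is (lat, lon) resolved from the
# source IP by an enrichment step; ok is whether authentication succeeded.
EVENTS = [
    {"ts": "2024-03-04T09:02:00", "user": "alice", "ip": "203.0.113.10", "geo": (51.5, -0.12), "device": "alice-laptop", "ok": True},
    {"ts": "2024-03-04T09:40:00", "user": "alice", "ip": "198.51.100.7", "geo": (40.7, -74.0), "device": "alice-laptop", "ok": True},
    {"ts": "2024-03-04T02:15:00", "user": "bob", "ip": "203.0.113.44", "geo": (51.5, -0.12), "device": "unknown-host", "ok": True},
    {"ts": "2024-03-04T10:00:00", "user": "carol", "ip": "192.0.2.9", "geo": (48.8, 2.35), "device": "carol-pc", "ok": False},
    {"ts": "2024-03-04T10:00:05", "user": "dave", "ip": "192.0.2.9", "geo": (48.8, 2.35), "device": "carol-pc", "ok": False},
    {"ts": "2024-03-04T10:00:09", "user": "erin", "ip": "192.0.2.9", "geo": (48.8, 2.35), "device": "carol-pc", "ok": False},
]

# Constructed per-user baseline: usual sign-in hours and known devices.
BASELINE = {
    "alice": {"hours": range(7, 20), "devices": {"alice-laptop"}},
    "bob": {"hours": range(7, 20), "devices": {"bob-desktop"}},
}

MAX_SPEED_KMH = 900.0           # faster than an airliner: impossible travel
SHARED_IP_USERS = 3             # distinct users from one IP ...
SHARED_IP_WINDOW = timedelta(minutes=5)  # ... within this window


def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect(events: List[Dict], baseline: Dict) -> List[Dict]:
    findings = []
    by_user, by_ip = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        e = dict(e, dt=datetime.fromisoformat(e["ts"]))
        by_user[e["user"]].append(e)
        by_ip[e["ip"]].append(e)

    for user, evs in by_user.items():
        profile = baseline.get(user)
        for prev, cur in zip([None] + evs, evs):
            if profile:
                if cur["dt"].hour not in profile["hours"]:
                    findings.append({"rule": "unusual_hours", "user": user, "ts": cur["ts"]})
                if cur["device"] not in profile["devices"]:
                    findings.append({"rule": "unusual_device", "user": user, "ts": cur["ts"]})
            # Impossible travel: two successful sign-ins too far apart for the elapsed time.
            if prev and prev["ok"] and cur["ok"]:
                hours = (cur["dt"] - prev["dt"]).total_seconds() / 3600
                km = haversine_km(prev["geo"], cur["geo"])
                if hours > 0 and km / hours > MAX_SPEED_KMH:
                    findings.append({"rule": "impossible_travel", "user": user,
                                     "ts": cur["ts"], "km": round(km)})

    for ip, evs in by_ip.items():
        # One source address trying many accounts in a short window (spraying pattern).
        for i, e in enumerate(evs):
            window = [x for x in evs[i:] if x["dt"] - e["dt"] <= SHARED_IP_WINDOW]
            users = {x["user"] for x in window}
            if len(users) >= SHARED_IP_USERS:
                findings.append({"rule": "shared_ip_many_users", "ip": ip,
                                 "ts": e["ts"], "users": sorted(users)})
                break
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS, BASELINE):
        print(f)
```

As the note above says, each finding is a lead for a network defender, not a verdict: the off-hours sign-in may be an on-call engineer, and the shared address may be a corporate proxy, so the detector returns structured findings for triage rather than deciding on its own.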

To detect threats on endpoints such as user devices, organizations should consider implementing an endpoint detection and response solution. These solutions enable an organization to monitor malicious activity, such as malicious actors disabling security monitoring services, and process creation events with enhanced detail and fidelity.

Following the guidance in this publication to improve the collection and centralization of event logs will improve an organization’s ability to undertake effective threat hunting to proactively investigate LOTL compromises. Organizations should consider conducting threat hunting on their networks as a proactive measure to detect cyber security incidents. This is a particularly effective activity for detecting malicious actors employing LOTL techniques.

Organizations may also consider the following methods to increase the effectiveness of detecting potential LOTL techniques:

Cloud Considerations

The joint-sealed publication Identifying and Mitigating Living Off the Land Techniques contains detailed detection guidance for cloud environments. One point states that if machine learning-powered detection capabilities are available within cloud provider security services, organizations should consider leveraging these capabilities and provide log data in real time from multiple sources to enhance log analysis. Using machine learning allows for the detection of anomalous behaviors that may indicate malicious activity. These include irregular API call patterns (especially those that involve changes to security groups, configuration of cloud resources or access to sensitive data), unusual cloud storage access and atypical network traffic.
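The paragraph above names three anomaly classes for cloud environments: irregular API call patterns (especially changes to security groups and resource configuration), unusual storage access, and atypical traffic. The following is an added example, not code from either publication or from any cloud provider, of the simplest baseline-driven version of the first two; a provider's machine-learning detection does the same job with a learned model instead of the hand-built baseline here. The events are constructed in a CloudTrail-like shape (the field names, principal names, bucket names and thresholds are all assumptions).

```python
"""Baseline-driven detection of irregular cloud API call patterns
(added example; constructed audit-log records, not real data)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# API calls that change security groups, resource configuration or access policy.
SECURITY_CHANGING_APIS = {
    "AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
    "PutBucketPolicy", "AttachUserPolicy",
}
NETWORK_ADMINS = {"role/NetworkAdmin"}   # constructed: principals expected to make such changes
SENSITIVE_BUCKETS = {"hr-records"}       # constructed: storage holding sensitive data
BULK_READ_THRESHOLD = 50                 # reads of sensitive storage ...
BULK_READ_WINDOW = timedelta(minutes=10) # ... within this window

# Constructed learning-period history: which principal normally calls which API.
HISTORY: List[Tuple[str, str]] = [
    ("role/AppServer", "GetObject"), ("role/AppServer", "PutObject"),
    ("role/NetworkAdmin", "AuthorizeSecurityGroupIngress"),
    ("user/analyst", "GetObject"), ("user/analyst", "ListBuckets"),
]


def _evt(time: str, principal: str, event_name: str, resource: str) -> Dict:
    return {"time": time, "principal": principal, "eventName": event_name, "resource": resource}


_T0 = datetime(2024, 6, 1, 10, 0, 0)
# Constructed events to analyse: one unauthorized security-group change, one routine
# read, one authorized change, one first-seen API call, and a burst of sensitive reads.
NEW_EVENTS = [
    _evt("2024-06-01T10:00:00", "role/AppServer", "AuthorizeSecurityGroupIngress", "sg-0a1b2c"),
    _evt("2024-06-01T10:01:00", "role/AppServer", "GetObject", "app-assets"),
    _evt("2024-06-01T10:02:00", "role/NetworkAdmin", "AuthorizeSecurityGroupIngress", "sg-0a1b2c"),
    _evt("2024-06-01T10:03:00", "user/analyst", "ListUsers", "iam"),
] + [
    _evt((_T0 + timedelta(seconds=5 * i)).isoformat(), "user/analyst", "GetObject", "hr-records")
    for i in range(60)
]


def learn_baseline(history: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Per-principal set of API names observed during the learning period."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for principal, event_name in history:
        baseline[principal].add(event_name)
    return baseline


def detect(events: List[Dict], baseline: Dict[str, Set[str]]) -> List[Dict]:
    findings = []
    sensitive_reads = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        p, name = e["principal"], e["eventName"]
        if name in SECURITY_CHANGING_APIS and p not in NETWORK_ADMINS:
            findings.append({"rule": "unauthorized_security_change", "principal": p,
                             "api": name, "time": e["time"], "severity": "high"})
        elif name not in baseline.get(p, set()):
            # First-seen API for this principal: a deviation from baseline, not proof of harm.
            findings.append({"rule": "new_api_for_principal", "principal": p,
                             "api": name, "time": e["time"], "severity": "medium"})
        if name == "GetObject" and e["resource"] in SENSITIVE_BUCKETS:
            sensitive_reads[p].append(datetime.fromisoformat(e["time"]))

    for p, times in sensitive_reads.items():
        # Sliding window over this principal's reads of sensitive storage.
        for i, t in enumerate(times):
            n = sum(1 for u in times[i:] if u - t <= BULK_READ_WINDOW)
            if n >= BULK_READ_THRESHOLD:
                findings.append({"rule": "bulk_sensitive_read", "principal": p, "count": n,
                                 "time": t.isoformat(), "severity": "high"})
                break
    return findings


if __name__ == "__main__":
    for f in detect(NEW_EVENTS, learn_baseline(HISTORY)):
        print(f["severity"], f["rule"], f["principal"], f.get("api", f.get("count")))
```

The ordering in detect matters: a security-group change by an unexpected principal is reported as such even when that principal has never called the API before, so the high-severity rule is not masked by the generic first-seen rule. The bulk-read rule fires once per principal per window; a real pipeline would also feed these findings in real time, as the paragraph recommends, rather than batch them.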

Operational Technology Considerations

Effective detection in an OT environment typically involves expertise from both IT and OT personnel; thus, effective network security instrumentation involves collaborative efforts from both parties. This collaborative approach helps ensure that network defenders can quickly investigate relevant issues, and OT experts can raise operational concerns that may be tied to a cyber security incident. Furthermore, network defenders should leverage real-time alerts to determine any abnormal activity on an OT network. These alerts can include safety data, availability data, logins, failed logins[9], configuration changes, and network access and traffic. Organizations may need to consider whether alerts for OT environments should be approached differently. For example, OT devices may be in remote or hard-to-reach locations.

For detecting anomalous behavior in OT environments, look for:

  • Unexpected use of engineering and configuration tools.
  • Abnormal use of vendor or third-party accesses, maintenance methods, or remote monitoring.
  • Unauthorized updates or changes to operating systems, software, firmware, configurations, or databases.
  • Unexpected communication between the control system and external network or unusual communication between components that do not usually communicate.
  • Execution of scripts that are not part of regular operations.

Intrusion detection and intrusion prevention systems (IDS/IPS) are often designed with rules based on IT protocols; therefore, they may be more useful in OT operation systems or the OT demilitarized zone (DMZ) than in supervisory and process areas. Note, it is not recommended to deploy an IPS unless it is tailored to the OT environment, or is outside of critical process control. An IPS risks interrupting critical OT devices.

Additional Guidance

For further guidance, consider visiting: 

Footnotes

[1] While the audience for the cited guidance is U.S. Federal Civilian Executive Branch agencies, it may provide useful guidance to all entities regarding logging best practices.
[2] While only binding on U.S. Federal information systems, excluding national security systems, this memorandum may provide useful guidance to all entities regarding logging best practices.
[3] CISA’s “First 48”: What to Expect When a Cyber Incident Occurs
[4] The prioritized list focuses on logs that enable the detection of a malicious actor operating remotely. In this context, collecting logs from an air-gapped system is not a high priority unless malicious insiders are a concern.
[5] MDM and MAM events are likely to be server-sent events, but they may also be generated by software deployed to the mobile device.
[6] NTDS.dit contains usernames, hashed passwords, and group memberships for all domain accounts, allowing for full domain compromise if the hashes can be cracked offline.
[7] Impossible travel occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the time period between the logins).
[8] Large/continuous data exports should be alerted by default.
[9] Note that not all successful authentication events will be benign (e.g., credential theft or malicious insiders).

Disclaimer

The material in this guide is of a general nature and should not be regarded as legal advice or relied on for assistance in any particular circumstance or emergency situation. In any important matter, you should seek appropriate independent professional advice in relation to your own circumstances.

CISA and the Commonwealth of Australia accept no responsibility or liability for any damage, loss or expense incurred as a result of the reliance on information contained in this guide.

Copyright

© Commonwealth of Australia 2024.

All material presented in this publication is provided under a Creative Commons (CC) Attribution 4.0 International license.

For the avoidance of doubt, this means this license only applies to material as set out in this document.

The details of the relevant license conditions are available on the Creative Commons website as is the full legal code for the CC BY 4.0 license.

Joint ODNI, FBI, and CISA Statement on Iranian Election Influence Efforts

Source: US Department of Homeland Security

WASHINGTON, D.C. – Today, the Office of the Director of National Intelligence (ODNI), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) released the following statement: 

“As each of us has indicated in prior public statements, Iran seeks to stoke discord and undermine confidence in our democratic institutions. Iran has furthermore demonstrated a longstanding interest in exploiting societal tensions through various means, including through the use of cyber operations to attempt to gain access to sensitive information related to U.S. elections. In addition to these sustained efforts to complicate the ability of any U.S. administration to pursue a foreign policy at odds with Iran’s interests, the IC has previously reported that Iran perceives this year’s elections to be particularly consequential in terms of the impact they could have on its national security interests, increasing Tehran’s inclination to try to shape the outcome. We have observed increasingly aggressive Iranian activity during this election cycle, specifically involving influence operations targeting the American public and cyber operations targeting Presidential campaigns. 

This includes the recently reported activities to compromise former President Trump’s campaign, which the IC attributes to Iran. The IC is confident that the Iranians have through social engineering and other efforts sought access to individuals with direct access to the Presidential campaigns of both political parties. Such activity, including thefts and disclosures, is intended to influence the U.S. election process. It is important to note that this approach is not new. Iran and Russia have employed these tactics not only in the United States during this and prior federal election cycles but also in other countries around the world.

Protecting the integrity of our elections from foreign influence or interference is our priority.  As the lead for threat response, the FBI has been tracking this activity, has been in contact with the victims, and will continue to investigate and gather information in order to pursue and disrupt the threat actors responsible. We will not tolerate foreign efforts to influence or interfere with our elections, including the targeting of American political campaigns. As an interagency we are working closely with our public and private sector partners to share information, bolster security, and identify and disrupt any threats.  Just as this activity demonstrates the Iranians’ increased intent to exploit our online platforms in support of their objectives, it also demonstrates the need to increase the resilience of those platforms. Using strong passwords and only official email accounts for official business, updating software, avoiding clicking on links or opening attachments from suspicious emails before confirming their authenticity with the sender, and turning on multi-factor authentication will drastically improve online security and safety.

The FBI and CISA encourage campaigns and election infrastructure stakeholders to report information concerning suspicious or criminal activity to their local Election Crime Coordinators via FBI field office (), by calling 1-800-CALL-FBI (1-800-225-5324), or online at ic3.gov. Cyber incidents impacting election infrastructure can also be reported to CISA by calling 1-844-Say-CISA (1-844-729-2472), emailing report@cisa.dhs.gov, or reporting online at cisa.gov/report. Election infrastructure stakeholders and the public can find additional resources about how to protect against cyber and physical threats at CISA’s #PROTECT2024 (https://www.cisa.gov/protect2024).”

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram.

DHS Statement on Safety and Enforcement During Hurricane Ernesto

Source: US Department of Homeland Security

During emergency events, the Department of Homeland Security (DHS) works with its federal, state, local, and non-governmental partners to support the needs of the people in the areas that may be impacted.

In such circumstances, U.S. Immigration and Customs Enforcement (ICE) and U.S. Customs and Border Protection (CBP) remind the public that sites that provide emergency response and relief are considered protected areas. To the fullest extent possible, ICE and CBP do not conduct immigration enforcement activities at protected areas such as along evacuation routes, sites used for sheltering or the distribution of emergency supplies, food or water, or registration sites for disaster-related assistance or the reunification of families and loved ones.

At the request of FEMA or local and state authorities, ICE and CBP may help conduct search and rescue, air traffic de-confliction and public safety missions. ICE and CBP provide emergency assistance to individuals regardless of their immigration status. DHS officials do not and will not pose as individuals providing emergency-related information as part of any enforcement activities.

DHS is committed to ensuring that every individual who seeks shelter, aid, or other assistance as a result of a natural disaster or emergency event is able to do so regardless of their immigration status.

DHS carries out its mission without discrimination on the basis of race, religion, gender, sexual orientation or gender identity, ethnicity, disability or political associations, and in compliance with law and policy.

For information about filing a complaint with the DHS Office for Civil Rights and Civil Liberties about these matters, please visit our Make a Civil Rights Complaint page.

FBI and CISA Release Joint PSA, Just So You Know:  Ransomware Disruptions During Voting Periods Will Not Impact the Security and Resilience of Vote Casting or Counting

Source: US Department of Homeland Security

WASHINGTON – Today, as part of their public service announcement (PSA) series to put potential election day cyber related disruptions during the 2024 election cycle into context for the American people, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly released Just So You Know: Ransomware Disruptions During Voting Periods Will Not Impact the Security and Resilience of Vote Casting or Counting. FBI and CISA are issuing this PSA to inform the public that while ransomware attacks against state or local government networks or election infrastructure could cause localized delays, they will not compromise the security or accuracy of vote casting or counting processes.

To date, any successful ransomware attack on election infrastructure tracked by the FBI and CISA has remained localized and successfully managed with minimal disruption to election operations and no impact on the security or accuracy of ballot casting or tabulation processes or systems. In prior U.S. and foreign elections, malicious actors have sought to spread or amplify false or exaggerated claims about cyber incidents in an attempt to manipulate public opinion, discredit the electoral process, or undermine confidence in U.S. democratic institutions. We could see foreign actors attempt to mislead American voters about the actual impact of a ransomware event on elections in this election cycle as part of their larger foreign malign influence campaigns.

It is important for the public to know that election officials use a multi-layer approach to security that employs a variety of technological, physical, and procedural controls to prevent cyber intrusions, like ransomware, from impacting the security and resilience of vote casting and counting systems.

“While ransomware continues to be a significant cybersecurity concern, it is important to note that security measures put in place by election officials and election vendors ensure these incidents will not impact the security of the vote casting or tabulation systems and processes,” said CISA Senior Advisor Cait Conley. “We will continue to work tirelessly with our election infrastructure partners to uphold the American people’s confidence in 2024 elections and our democratic process.”

“Combatting ransomware attacks is a top priority for the FBI, especially during elections,” said FBI Cyber Division Deputy Assistant Director Cynthia Kaiser. “While the FBI will continue to leverage its tools and partnerships to combat cyber criminals, the public should be aware that ransomware is extremely unlikely to affect the integrity of voting systems or the electoral process.”

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram.

U.S. Department of Homeland Security Recognizes 190 Employees at Secretary’s Award Ceremony in Georgia

Source: US Department of Homeland Security

GLYNCO – On August 15, the U.S. Department of Homeland Security (DHS) hosted an awards ceremony at the Federal Law Enforcement Training Center (FLETC) Headquarters in Glynco, Georgia, where 190 employees received a Secretary’s Award in recognition of their outstanding contributions to the Department’s mission.

“Every single day, with great determination, integrity, and skill, the 268,000 men and women of the Department of Homeland Security ensure the safety and security of the American people,” said Secretary of Homeland Security Alejandro N. Mayorkas. “Thanks to these extraordinary public servants, our shores, harbors, skies, cyberspace, and borders are protected; fentanyl and other deadly drugs are prevented from entering our country; communities are able to recover and rebuild after a natural disaster; the scourges of human trafficking, forced labor, and online exploitation are mitigated; and so much more. The individuals we recognize today with our Department’s highest honor, the Secretary’s Award, reflect the very best of DHS – and in their selfless dedication to mission, the very best of public service.”

The DHS Secretary’s Awards are an annual program that recognizes the extraordinary individual and collective achievements of the workforce. The 190 awardees recognized in today’s ceremony represent FLETC, U.S. Citizenship and Immigration Services (USCIS), Transportation Security Administration (TSA), U.S. Coast Guard (USCG), Immigration and Customs Enforcement (ICE), Cybersecurity and Infrastructure Security Agency (CISA), U.S. Customs and Border Protection (CBP), Federal Emergency Management Agency (FEMA), Countering Weapons of Mass Destruction Office (CWMD) and the Management (MGMT) directorate.

“In recognizing these outstanding DHS personnel with a Secretary’s Award, we recognize all our talented personnel; the achievements of one are not possible without the contributions of others,” added Secretary Mayorkas. “We also express our appreciation to their families and loved ones; when one serves, the family serves too.”

This year’s award recipients developed and issued policy and procedures associated with a whole-scale transition to a new pay system for TSA; launched a series of coordinated and collaborative initiatives, operations and investigations targeting Transnational Criminal Organizations (TCOs) and national security threats operating and transiting through the Darien Gap region; arrested over 8,000 human smugglers, produced over 5,000 intelligence reports, and seized over $38M USD in real property; ensured over 2,300 vital alerts and warnings were provided to owners and operators of critical infrastructure to protect against cyberattacks; among many other achievements.

This year, DHS is holding nine Secretary’s Awards ceremonies across the country, honoring over 1,700 employees, the most annual awardees ever.

Last year, Secretary Mayorkas unveiled 12 priorities for the Department, including a commitment to champion the workforce and transform the employee experience. DHS has the third largest workforce of any federal department, behind the Department of Defense and Department of Veterans Affairs. The Department is home to more than 92,000 sworn law enforcement officers, the greatest number of law enforcement officers of any department in the federal government. DHS has committed to increasing the representation of women in law enforcement or related occupations at DHS to 30% by 2030. Over 54,000 veterans, or nearly 21% of the workforce, continue serving their country by working at DHS.

DHS operational components interact more frequently on a daily basis with the American public than any other federal department, from travelers moving through air, land, and sea ports of entry, to businesses importing goods into the country, to immigrants applying for services. To learn more about the impact DHS makes every day, visit: DHS.gov/TodayDHSWill.

Last year, DHS improved the efficiency of processing noncitizens at the Southwest Border, deployed across the country to respond to natural disasters, investigated cybercrimes, created a new streamlined process for adjudicating asylum applications, safely and securely resettled nearly 90,000 evacuated Afghans in the United States, provided resources for organizations to enhance their cybersecurity resilience, established a process for Ukrainian nationals seeking refuge, secured the 2022 midterm elections, and demonstrated heroism by acting quickly and courageously to save lives in harrowing circumstances.  

For the full list of awardees, visit 2024 Secretary’s Awards | Homeland Security (dhs.gov).

###

DHS Marks Back to School Season with New Resources for Schools, Educators to Recognize and Prevent Online Child Exploitation

Source: US Department of Homeland Security

WASHINGTON – Today, the Department of Homeland Security (DHS) is sharing new resources for educators, school administrators, coaches, and others who work with kids and teens to better understand the risks of online child sexual exploitation and abuse (CSEA) and help them stay safe online. For the first time, Know2Protect, DHS’s national public awareness campaign to prevent online CSEA, is providing tips and classroom materials directly targeted for educators, with the goal of raising awareness of the importance of internet safety as part of everyone’s back-to-school routine. These Know2Protect resources are part of a new Back2School campaign that is connecting with dozens of teaching groups, educational associations, youth-serving organizations, and other partners who can reach kids in schools during the academic year.

“The dangerous and too-often tragic reality is that predators target children online,” said Secretary of Homeland Security Alejandro N. Mayorkas. “Last year, there were more than 36 million reports of online child sexual exploitation worldwide. To combat this scourge, our Know2Protect campaign is equipping teachers, school administrators, and others – the trusted and well-positioned adults in whom children often confide – to help their students identify and prevent this crime. With a better understanding of online child sexual exploitation, tips for how to spot it when it occurs, and guidance on how to report incidents, we can protect our children online and save them from abuse and tragedy.”

“The Know2Protect Back2School resources are easy to understand, and they will help ensure that our Scouting parents and youth are better prepared to stay safe online,” explained Glen Pounder, Senior Vice President, and Chief Safeguarding Officer at Scouting America. “We are proud of our partnership with DHS and honored to be on the front line helping to protect children and youth online.”

“Empowering children with the knowledge to recognize and avoid the dangers of exploitation and abuse is critical in our mission to help make sure every child has a safe childhood,” said Derrick Driscoll, Chief Operating Officer of the National Center for Missing & Exploited Children. “Educational tools and resources, like DHS’s Know2Protect Back2School campaign, play a vital role in this effort. We are honored to partner with them, as together, we can make a real difference in protecting and educating our children.”

“Educators are often the first responders when it comes to dealing with the real-world impact of the horror of online child exploitation and abuse,” said American Federation of Teachers President Randi Weingarten. “They are dedicated to helping kids stay safe and to supporting them socially and emotionally when they encounter criminal activity. This back-to-school season, we are proud to be working with DHS to protect students and their families from this imminent and evolving threat.”

“Research shows the connection between students’ feelings of safety and security and the ability of their brains to learn,” said Elisa Villanueva Beard, Chief Executive Officer, Teach For America, and Chair, Homeland Security Academic Partnership Council (HSAPC). “DHS’s Know2Protect campaign and the resources they are providing are important steps to raise awareness of the prevalence of online threats against our country’s most precious resource, our children, and the need for all of us to be active in the effort to address these threats. Working together, we can ensure every child can learn, lead, and thrive without fear of being targeted online.”

“Keeping students safe online can sometimes feel like an overwhelming task for educators and parents alike,” said Suzanne Walsh, President of Bennett College. “Know2Protect’s Back2School campaign brings all relevant resources into one location. These resources are easy to access and use to help adults help students.”

One in five children receives an unwanted sexual solicitation online every year, according to statistics from the Department of Justice. Educating children and teens about these risks and what to do if they are targeted by online predators is key to preventing these heinous crimes. To reach more kids and teens during the busy back-to-school season, Know2Protect is supporting teachers, coaches, and school administrators who will spend more time with kids as the school year starts.

To reach as many students as possible, Know2Protect is connecting with dozens of youth-serving and educational associations across the country to share our Back2School resources. Know2Protect has developed several important educational, age-appropriate, downloadable #Back2School with Know2Protect resources to help keep kids safe online:

  • Resources2Educate, including our short iGuardian Training Videos, Tips2Identify Exploitation and Abuse for Educators, and other tips for kids, teens, and parents to stay safe online.
  • Resources2Send Home, such as the Know2Protect First Day of School Picture Sign, a Family Online Safety Agreement, and an Internet Safety Checklist to prompt families to think about online safety at home.
  • Resources2Display in Your School, such as digital and printable posters and tipsheets to display in classrooms, hallways, and more.
  • Activities for the Classroom, such as 10 Minutes2Protect activities using Tips2Protect for Teens, Crossword Puzzle, Word Search, All-out Bingo, Project iGuardian Coloring Pages, and Project iGuardian Avatars.

Educators and administrators can also book a free in-person or virtual training for their school, their after-school program, a teacher/staff lunch-and-learn, or a PTA meeting. These age-appropriate educational presentations are provided by special agents from Homeland Security Investigations (HSI) and the U.S. Secret Service. To date, Know2Protect has educated over 82,900 adults and children and completed over 1,000 events and presentations to spread awareness and prevention tactics about online CSEA. To request a presentation, please visit www.know2protect.gov/training. The campaign is committed to reaching more than 100,000 people through trainings by the end of this school year.

The Back2School resources build on Know2Protect’s ongoing efforts to reach children, parents, and trusted adults where they are through innovative partnerships with technology companies, national and international sports leagues, youth-serving organizations and nonprofits, and other private sector partners. Starting in August, Project iGuardian, Know2Protect’s in-person educational arm, is teaming up with the National Association of Police Athletic/Activities Leagues (PAL), which has over 300 chapters serving two million youth annually, to provide in-person training. Lamar Advertising is featuring public service announcements from Know2Protect on digital billboards across the country. NASCAR is featuring educational content for children on its NASCAR Kids homepage and disseminating tips for partners through its online newsletter. More partner activations are set to launch in the coming days and weeks.

Know2Protect is the first federal government campaign focused on the education and prevention of online CSEA. The campaign’s mission is to mobilize young people, parents, educators, and community leaders to learn the signs of this crime, what they can do to prevent it, how to report it to law enforcement, and how they can support survivors. Since its launch in April, DHS has established partners in government, education, sports, technology, youth-serving organizations, and several other industries to meet people where they are and deliver the campaign’s preventative tips to keep kids safe.

Early intervention is crucial. If exploitation happens, approach conversations with care and empathy and report immediately to the Know2Protect Tipline at 833-591-KNOW (5669) or visit the NCMEC CyberTipline at https://report.cybertip.org. All information received via the Tipline will be reviewed by appropriate personnel and referred to HSI field offices for potential investigation.

CISA Adds Six Known Exploited Vulnerabilities to Catalog

Source: US Department of Homeland Security

CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

  • CVE-2024-38189 Microsoft Project Remote Code Execution Vulnerability
  • CVE-2024-38178 Microsoft Windows Scripting Engine Memory Corruption Vulnerability
  • CVE-2024-38213 Microsoft Windows SmartScreen Security Feature Bypass Vulnerability
  • CVE-2024-38193 Microsoft Windows Ancillary Function Driver for WinSock Privilege Escalation Vulnerability
  • CVE-2024-38106 Microsoft Windows Kernel Privilege Escalation Vulnerability
  • CVE-2024-38107 Microsoft Windows Power Dependency Coordinator Privilege Escalation Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
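As an added example (not CISA's tooling), the triage a vulnerability-management team might run against its copy of the catalog: it assumes the field names of the published KEV JSON feed (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`), and every date and host name below is a constructed placeholder, not a value from the real catalog.

```python
"""Triage scan findings against a CISA KEV catalog snapshot, BOD 22-01 style.

Added example, not CISA tooling. It assumes the field names of the published
KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate). Every date
below is a constructed placeholder, not a value taken from the real catalog.
"""
import json
from datetime import date

# Constructed snapshot of the feed: the six CVE IDs from the advisory above,
# with placeholder dateAdded/dueDate values.
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-38189", "vendorProject": "Microsoft", "product": "Project",
         "dateAdded": "2024-08-13", "dueDate": "2024-09-03"},
        {"cveID": "CVE-2024-38178", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2024-08-13", "dueDate": "2024-09-03"},
        {"cveID": "CVE-2024-38213", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2024-08-13", "dueDate": "2024-09-03"},
        {"cveID": "CVE-2024-38193", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2024-08-13", "dueDate": "2024-09-03"},
        {"cveID": "CVE-2024-38106", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2024-08-13", "dueDate": "2024-09-03"},
        {"cveID": "CVE-2024-38107", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2024-08-13", "dueDate": "2024-09-03"},
    ],
})

# Constructed scanner output, one finding per (host, CVE). The last entry is
# a made-up CVE that is not in the catalog and so falls back to normal cadence.
FINDINGS = [
    {"host": "ws-042", "cve": "CVE-2024-38213"},
    {"host": "ws-042", "cve": "CVE-2024-38193"},
    {"host": "srv-07", "cve": "CVE-2024-38106"},
    {"host": "srv-07", "cve": "CVE-2024-99999"},  # constructed, not in KEV
]

# The IDs the advisory says were added; used to detect a stale catalog mirror.
ADVISORY_IDS = {"CVE-2024-38189", "CVE-2024-38178", "CVE-2024-38213",
                "CVE-2024-38193", "CVE-2024-38106", "CVE-2024-38107"}


def load_kev(raw: str) -> dict[str, dict]:
    """Index a KEV feed document by CVE ID so lookups are O(1)."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def missing_from_catalog(kev: dict[str, dict], expected: set[str]) -> set[str]:
    """IDs an advisory announced that this (possibly stale) copy of the feed lacks."""
    return expected - set(kev)


def triage(findings: list[dict], kev: dict[str, dict], today: date) -> list[dict]:
    """Keep only findings whose CVE is in KEV, most overdue first.

    days_overdue is positive once the BOD 22-01 due date has passed and
    negative while time remains, so it doubles as a countdown."""
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            continue  # not known-exploited: normal patch cadence applies
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "host": f["host"],
            "cve": f["cve"],
            "product": f"{entry['vendorProject']} {entry['product']}",
            "due": entry["dueDate"],
            "days_overdue": (today - due).days,
        })
    rows.sort(key=lambda r: (-r["days_overdue"], r["cve"], r["host"]))
    return rows
```

Point `load_kev` at a downloaded copy of the feed and the scanner's real export, and the non-empty result of `missing_from_catalog` is the first thing to fix, since a stale mirror silently hides new due dates.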

DHS Places Additional PRC-Based Companies on the UFLPA Entity List  

Source: US Department of Homeland Security

UFLPA Entity List Will Now Restrict Goods from 73 PRC-Based Companies from Entering the United States 

WASHINGTON – Today, the U.S. Department of Homeland Security (DHS) announced the addition of five entities based in the People’s Republic of China (PRC) to the Uyghur Forced Labor Prevention Act (UFLPA) Entity List, bringing the total entities listed to 73. These additions build on DHS’s commitment to eradicate forced labor and promote accountability for the PRC’s ongoing genocide and crimes against humanity against Uyghurs and other religious and ethnic minority groups in the Xinjiang Uyghur Autonomous Region (XUAR). 

Effective August 9, 2024, U.S. Customs and Border Protection (CBP) will apply a rebuttable presumption that goods produced by Century Sunshine Group Holdings, Ltd.; Kashgar Construction Engineering (Group) Co., Ltd.; Rare Earth Magnesium Technology Group Holdings, Ltd.; Xinjiang Habahe Ashele Copper Co., Ltd.; and Xinjiang Tengxiang Magnesium Products Co., Ltd. will be prohibited from entering the United States. 

“As DHS identifies more entities across different sectors that use or facilitate forced labor, we act to keep their tainted goods out of our nation’s supply chains,” said Secretary of Homeland Security Alejandro N. Mayorkas. “Today’s announcement strengthens our enforcement of the Uyghur Forced Labor Prevention Act and helps responsible companies conduct due diligence so that, together, we can keep the products of forced labor out of our country. We will continue to implement this law with full force in our efforts to fight the exploitation and abuse of the Uyghur people and other persecuted groups and protect a free and fair market.” 

Including the five entities identified today, the FLETF – chaired by DHS and whose member agencies also include the Office of the U.S. Trade Representative and the U.S. Departments of Commerce, Justice, Labor, State, and the Treasury – has added 73 entities to the UFLPA Entity List since the UFLPA was signed into law in December 2021. The UFLPA Entity List includes companies that are active in the apparel, agriculture, polysilicon, plastics, chemicals, batteries, household appliances, electronics, and food additives sectors, among others. Identifying these additional entities provides U.S. importers with more information to conduct due diligence and examine their supply chains for risks of forced labor to ensure compliance with the UFLPA. 

“We have shown again through today’s enforcement actions that the United States is committed to keeping goods made with forced labor out of U.S. supply chains,” said DHS Under Secretary for Policy Robert Silvers, who serves as Chair of the FLETF. “Companies must conduct due diligence and know where their products are coming from. The Forced Labor Enforcement Task Force will continue to designate entities in a variety of sectors that meet the criteria for inclusion on the UFLPA Entity List, and U.S. Customs and Border Protection will continue its vigilant enforcement at our ports.”   

The FLETF has reasonable cause to believe, based on specific and articulable information, that two entities meet the criteria for inclusion under Section 2(d)(2)(B)(ii) of the UFLPA by working with the government of the XUAR to recruit, transport, transfer, harbor or receive forced labor of Uyghurs, Kazakhs, Kyrgyz, or members of other persecuted groups out of the XUAR; two entities meet the criteria for inclusion under Section 2(d)(2)(B)(v) of the UFLPA, which identifies facilities and entities that source material from the XUAR or from persons working with the government of Xinjiang or the Xinjiang Production and Construction Corps for purposes of the “poverty alleviation” program or the “pairing-assistance” program or any other government labor scheme that uses forced labor; and one entity meets both criteria under Sections 2(d)(2)(B)(ii) and (v) of the UFLPA.  

Xinjiang Habahe Ashele Copper Co., Ltd. is a company located in the XUAR that mines nonferrous metals, including zinc, copper and silver. Xinjiang Habahe Ashele Copper Co., Ltd. is a subsidiary of one of the world’s largest mining companies, and produces approximately 10% of that company’s copper and silver. The United States Government has reasonable cause to believe, based on specific and articulable information, that Xinjiang Habahe Ashele Copper Co., Ltd. works with the government of the XUAR to recruit, transport, transfer, harbor, or receive Uyghurs, Kazakhs, Kyrgyz, or members of other persecuted groups out of the XUAR. Information reviewed by the FLETF, including publicly available information, indicates that Xinjiang Habahe Ashele Copper Co., Ltd. works with the Habahe County government of the XUAR to recruit Kazakh workers through PRC labor programs to mine metals, such as zinc, copper, and silver in the XUAR. The FLETF therefore determined that the activities of Xinjiang Habahe Ashele Copper Co., Ltd. satisfy the criteria for addition to the UFLPA Entity List described in section 2(d)(2)(B)(ii).   

Kashgar Construction Engineering (Group) Co., Ltd. is a company based in Kashgar, Xinjiang, China, that manufactures structural components and materials for construction, and is engaged in general construction, construction engineering and operations, and real estate development and operations. The United States Government has reasonable cause to believe, based on specific and articulable information, that Kashgar Construction Engineering (Group) Co., Ltd. works with the government of the XUAR to recruit, transport, transfer, harbor, or receive Uyghurs, Kazakhs, Kyrgyz, or members of other persecuted groups out of the XUAR. Information reviewed by the FLETF, including publicly available information, indicates that Kashgar Construction Engineering (Group) Co., Ltd. has repeatedly participated in the transfer and recruitment of ethnic minorities from Xinjiang, including Uyghurs, through Jiashi County Xinjiang government labor programs. The FLETF therefore determined that the activities of Kashgar Construction Engineering (Group) Co., Ltd. satisfy the criteria for addition to the UFLPA Entity List described in section 2(d)(2)(B)(ii).  

Century Sunshine Group Holdings, Ltd. is a company based in Hong Kong that manufactures magnesium fertilizer and magnesium alloys. The United States Government has reasonable cause to believe, based on specific and articulable information, that Century Sunshine Group Holdings, Ltd. sources material, specifically magnesium, from the XUAR. Information reviewed by the FLETF, including publicly available information, indicates that Century Sunshine Group Holdings, Ltd. has established its magnesium production base in the XUAR through its vertically-integrated subsidiaries, and sources magnesium from the XUAR. The FLETF therefore determined that the activities of Century Sunshine Group Holdings, Ltd. satisfy the criteria for addition to the UFLPA Entity List described in section 2(d)(2)(B)(v).  

Rare Earth Magnesium Technology Group Holdings, Ltd. is a company based in Hong Kong that manufactures and sells magnesium alloy products. The United States Government has reasonable cause to believe, based on specific and articulable information, that Rare Earth Magnesium Technology Group Holdings, Ltd. sources material, specifically magnesium, from the XUAR. Information reviewed by the FLETF, including publicly available information, indicates that Rare Earth Magnesium Technology Group Holdings, Ltd., a principal subsidiary of Century Sunshine Group Holdings, Ltd., operates Century Sunshine Group Holdings, Ltd.’s magnesium product business, and sources magnesium from its magnesium production base located in the XUAR. The FLETF therefore determined that the activities of Rare Earth Magnesium Technology Group Holdings, Ltd. satisfy the criteria for addition to the UFLPA Entity List described in section 2(d)(2)(B)(v).  

Xinjiang Tengxiang Magnesium Products Co., Ltd. is a company based in Hami, Xinjiang, China, that manufactures magnesium and magnesium alloy products. The United States Government has reasonable cause to believe, based on specific and articulable information, that Xinjiang Tengxiang Magnesium Products Co., Ltd. works with the government of the XUAR to recruit, transport, transfer, harbor, or receive Uyghurs, Kazakhs, Kyrgyz, or members of other persecuted groups out of the XUAR. Information reviewed by the FLETF, including publicly available information, indicates that Xinjiang Tengxiang Magnesium Products Co., Ltd. receives Uyghurs or members of other persecuted groups that the local Yizhou District government transfers from Xinjiang. The United States Government also has reasonable cause to believe, based on specific and articulable information, that Xinjiang Tengxiang Magnesium Products Co., Ltd. sources material, specifically the raw materials required to produce magnesium, such as coal and dolomite, from the XUAR. Information reviewed by the FLETF, including publicly available information, indicates that Xinjiang Tengxiang Magnesium Products Co., Ltd., a wholly-owned subsidiary of Rare Earth Magnesium Technology Group Holdings, Ltd. and a principal subsidiary of Century Sunshine Group Holdings, Ltd., operates a magnesium production facility in the XUAR and sources raw materials from the XUAR, including coal and dolomite, to produce magnesium. The FLETF therefore determined that the activities of Xinjiang Tengxiang Magnesium Products Co., Ltd. satisfy the criteria for addition to the UFLPA Entity List described in sections 2(d)(2)(B)(ii) and 2(d)(2)(B)(v).  

The bipartisan Uyghur Forced Labor Prevention Act, signed into law by President Joseph R. Biden, Jr., in December 2021, mandates that CBP apply a rebuttable presumption that goods mined, produced, or manufactured wholly or in part in the XUAR or produced by entities identified on the UFLPA Entity List are prohibited from importation into the United States unless the Commissioner of CBP determines, by clear and convincing evidence, that the goods were not produced with forced labor. CBP began enforcing the UFLPA in June 2022. Since then, CBP has reviewed over 9,000 shipments valued at more than $3.4 billion under the UFLPA. Additionally, Homeland Security Investigations, through the DHS Center for Countering Human Trafficking, conducts criminal investigations into those engaging in or otherwise knowingly benefitting from forced labor, and collaborates with international partners to seek justice for victims.    

Today’s announcement supports President Biden’s Memorandum on Advancing Worker Empowerment, Rights, and High Labor Standards Globally. The memorandum represents the first whole-of-government approach to advance workers’ rights by directing federal agencies engaged abroad to advance internationally recognized labor rights, which includes DHS’s work implementing the UFLPA.  

This expansion of the UFLPA Entity List reflects DHS’s prioritization of efforts to combat the introduction of forced labor into U.S. supply chains. This commitment is outlined in the Department’s recent Quadrennial Homeland Security Review, which added combating crimes of exploitation, including labor exploitation, as the newest and sixth DHS mission. Last month, DHS published updates to the UFLPA strategy, which outlines how the FLETF has significantly advanced our objectives through several initiatives including strong enforcement by CBP; expansion of the UFLPA Entity List; designating new high priority sectors for enforcement; and greater collaboration with stakeholders.

You can read more about the FLETF by visiting: https://www.dhs.gov/uflpa.