T-Mobile Breached Again: A Closer Look at Salt Typhoon’s Espionage Tactics

T-Mobile has found itself in the cybersecurity spotlight yet again. This time, the culprit is Salt Typhoon, a Chinese state-sponsored hacking group. Here’s what we know so far—and why this incident could have far-reaching implications. 

The Attack: What Happened?

T-Mobile recently disclosed that it was targeted by Salt Typhoon. The company claims no customer data was compromised, but federal agencies like the FBI and CISA disagree [2]. According to these agencies, sensitive data—including call records, private messages, and even law enforcement surveillance requests—was accessed. This conflicting information leaves many questioning the true scope of the attack.

Who Is Salt Typhoon?

Salt Typhoon is an Advanced Persistent Threat (APT) group linked to the Chinese government. APTs are not your average hackers—they are elite, well-funded groups that conduct long-term, covert cyber espionage campaigns. In this case, Salt Typhoon targeted telecommunications companies, likely aiming to steal sensitive information for political and strategic gain.

 

How Did They Do It?

Salt Typhoon exploited a vulnerability tied to the Communications Assistance for Law Enforcement Act (CALEA) [5]. This U.S. law mandates that telecom providers include backdoors in their systems to enable legal wiretapping. Unfortunately, these backdoors also create opportunities for exploitation. Salt Typhoon leveraged this loophole to infiltrate telecom networks.

Who Is Affected?

While T-Mobile is the latest victim, Salt Typhoon has reportedly targeted other major U.S. internet service providers, including:

  • AT&T
  • Verizon
  • Lumen Technologies

This suggests a widespread vulnerability across the U.S. telecommunications sector [4].

Why Does It Matter?

Salt Typhoon’s motives seem clear: gather intelligence to advance China’s geopolitical objectives [1]. This includes collecting information on Chinese nationals under U.S. government surveillance, as well as broader political, economic, and technological espionage.

The implications are chilling:

  • Espionage Potential: Stolen data could be used for surveillance or counterintelligence.
  • Economic Risks: Access to critical infrastructure like telecom networks can disrupt commerce.
  • National Security Threats: The ongoing cyberwarfare between nation-states underscores the urgent need for stronger cybersecurity measures.

What’s Next?

Cybersecurity experts warn that this is likely not the last attack from Salt Typhoon. The group is expected to continue targeting U.S. telecommunications and critical infrastructure providers. To mitigate these threats, the industry must prioritize:

  • Regular audits of backdoor mechanisms
  • Collaboration between private companies and government agencies

Key Takeaway

The Salt Typhoon attack on T-Mobile is not just a corporate problem; it’s a national security issue. With critical infrastructure at risk, the need for proactive cybersecurity measures has never been more urgent. As the cyberwarfare between nation-states intensifies, the question remains: Are we prepared to defend against the next attack?

Citations: 

  1. Dark Reading. (2024). Salt Typhoon Targets Telecom in Attack Spree. Retrieved from https://www.darkreading.com/cloud-security/salt-typhoon-tmobile-telecom-attack-spree
  2. InfoSecurity Magazine. (2024). T-Mobile Breached by Chinese Hackers. Retrieved from https://www.infosecurity-magazine.com/news/tmobile-breached-chinese/
  3. The Hacker News. (2024). Chinese Hackers Exploit T-Mobile Systems. Retrieved from https://thehackernews.com/2024/11/chinese-hackers-exploit-t-mobile-and.html
  4. Daniel, L. (2024). T-Mobile Hack Linked to Chinese State-Sponsored Hackers. Forbes. Retrieved from https://www.forbes.com/sites/larsdaniel/2024/11/16/t-mobile-hack-linked-to-chinese-state-sponsored-hackers/
  5. The Wall Street Journal. (2024). T-Mobile Hacked in Massive Chinese Breach of Telecom Networks. Retrieved from https://www.wsj.com/politics/national-security/t-mobile-hacked-in-massive-chinese-breach-of-telecom-networks-4b2d7f92

Did Apple Lie to Us? The Truth Behind M-Series Chips’ Security Promises.

Apple has long championed its commitment to security, boasting campaigns centered around the mantra of “Security. Built right in.” The M-series chips, praised for being “Designed to protect your privacy” and offering “Automatic protections from intruders,” are fundamental to this promise [1]. However, recent revelations have uncovered vulnerabilities in these very chips.

Did Apple Break Their Promise?

Apple’s M-series chips, like the M1, M2, and M3, have a flaw that lets attackers trick the processor into revealing secret encryption keys. This exploit, named GoFetch, targets the chips’ data memory-dependent prefetcher (DMP), which predicts which data will be accessed next [2].

Tech note: DMP is a component within a computer’s processor that works to optimize performance by predicting which data the CPU will need to access from the computer’s memory (RAM) in the near future.

By manipulating this feature, attackers can access the machine’s memory cache and potentially expose encryption keys. Unfortunately, this flaw is inherent in the chip’s design, making it difficult to patch. While cryptographic developers can create mitigation techniques, there’s little users can do to address the issue directly.

Vulnerability Summary: 

Let’s break down the exploit more simply.

Problem: Apple’s M-series chips, found in Mac computers, have a weakness that lets bad actors uncover secret encryption keys.

How: The flaw lies in a part of the chip called the DMP, which guesses what data the computer will need next. Attackers can manipulate this guessing game to peek into the computer’s memory and find encryption keys.

What does this mean: Encryption keys are like secret codes that keep your data safe. If someone gets hold of these keys, they can unlock and see your private information.

Can it be fixed: Unfortunately, the flaw is built into the chip itself, so it’s really hard to patch up. While experts might find ways to make it tougher for attackers, regular users can’t do much to directly fix it.

Final Thoughts: 

In simple terms, it’s like having a lock on your door that you can’t fully trust because someone found a sneaky way to get the key.

But here’s the catch: this flaw isn’t just a software bug that can be patched with a quick update. It’s deeply ingrained in the chip’s design, leaving users and experts alike scrambling for solutions in the face of an unfixable problem.

Ultimately, this vulnerability highlights the stark truth that no matter how carefully designed a system may be, it is still susceptible to exploitation. It prompts consideration of the complex relationship between innovation and security, stressing the ongoing necessity to remain watchful in response to constantly changing threats. As users, it’s vital for us to acknowledge this vulnerability and support the adoption of strong security measures, understanding that achieving complete security may be difficult.

Scattered Spider is Causing Arachnophobia

Why is there so much fear around Scattered Spider? 

Are they employing more sophisticated attack methods, or are systems becoming less proactive in defending against these threats?

Let’s talk tech!

Who is Scattered Spider?

Scattered Spider, also identified as UNC3944, is a financially driven threat actor group recognized for its adept application of social engineering techniques to breach targeted devices. They exhibit persistence, subtlety, and swiftness in their activities. Upon gaining access, Scattered Spider refrains from deploying specialized malware and, instead, depends on existing remote management tools to sustain their access.

This threat actor group first emerged in May 2022 and gained greater recognition in September 2023 due to their cyber attack on the casino industry leader MGM.

MGM Breach: 

According to reports, this group successfully infiltrated MGM’s systems by conducting open-source intelligence (OSINT) on employees, gathering enough information to subsequently impersonate them, and then reached out to the IT help desk to obtain access to credentials. 

This form of social engineering attack is referred to as “vishing.” It involves gaining access to systems through persuasive phone calls, as opposed to “phishing,” which is typically carried out via email.

Historically, Scattered Spider utilizes a combination of the following social engineering techniques to gain login control:

SMS phishing. Utilizes text messages on mobile devices to deceive individuals into downloading malicious software, disclosing sensitive information, or transferring funds.

SIM swapping. The malicious actor attempts to take control of an individual’s phone number by having the victim’s mobile carrier assign the phone number to a new SIM card.

MFA fatigue. The hacker initially acquires the target’s login credentials and then persistently triggers multi-factor authentication (MFA) notifications to the account holder until the individual inadvertently grants approval for the login attempt.

After gaining access, instead of employing conspicuous malware that could lead to detection, they opt for a patient approach and rely on remote management tools to sustain continuous access without drawing attention. By focusing on the remote management tools, they are able to monitor, analyze, and access the company’s computers, devices, IT infrastructure, and systems. This approach renders Scattered Spider highly dangerous and, if undetected, the victim becomes exceptionally vulnerable to complete exploitation, as was the case with MGM.

Stages of the Attack:

There are two main stages for this attack to be successful:

1. The Intrusion.

The primary objective at this stage is to acquire user credentials to secure access to the targeted system.

2. Remaining in System. 

The key objective in this stage is to sustain access within a system, all while discreetly navigating the process of acquiring the desired access or information without detection.

Protection Measures

As with social engineering attacks, user training and awareness should be the initial line of defense. Nevertheless, it’s essential to recognize that relying solely on these types of training is not foolproof due to the inevitability of human errors. Therefore, it is strongly recommended to adopt a more controlled and proactive approach to security measures.

User Monitoring is a controlled practice of observing and tracking the activities, behaviors, and interactions of individuals using computer systems, networks, and digital resources within an organization. This includes:

User Activity Tracking. Monitoring tools record user actions, including login/logout times, file access, application usage, and data transfers. This data can help in understanding normal user behavior and identifying anomalies.

Access Control. User monitoring is often used to manage and control access to sensitive data and resources. It ensures that users are granted appropriate permissions and access levels based on their roles and responsibilities.

Data Loss Prevention (DLP). User monitoring can be part of a DLP strategy by tracking the movement of sensitive data within an organization. It helps prevent data leaks or unauthorized sharing.
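
As an added example (not part of the original post) of the user activity tracking described above, this Python sketch flags the MFA fatigue pattern described earlier: a burst of push prompts that are denied or ignored, followed by an approval. The log format, field names, window, and threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (assumed format, not from any real product):
# timestamp, user, push-MFA result, source IP of the login attempt.
SAMPLE_LOG = """\
2024-01-15T02:14:05Z user=jdoe mfa=push result=denied src=203.0.113.7
2024-01-15T02:14:40Z user=jdoe mfa=push result=timeout src=203.0.113.7
2024-01-15T02:15:10Z user=jdoe mfa=push result=denied src=203.0.113.7
2024-01-15T02:15:55Z user=jdoe mfa=push result=denied src=203.0.113.7
2024-01-15T02:16:30Z user=jdoe mfa=push result=timeout src=203.0.113.7
2024-01-15T02:17:02Z user=jdoe mfa=push result=denied src=203.0.113.7
2024-01-15T02:17:45Z user=jdoe mfa=push result=approved src=203.0.113.7
2024-01-15T09:01:12Z user=asmith mfa=push result=approved src=198.51.100.20
2024-01-15T11:00:00Z user=bkhan mfa=push result=denied src=192.0.2.44
2024-01-15T11:30:00Z user=bkhan mfa=push result=denied src=192.0.2.44
2024-01-15T11:30:20Z user=bkhan mfa=push result=approved src=192.0.2.44
this line is truncated or malformed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) mfa=push "
    r"result=(?P<result>approved|denied|timeout) src=(?P<src>\S+)$"
)
WINDOW = timedelta(minutes=10)   # assumed look-back window
THRESHOLD = 5                    # assumed number of unapproved prompts


@dataclass(frozen=True)
class Alert:
    user: str
    kind: str          # "prompt_burst" or "approved_after_burst"
    when: datetime
    prompts: int       # unapproved prompts inside the window
    sources: tuple     # source IPs seen in the burst


def parse(log_text):
    """Return (events sorted by time, count of lines that did not parse)."""
    events, rejected = [], 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            rejected += 1   # keep a count: silent drops hide logging gaps
            continue
        try:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            rejected += 1
            continue
        events.append((ts, m["user"], m["result"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events, rejected


def detect(events, window=WINDOW, threshold=THRESHOLD):
    """Flag prompt bursts, and approvals that arrive right after a burst."""
    recent = defaultdict(deque)   # user -> (ts, src) of unapproved prompts
    in_burst = set()              # users already alerted for the current burst
    alerts = []
    for ts, user, result, src in events:
        q = recent[user]
        while q and ts - q[0][0] > window:   # drop prompts outside the window
            q.popleft()
        if len(q) < threshold:
            in_burst.discard(user)
        if result == "approved":
            if len(q) >= threshold:
                srcs = tuple(sorted({s for _, s in q} | {src}))
                alerts.append(Alert(user, "approved_after_burst", ts, len(q), srcs))
            q.clear()
            in_burst.discard(user)
            continue
        q.append((ts, src))
        if len(q) >= threshold and user not in in_burst:
            in_burst.add(user)
            srcs = tuple(sorted({s for _, s in q}))
            alerts.append(Alert(user, "prompt_burst", ts, len(q), srcs))
    return alerts


if __name__ == "__main__":
    parsed, bad = parse(SAMPLE_LOG)
    print(f"{len(parsed)} events parsed, {bad} rejected")
    for alert in detect(parsed):
        print(alert)
```

An "approved_after_burst" alert is the higher-priority signal, since it means a session was granted after the user was flooded with prompts; the sparse denials for the third sample user stay below the threshold and raise nothing.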

In today’s environment, Threat Actor Tracking has evolved into a critical necessity. This is due to the fact that cybercriminals are increasingly involved in a wider range of activities that have the potential to jeopardize the confidentiality, integrity, or availability of data and assets belonging to individuals, businesses, and governmental entities. The following steps should actively be taken to maximize cyber protection: 

Threat Actor Profiling. Proactive profiling of the threat actor, outlining their capabilities, resources, and historical activities. This profile can help in understanding the actor’s patterns and potential future actions.

Incident Investigation. If there is a specific incident or attack associated with the threat actor, conduct a detailed investigation to understand the attack vector, impact, and methods used. This may involve forensics analysis and incident response.

Behavior Analysis. Analyze the threat actor’s behavior over time to identify patterns, trends, and changes in their tactics, techniques, and procedures (TTPs). This can provide insights into their evolution and adaptation.

Technical Analysis. Study the technical aspects of the attacks, including malware analysis, network traffic analysis, and vulnerabilities exploited. This can reveal technical signatures associated with the threat actor.

Sharing Threat Intelligence. As mentioned in my previous post, Cybersecurity – A Pillar of Modern Business – According to the CISA, the information gathered through threat actor tracking can be shared with other organizations, government agencies, and the broader cybersecurity community. This collaborative approach enhances collective defenses and provides early warnings to potential targets.

Final Thoughts 

The attack strategies employed by Scattered Spider, such as SMS phishing, SIM swapping, and exploiting MFA fatigue, underscore the need for robust cybersecurity defenses. Their ability to infiltrate systems, impersonate employees, and use social engineering tactics demonstrates their evolving techniques.

To counter these threats, organizations must prioritize user training and awareness while recognizing the inherent risks of human error. A controlled and proactive approach to security measures is recommended. User monitoring, threat actor profiling, and the sharing of threat intelligence are essential components of a comprehensive cybersecurity strategy.

Threat actor tracking has become imperative in the contemporary digital landscape, given the expanding range of activities cybercriminals engage in to compromise data and assets. This proactive stance is critical to safeguarding digital environments against evolving threats like Scattered Spider and ensuring the integrity and security of sensitive data and assets.

 

Elevating Cybersecurity with NIST CSF 2.0

The Cybersecurity Framework (CSF) by the National Institute of Standards and Technology (NIST) is undergoing a significant update. Initially launched in 2014, the NIST CSF has become one of the most extensively used cybersecurity frameworks, helping organizations understand and control cybersecurity vulnerabilities. NIST has modernized its framework with the release of CSF 2.0 to harmonize with the latest trends and practices in cybersecurity.

Govern Pillar Update:

NIST CSF is known for the main five pillars of: Identify, Protect, Detect, Respond, and Recover. As a part of its 2.0 update, NIST is contemplating the integration of a sixth pillar, Govern. NIST’s intention behind introducing the Govern function is to highlight the importance of “organization’s cybersecurity risk management strategy, expectations, and policy”. [1] 

Initial thoughts on the Govern Pillar: 

The incorporation of the “Govern” function introduces a framework for structuring cybersecurity strategies that align directly with business objectives. Through the establishment of well-defined goals, objectives, and policies that govern the entirety of the cybersecurity program, a deliberate effort is made to ensure harmony with the organization’s overarching business goals. This inclusive approach integrates the business dimension, enabling businesses to proficiently manage risks in order to protect their assets, maintain their reputation, and sustain operations, even in the midst of constantly evolving threats. 

Within the CSF, I believe that the inclusion of the Govern pillar entails aligning cybersecurity strategic plans with business objectives through the following means:

Increased Accountability. By assigning roles and responsibilities across different levels, it designates accountability for decision-making, risk assessment, and compliance with cybersecurity policies and regulations.

Compliance. There is an alignment with incorporating relevant standards, regulations, and best practices to demonstrate compliance with legal and regulatory requirements. This allows organizations to maintain a consistent level of cybersecurity across the industry.

Incident Response. Enhancement of crisis management to ensure that the organization has a well-defined plan to minimize the impact of incidents and recover quickly.

Improvement. Govern embraces a culture of continuous improvement, with regular assessments, audits, and reviews to identify areas for enhancement and adjustment.

Risk Management. Organizations identify, assess, and prioritize cybersecurity risks based on their potential impact and likelihood, and then implement appropriate mitigation strategies.

Policy Incorporations. With defined policies, procedures, and controls, organizations can address specific risks in a manner consistent with industry best practices and regulatory requirements.

Resource allocation. Maintaining an organization that has the necessary tools and personnel to effectively manage cybersecurity risks.

Increased Communication. Embeds communication between technical and non-technical stakeholders to ensure cybersecurity matters are effectively communicated; therefore, relevant metrics and reports are provided to enable informed decision-making.

Overall Thoughts on the 2.0 Update 

The significance of updating the NIST CSF is rooted in its capacity to reflect the latest advancements in cybersecurity knowledge and practices. The CSF 2.0 update ensures that the framework remains an effective and relevant tool, providing organizations with current insights and strategies to safeguard against emerging threats, thus promoting heightened resilience and proactive cybersecurity measures.

There is an enhanced focus on supply chain risk, which is rooted in the critical role that supply chains play in today’s interconnected business environment. Addressing supply chain risk within the framework recognizes the potential vulnerabilities and threats that can emerge from third-party vendors and partners, and doing so can enhance organizational cybersecurity.

While the NIST CSF doesn’t have a direct focus on global political conflicts, its underlying principles and best practices play a substantial role in the overall cybersecurity readiness of both organizations and nations. The CSF’s importance lies in its emphasis on improving cybersecurity practices and resilience across sectors, including critical infrastructures, government entities, and private enterprises. This, in turn, enhances their ability to mitigate risks and respond effectively to cyber threats that might arise during times of international tensions.

NIST encourages feedback on the new CSF. Below were my submitted suggestions:

Section: Govern
Location: GV.OC-02: Internal and external stakeholders are determined, and their needs and expectations regarding cybersecurity risk management are understood
Suggestion: Wording changes to add clarity in identifying and defining stakeholders and expectations.
Proposed change: Internal and external stakeholders are identified, and their needs and expectations regarding cybersecurity risk management are defined.

Section: Govern
Location: GV.RM: The organization’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions (formerly ID.RM)
Suggestion: Assumptions should not be defined, rather expectations should be.
Proposed change: The organization’s priorities, constraints, risk tolerance and appetite statements, and expectations are established, communicated, and used to support operational risk decisions.

Section: Govern
Location: GV.RM-07: Strategic opportunities (i.e., positive risks) are identified and included in organizational cybersecurity risk discussions
Suggestion: The term positive risks does not need to be defined, it creates a detraction of importance with other strategic opportunities.

Section: Govern
Location: GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
Suggestion: Due diligence is vague, consider defining the expectations for this.

Section: Govern
Location: GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
Suggestion: Consider expanding plans to include all stages of partnership not just after events.

Section: Govern
Location: GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced (formerly ID.AM-06, ID.GV-02, DE.DP-01)
Suggestion: Should include roles and responsibilities being continuously reviewed against the organization’s focus.

Section: Govern
Location: GV.RR-03: Adequate resources are allocated commensurate with cybersecurity risk strategy, roles and responsibilities, and policies
Suggestion: Stating “adequate” resources is unnecessary when adequate is not defined.

Section: Identify
Location: ID.AM-01 / ID.AM-02
  ID.AM-01: Inventories of hardware managed by the organization are maintained
  ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained
Suggestion: Consider being inclusive of all assets managed outside the organization, while impacting the organization.

Section: Identify
Location: ID.AM-03: Representations of the organization’s authorized network communication and internal and external network data flows are maintained (formerly ID.AM-03, DE.AE-01)
Suggestion: The organization’s approved network communication should encompass both internal and external channels. Avoiding the separation of network data flows based on the type of communication is recommended.

Section: Identify
Location: ID.AM-04: Inventories of services provided by suppliers are maintained
Suggestion: Services and assets should be included for inventories.

Section: Identify
Location: ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained
Suggestion: Does the inclusion of metadata data include the logs designated to the data types?

Section: Identify
Location: ID.RA-01 / ID.RA-02
  ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded
  ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources
Suggestion: The categories should encompass the requirement not only to receive cyber threat intelligence but also to seamlessly integrate it into the organization’s risk management procedures. Additionally, the categories should outline actionable measures involving vulnerabilities in assets that need enhancement.

Section: Identify
Location: ID.RA-06: Risk responses are chosen from the available options, prioritized, planned, tracked, and communicated
Suggestion: Consider adding a section to address lessons learned from an incident to increase security.

Section: Identify
Location: ID.IM-04: Cybersecurity plans that affect operations are communicated, maintained, and improved (formerly PR.IP-09)
Suggestion: Expand to all cybersecurity plans, rather than those that only affect operations.

Section: Protect
Location: PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization (formerly PR.AC-01)
Suggestion: There should also be constant protection for identities and credentials of authorized users.
Proposed change: Identities and credentials for authorized users, services, and hardware are managed and protected by the organization.

Section: Protect
Location: Awareness and Training (PR.AT): The organization’s personnel are provided cybersecurity awareness and training so they can perform their cybersecurity-related tasks
Suggestion: Organization’s personnel impacting cybersecurity should have defined roles and expectations in order to impose training.

Section: Protect
Location: PR.DS-01 / PR.DS-02
  PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
  PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected
Suggestion: Consider moving PR.DS-10 under here for continuity as they are all correlated.

Section: Protect
Location: PR.DS-09: Data is managed throughout its life cycle, including destruction
Suggestion: Singling out “destruction” is too descriptive and should be addressed in implementation examples. Destruction is included in the life cycle already.

Section: Protect
Location: PR.DS-11: Backups of data are created, protected, maintained, and tested
Suggestion: Backups of data should also be verified. Consider incorporating “verified” into a category.

Section: Protect
Location: PR.PS-04: Log records are generated and made available for continuous monitoring
Suggestion: Log records that are generated should not only be used for continuous monitoring, but also for proactive change for strength of the framework.

Section: Protect
Location: PR.PS-05: Installation and execution of unauthorized software are prevented
Suggestion: For unauthorized software installation prevention – if software needs installation it is verified and added to the authorized list.

Section: Protect
Location: PR.IR-01: Networks and environments are protected from unauthorized logical access and usage
Suggestion: Networks and environments should also be continuously protected from unauthorized logical access and usage.

Section: Detect
Location: DE.AE-02: Potentially adverse events are analyzed to better understand associated activities
Suggestion: Adverse events narrows down the type of events that should be reviewed, when all impacting events should be reviewed.

Section: Detect
Location: DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis
Suggestion: As cyber threat intelligence and other contextual information are integrated into the analysis, there should also be a proactive step included for cybersecurity protection.

Section: Detect
Location: DE.CM-01: Networks and network services are monitored to find potentially adverse events
Suggestion: Not only to locate adverse events in the detect stage, but any event that may threaten the security of a system.

Section: Respond
Location: RS.AN-08: The incident’s magnitude is estimated and validated
Suggestion: Incidents are not validated, rather they are irradiated and addressed for impact.

Section: Recover
Location: RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration
Suggestion: Integrity of backups and other restoration assets should be verified before storage too.

 

Reference:

[1] National Institute of Standards and Technology. (2023). NIST Cybersecurity Framework 2.0 Core Discussion Draft [Draft]. https://www.nist.gov/system/files/documents/2023/04/24/NIST%20Cybersecurity%20Framework%202.0%20Core%20Discussion%20Draft%204-2023%20final.pdf

Cybersecurity – A Pillar of Modern Business – According to the CISA

Cybersecurity is no longer just an afterthought, but an integral pillar of modern business.

This shift is detailed in the newly updated Strategic Plan from the Cybersecurity and Infrastructure Security Agency (CISA).

In this post, we discuss how the plan is geared towards strengthening cybersecurity across diverse sectors, tackling immediate threats, elevating security measures, and expanding security on a larger scale. As CISA emphasizes cooperation, innovation, and the growth of a digital future, the plan charts a strategic path forward. Let’s talk about it! 

Who is the CISA?

CISA is a US government agency responsible for enhancing the cybersecurity and resilience of the nation’s critical infrastructure, creating a secure and reliable digital environment.

Their primary mission is to shield against cyber risks originating from both national and international origins, with the potential to disrupt critical infrastructure sectors like energy, healthcare, finance, transportation, and technology. The agency plays a critical role in protecting both government and private sector systems from cyberattacks, data breaches, and other cyber threats.

What is the importance of CISA’s newly updated Strategic Plan? 

This plan “is the agency’s first, comprehensive strategic plan since CISA was established in 2018”[1]. But why is it so important?

The plan was molded to fit with our nation’s heavy reliance on technology for vital services, making us vulnerable to malicious cyber actors. With the vulnerabilities of enterprises and technology products, there is always a risk of cyber threats. However, a solution exists. Changing the way technology products are designed, ensuring security controls are built-in, and swiftly detecting and mitigating incidents are key steps. The strategy highlights the importance of technical collaboration to further enhance security.

Main takeaways on the Strategic Plan

The Cybersecurity Strategic Plan outlines three goals [2]:

Goal 1 – Address Immediate Threats

The plan aims to make it harder for adversaries to target American networks. This involves gaining insight into intrusion attempts, disrupting threat actor campaigns, responding to breaches, and accelerating the fixing of vulnerabilities often exploited by attackers.

Goal 2 – Harden the Terrain

Efforts will be directed towards promoting and measuring the adoption of strong security practices. This includes offering actionable guidance to organizations, assisting them in prioritizing effective security investments, and evaluating progress in terms of security measures on both organizational and national levels.

Goal 3 – Drive Security at Scale

This goal emphasizes prioritizing cybersecurity as a core safety concern and encouraging technology providers to embed security throughout the lifecycle of their products. It also emphasizes building a diverse national cybersecurity workforce and harnessing the potential of technologies like artificial intelligence and quantum computing.

Comparison with NIST Cybersecurity Framework Core: 

Both the NIST Cybersecurity Framework Core and CISA’s Strategic Plan emphasize the importance of identifying and addressing vulnerabilities to enhance cybersecurity resilience. The NIST framework provides a structured framework for managing and mitigating cyber risks across various categories, while CISA’s plan outlines specific goals to address immediate threats, strengthen defenses, and drive security at scale.

Future Plans for CISA: 

The strategy’s initial focus is on enhancing core cybersecurity functions for maximum effectiveness [3]. Strengthening defense operations to swiftly identify, prevent, and address threats and vulnerabilities is a priority. However, this is just the beginning. The plan envisions a future where technology is intentionally designed, tested, and maintained to minimize exploitable flaws before entering the market. 

Takeaways on CISA’s Strategic Plan: 

The strategic plan highlights the importance of collaboration, innovation, and accountability. It emphasizes the necessity of strong cooperation among government, industry, security researchers, and the global community. The plan also recognizes that shared responsibility and coordinated accountability are essential for establishing cybersecurity as a fundamental business concern. 

There is an urgency to unite efforts, set priorities, and expedite actions, because adversaries are persistent. Therefore, the plan creates a necessary proactive strategy aimed to tackle modern cyber risks and shape a more resilient framework for the future.

What are your thoughts? 

 

References

  1. “CISA Strategic Plan.” Cybersecurity and Infrastructure Security Agency. Retrieved from https://www.cisa.gov/strategic-plan
  2. Cybersecurity and Infrastructure Security Agency. (2023). FY 2024-2026 Cybersecurity Strategic Plan. Retrieved from https://www.cisa.gov/sites/default/files/2023-08/FY2024-2026_Cybersecurity_Strategic_Plan.pdf
  3. “Cybersecurity Strategic Plan.” Cybersecurity and Infrastructure Security Agency. Retrieved from https://www.cisa.gov/cybersecurity-strategic-plan