CISA releases Eviction Strategies Tool for cyber incident response
Summary
The Cybersecurity and Infrastructure Security Agency (CISA) has released the Eviction Strategies Tool, an open-source resource designed to aid cyber defenders in creating tailored response plans and eviction strategies for cyber incidents. This tool, developed in collaboration with MITRE, includes a database of post-compromise countermeasures and a web-based application to match incident findings with these countermeasures. It aims to help defenders systematically evict adversaries from compromised systems and networks. The tool supports the creation of customized playbooks and integrates with the MITRE ATT&CK framework, providing over 100 atomic actions for incident responders. It is available under the MIT Open Source License, encouraging public and private sector organizations to incorporate it into their incident response plans.
Timeline
- 30.07.2025 15:00 (1 article, about 1 month ago)
CISA releases Eviction Strategies Tool for cyber incident response
- Source: CISA Releases Open-Source Eviction Strategies Tool for Cyber Incident Response (www.cisa.gov, 30.07.2025 15:00)
Information Snippets
- The Eviction Strategies Tool includes COUN7ER, a database of atomic post-compromise countermeasures mapped to adversary tactics, techniques, and procedures (TTPs).
First reported: 30.07.2025 15:00 (1 source, 1 article)
- The tool features Cyber Eviction Strategies Playbook NextGen, a web-based application that matches incident findings with countermeasures from COUN7ER.
- The tool supports the creation of response plans based on MITRE ATT&CK or free text describing threat actor activities.
- The tool exports defensive measure options in various formats, including JSON, Microsoft Word, Excel, and Markdown.
- The tool builds on knowledge from the MITRE D3FEND and MITRE ATT&CK frameworks.
- The tool contains over 100 fully developed, researched, and curated atomic actions for incident responders.
- The tool is available under the MIT Open Source License, encouraging collaboration and development.
Similar Happenings
Chinese State-Sponsored Actors Targeting Global Critical Infrastructure
Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group, are conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. These actors exploit vulnerabilities in routers and other edge network devices used by telecommunications providers, ISPs, and other infrastructure operators. The campaign targets telecommunications, transportation, lodging, government, and military networks. The actors employ tactics to evade detection and maintain persistent access, posing a significant threat to national and economic security. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S.

The advisory details how state-backed threat actors, including Salt Typhoon, penetrate networks around the world and how defenders can protect their own environments. It attributes this cluster of activity to multiple APTs, though the cluster partially overlaps with Salt Typhoon. The advisory notes that the actors have had considerable success exploiting publicly known vulnerabilities, including Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks PAN-OS, and Cisco IOS XE vulnerabilities, and suspects that the APT actors may also target other devices, including Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, and SonicWall firewalls. The actors use multiple tactics to maintain persistence, including modifying Access Control Lists (ACLs), opening standard and non-standard ports, enabling SSH servers, and creating tunnels over protocols. They target protocols and infrastructure involved in authentication, such as Terminal Access Controller Access Control System Plus (TACACS+), to facilitate lateral movement across network devices.

The advisory provides actionable guidance to help organizations strengthen their defenses and protect critical systems, with extensive recommendations for mitigating these threats, including monitoring network device configuration changes, auditing network services and tunnels, and checking logs for integrity. It highlights a critical shift in Chinese state-sponsored activity from pure espionage to gaining long-term access for potential disruption.

Separately, 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, dating back to May 2020. The oldest domain identified is onlineeylity[.]com, registered on May 19, 2020. The domains were registered using Proton Mail email addresses and fake personas. They point to high-density and low-density IP addresses, with the earliest activity traced back to October 2021. The domains are linked to Chinese cyber espionage campaigns, with potential overlaps between Salt Typhoon and UNC4841.
Citrix NetScaler ADC and Gateway vulnerabilities patched and actively exploited in the wild
Citrix has released patches for three vulnerabilities in NetScaler ADC and NetScaler Gateway. One of these vulnerabilities, CVE-2025-7775, is actively exploited in the wild. The flaws include memory overflow vulnerabilities and improper access control issues. The vulnerabilities affect specific configurations of NetScaler ADC and NetScaler Gateway, including unsupported, end-of-life versions. Citrix has confirmed active exploitation of CVE-2025-7775, which can lead to remote code execution or denial-of-service. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-7775 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to remediate within 48 hours. Nearly 20% of NetScaler assets identified are on unsupported, end-of-life versions, with a significant concentration in North America and the APAC region. CISA lists 10 NetScaler flaws in its KEV catalog, with six discovered in the last two years. Threat actors are using HexStrike AI, an AI-driven security platform, to exploit the Citrix vulnerabilities, significantly reducing the time between disclosure and mass exploitation. HexStrike-AI was created by cybersecurity researcher Muhammad Osama and has been open-source and available on GitHub for the last month, where it has already garnered 1,800 stars and over 400 forks.
Static Tundra Exploits Cisco IOS Flaw for Cyber Espionage
The Russian state-sponsored cyber espionage group Static Tundra, also known as Berserk Bear, Blue Kraken, Castle, Crouching Yeti, Dragonfly, Ghost Blizzard, and Koala Team, has been actively exploiting a seven-year-old vulnerability in Cisco IOS and Cisco IOS XE software to gain persistent access to target networks. The attacks target organizations in the telecommunications, higher education, and manufacturing sectors across North America, Asia, Africa, and Europe. The vulnerability, CVE-2018-0171, allows unauthenticated, remote attackers to execute arbitrary code or trigger a denial-of-service condition. The group, linked to the FSB's Center 16 unit, focuses on long-term intelligence gathering operations.

The FBI and Cisco Talos have issued advisories warning about the ongoing exploitation of CVE-2018-0171 by Static Tundra. The FBI has observed FSB cyber actors exploiting SNMP and end-of-life networking devices running the unpatched vulnerability to target entities in the United States and globally. The attackers collect configuration files for thousands of networking devices and modify them to facilitate unauthorized access. They use custom tools like SYNful Knock to maintain persistence within victim networks. Static Tundra uses publicly available scan data to identify systems of interest and sets up GRE tunnels to redirect traffic to attacker-controlled infrastructure. The group's activities are primarily focused on unpatched, end-of-life network devices to establish access on primary targets and facilitate secondary operations.

The ongoing campaign highlights the importance of maintaining a current inventory of network infrastructure and prioritizing patching for end-of-life devices. The FBI has also warned about the group targeting US state, local, territorial, and tribal (SLTT) government organizations and aviation entities over the last decade. The U.S. Department of State is offering up to $10 million for information on three FSB officers involved in cyberattacks targeting U.S. critical infrastructure.