JCDC Success Stories
In its short history, JCDC has unified cyber defense between industry and government to improve information sharing, planning efforts for large-scale cyber events, and collaboration on enhanced cyber threat guidance. This collaboration has allowed us to enhance the way government and industry work together to coordinate on cyber operations, ensuring that actions are informed and actionable. Examples include improving information sharing and threat mitigation, coordinating on cyber playbooks, expediting updates to the Known Exploited Vulnerabilities Catalog, as well as jointly developing alerts and advisories to better inform and protect the cyber community on cyber threats and vulnerabilities, threat actor tactics, and detection and mitigation guidance.
See below to learn about other notable examples of JCDC’s operational collaboration leading to real insight and action.
JCDC participants shared valuable feedback on CISA’s joint Secure by Design product, “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.” This collaborative product incorporated inputs from hundreds of JCDC participants, including individuals, companies, and trade associations, as well as participants who attended a JCDC focus group at DEFCON 2023. Initially published in April 2023, this product was one of 254 unique CISA products shared with JCDC participants and international partners in 2023.
In October 2023, CISA and 17 other U.S. and international organizations, including the Federal Bureau of Investigation (FBI) and National Security Agency (NSA), published an updated version, “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.” The updated version included contributions from multiple JCDC participants and emphasized the need to prioritize designing security measures during the initial development process of widely used software. JCDC participants, together with CISA, are actively involved in promoting a cultural shift within the industry to emphasize building robust technology products to reasonably protect against malicious cyber actors’ attempts at gaining access to devices, data, and connected infrastructure. This product is an example of JCDC’s dedication to joint enrichment and development of timely cybersecurity guides, advisories, and alerts to benefit cybersecurity experts, cybersecurity organizations, and the broader community.
Since July 2023, JCDC participants, including Mandiant, Shadowserver, GreyNoise, ZeroFox, and IBM Security X-Force, have provided continuous insight into post-exploitation activity of the NetScaler (formerly Citrix) Application Delivery Controller and NetScaler Gateway vulnerability (CVE-2023-3519).
Recognizing the importance of open multi-directional communication, CISA established real-time information sharing with industry partners possessing advanced insight into exploitation of the vulnerability. JCDC participants shared numerous detection methods; threat actor tactics, techniques, and procedures; and indicators of compromise. CISA then consolidated and shared those details with federal, state, local, tribal, and territorial governments, as well as international partners, to assist their response efforts.
As a result of the initial information-sharing efforts, many JCDC participants shared additional associated technical information that CISA was then able to amplify and enrich. CISA also used this information to update the Cybersecurity Advisory “Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells” with the new information to assist cyber defenders with detecting and responding to this malicious activity.
Between 2021 and 2022, CISA recognized an emerging Chinese APT campaign impacting state, local, tribal, and territorial (SLTT) partners, with the actors employing common tactics, techniques, and procedures. CISA collaborated with affected SLTT government organizations and JCDC members to better understand the nature of the activity and identify multiple zero-day vulnerabilities used as initial intrusion vectors. CISA also acted as a broker to share timely and actionable network defense information among JCDC members and SLTT governments. This broader perspective enabled multiple SLTT governments to locate and respond to associated intrusion activity while supporting JCDC members’ understanding of the same. Finally, CISA collaborated with SLTT organizations and JCDC members, including interagency partners, to develop two network defense advisories based on this activity and share them with JCDC members and SLTT partners.
With the approach of the 2022 midterm elections, JCDC has ramped up efforts to support the CISA elections security mission via a range of events, resources, and synchronized communications and operations for the duration of the election season. In August 2022, CISA worked with JCDC members to release a new toolkit of free services and tools to help enhance the cybersecurity and cyber resilience of U.S. election infrastructure. The toolkit includes free tools, services, and resources provided by CISA, JCDC members, and others across the cybersecurity community. The toolkit offers stakeholders—including state and local government officials, election officials, and vendors—resources to protect themselves against common cyber threats like phishing, ransomware, and distributed denial-of-service attacks.
In July 2022, JCDC coordinated the response to a high-visibility, high-priority international event: an intrusion into the network of the Albanian National Agency for Information Society (AKSHI), which is Albania’s national Computer Emergency Response Team (CERT). After learning of the compromise, JCDC engaged with AKSHI and U.S. federal partners to learn more about the incident and determine next steps. AKSHI shared indicators of compromise (IOCs) and malware samples with JCDC and granted JCDC permission to further share the IOCs and samples with trusted industry partners, including JCDC member companies. JCDC members, in turn, shared helpful analysis back with AKSHI. JCDC also connected Albania with partners at Twitter and Discord to remove content posted by the AKSHI network intruders from the social media platforms. This incident demonstrates the power of JCDC’s public-private partnerships model to provide a foreign government with quick and comprehensive expert analysis and incident response guidance.
Recognizing the need to further increase U.S. government focus on the cybersecurity and resilience of industrial control systems (ICS), CISA recently expanded JCDC to form JCDC-ICS. JCDC-ICS includes ICS industry experts, 10 new companies—including security vendors, integrators, and distributors—and two current JCDC partners with experience in ICS and operational technology (OT).
JCDC-ICS leverages the knowledge, visibility, and capabilities of the ICS community to build plans around the protection and defense of control systems; inform U.S. government guidance on ICS/OT cybersecurity; and contribute to operational fusion across private and public partners in the ICS/OT space.