NSA’S Top Ten Cybersecurity Mitigation Strategies
NSA’s Top Ten Mitigation Strategies counter a broad range of exploitation techniques used by Advanced
Persistent Threat (APT) actors. NSA’s mitigations set priorities for enterprise organizations to minimize mission impact.
The mitigations also build upon the NIST Cybersecurity Framework functions to manage cybersecurity risk and promote a
defense-in-depth security posture. The mitigation strategies are ranked by effectiveness against known APT tactics.
Additional strategies and best practices will be required to mitigate the occurrence of new tactics.
1. Update and Upgrade Software Immediately
Apply all available software updates, automate the process to the extent possible, and use an update service
provided directly from the vendor. Automation is necessary because threat actors study patches and create exploits,
often soon after a patch is released. These “N-day” exploits can be as damaging as a zero-day. Vendor updates must
also be authentic; updates are typically signed and delivered over protected links to assure the integrity of the content.
Without rapid and thorough patch application, threat actors can operate inside a defender’s patch cycle.
2. Defend Privileges and Accounts
Assign privileges based on risk exposure and as required to maintain operations. Use a Privileged Access
Management (PAM) solution to automate credential management and fine-grained access control. Another way to
manage privilege is through tiered administrative access in which each higher tier provides additional access, but is
limited to fewer personnel. Create procedures to securely reset credentials (e.g., passwords, tokens, tickets). Privileged
accounts and services must be controlled because threat actors continue to target administrator credentials to access
high-value assets, and to move laterally through the network.
3. Enforce Signed Software Execution Policies
Use a modern operating system that enforces signed software execution policies for scripts, executables, device
drivers, and system firmware. Maintain a list of trusted certificates to prevent and detect the use and injection of
illegitimate executables. Execution policies, when used in conjunction with a secure boot capability, can assure system
integrity. Application Whitelisting should be used with signed software execution policies to provide greater control.
Allowing unsigned software enables threat actors to gain a foothold and establish persistence through embedded
4. Exercise a System Recovery Plan
Create, review, and exercise a system recovery plan to ensure the restoration of data as part of a comprehensive
disaster recovery strategy. The plan must protect critical data, configurations, and logs to ensure continuity of operations
due to unexpected events. For additional protection, backups should be encrypted, stored offsite, offline when possible,
and support complete recovery and reconstitution of systems and devices. Perform periodic testing and evaluate the
backup plan. Update the plan as necessary to accommodate the ever-changing network environment. A recovery plan is
a necessary mitigation for natural disasters as well as malicious threats including ransomware.
5. Actively Manage Systems and Configurations
Take inventory of network devices and software. Remove unwanted, unneeded or unexpected hardware and
software from the network. Starting from a known baseline reduces the attack surface and establishes control of the
operational environment. Thereafter, actively manage devices, applications, operating systems, and security
configurations. Active enterprise management ensures that systems can adapt to dynamic threat environments while
scaling and streamlining administrative operations.
6. Continuously Hunt for Network Intrusions
Take proactive steps to detect, contain, and remove any malicious presence within the network. Enterprise
organizations should assume that a compromise has taken place and use dedicated teams to continuously seek out,
contain, and remove threat actors within the network. Passive detection mechanisms, such as logs, Security Information
and Event Management (SIEM) products, Endpoint Detection and Response (EDR) solutions, and other data analytic
capabilities are invaluable tools to find malicious or anomalous behaviors. Active pursuits should also include hunt
operations and penetration testing using well documented incident response procedures to address any discovered
breaches in security. Establishing proactive steps will transition the organization beyond basic detection methods,
enabling real-time threat detection and remediation using a continuous monitoring and mitigation strategy.
7. Leverage Modern Hardware Security Features
Use hardware security features like Unified Extensible Firmware Interface (UEFI) Secure Boot, Trusted Platform
Module (TPM), and hardware virtualization. Schedule older devices for a hardware refresh. Modern hardware features
increase the integrity of the boot process, provide system attestation, and support features for high-risk application
containment. Using a modern operating system on outdated hardware results in a reduced ability to protect the system,
critical data, and user credentials from threat actors.
8. Segregate Networks Using Application-Aware Defenses
Segregate critical networks and services. Deploy application-aware network defenses to block improperly formed
traffic and restrict content, according to policy and legal authorizations. Traditional intrusion detection based on known-
bad signatures is quickly decreasing in effectiveness due to encryption and obfuscation techniques. Threat actors hide
malicious actions and remove data over common protocols, making the need for sophisticated, application-aware
defensive mechanisms critical for modern network defenses.
9. Integrate Threat Reputation Services
Leverage multi-sourced threat reputation services for files, DNS, URLs, IPs, and email addresses. Reputation
services assist in the detection and prevention of malicious events and allow for rapid global responses to threats, a
reduction of exposure from known threats, and provide access to a much larger threat analysis and tipping capability than
an organization can provide on its own. Emerging threats, whether targeted or global campaigns, occur faster than most
organizations can handle, resulting in poor coverage of new threats. Multi-source reputation and information sharing
services can provide a more timely and effective security posture against dynamic threat actors.
10. Transition to Multi-Factor Authentication
Prioritize protection for accounts with elevated privileges, remote access, and/or used on high value assets.
Physical token-based authentication systems should be used to supplement knowledge-based factors such as passwords
and PINs. Organizations should migrate away from single factor authentication, such as password-based systems, which
are subject to poor user choices and susceptible to credential theft, forgery, and reuse across multiple systems.