Cyber Resilience Campaign

Operation Winter SHIELD

Brett Leatherman, assistant director of the FBI's Cyber Division, introduces Operation Winter SHIELD, a cyber resilience campaign that positions industry as critical allies alongside the FBI and our partners in detecting, confronting, and dismantling cyber threats.


Operation Winter SHIELD (Securing Homeland Infrastructure by Enhancing Layered Defense) distills the FBI’s 10 most impactful actions organizations can take to improve resilience against cyber intrusions. These recommendations were developed with domestic and international partners and draw on recent investigations to reflect adversary behavior and defensive gaps.

This campaign ties directly to the National Cyber Strategy and the FBI Cyber Strategy and positions industry not as passive victims or recipients of intelligence but as critical allies alongside the FBI and our partners in detecting, confronting, and dismantling cyber threats.

Winter SHIELD provides industry with a practical roadmap to better secure information technology (IT) and operational technology (OT) environments, hardening the nation’s digital infrastructure and reducing the attack surface.

Our goal is simple: to move the needle on resilience across industry by helping organizations understand where adversaries are focused and what concrete steps they can take now (and build toward in the future) to make exploitation harder.

Roadmap to increased cyber resilience

Adopt phish-resistant authentication

Why: Many breaches start with stolen passwords. Phish-resistant methods make it significantly harder for attackers to gain access.

Learn more: Scattered Spider; North Korea Social Engineering Attacks; Implementing Phish-Resistant MFA; Cybersecurity Performance Goal 1.0-3.F: Implement MFA; Malware, Phishing, and Ransomware; Russian GRU Targeting Western Logistics Entities and Technology Companies

Implement a risk-based vulnerability management program

Why: Adversaries often exploit known vulnerabilities that remain unaddressed due to a lack of ownership, an undefined mitigation process, and unclear deadlines for resolution.

Learn more: Creating and Maintaining a Definitive View of your OT Architecture; Cyber Hygiene Services; Cybersecurity Performance Goal 2.0-2.B: Mitigate Known Vulnerabilities

Track and retire end-of-life technology on a defined schedule

Why: End-of-life systems no longer receive security updates and, as a result, are routinely targeted.

Learn more: Reducing the Attack Surface for End-of-Support Devices; Cyber Criminal Proxy Services Exploiting End of Life Routers; Cyber Criminal Services Target End-of-Life Routers to Launch Attacks and Hide Their Activities; Russian Government Cyber Actors Targeting Networking Devices; PRC-Linked Actors Compromise Routers and IoT Devices for Botnet Operations; Enhanced Visibility and Hardening Guidance for Communications Infrastructure

Manage third-party risk

Why: An organization’s security extends only as far as its least-protected vendor with network or data access. Adversaries often exploit these gaps to bypass stronger defenses.

Learn more: Ransomware Actors Continue to Gain Access through Third Parties and Legitimate System Tools; Secure by Design; Software Bill of Materials; #StopRansomware: Medusa; Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion

Protect security logs and preserve them for an appropriate time period

Why: Reliable, preserved logs are essential for detection, response, and attribution. Adversaries often attempt to erase them.

Learn more: PRC State-Sponsored Cyber Actor Living off the Land to Evade Detection; Cybersecurity Performance Goal 2.0-3.Q: Maintain Log Collection & Storage; Logging Made Easy
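One way to make log erasure detectable, as an added example for the item above (this is illustrative code, not FBI code): each record carries a SHA-256 over the previous record's hash and its own text, and the newest hash is copied to a store the log host cannot rewrite (a write-once bucket or a separate collector; the "anchor" below stands in for that store). Editing an entry breaks the chain at that point, and deleting the newest entries leaves the chain ending somewhere other than the anchored hash. The event lines are constructed sample data.

```python
"""Tamper-evident log chain: detect modified or erased log entries.

Added example for the Winter SHIELD item on protecting security logs; it is
not FBI code. Assumes the latest hash ("anchor") is forwarded to a location
the log host cannot alter, e.g. a write-once store or a separate collector.
"""
import hashlib

GENESIS = "0" * 64  # hash "before" the first entry

# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    "2026-01-12T08:01:03Z auth LOGIN SUCCESS user=alice src=10.0.4.7",
    "2026-01-12T08:01:41Z auth LOGIN FAILURE user=admin src=198.51.100.23",
    "2026-01-12T08:02:15Z auth LOGIN SUCCESS user=admin src=198.51.100.23",
    "2026-01-12T08:03:02Z sys SERVICE_INSTALL name=updater user=admin",
]


def _link_hash(prev_hash: str, entry: str) -> str:
    """Hash of this entry bound to the hash of the entry before it."""
    return hashlib.sha256((prev_hash + "\n" + entry).encode()).hexdigest()


def append_entry(chain: list, entry: str) -> str:
    """Append an entry and return its hash (the value to anchor off-host)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = _link_hash(prev, entry)
    chain.append({"entry": entry, "hash": digest})
    return digest


def verify_chain(chain: list, anchor: str) -> tuple:
    """Return (ok, message). `anchor` is the newest hash held off-host."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["hash"] != _link_hash(prev, rec["entry"]):
            return False, f"entry {i} modified or out of order"
        prev = rec["hash"]
    if prev != anchor:
        return False, "chain does not end at the anchored hash: newest entries erased or anchor stale"
    return True, "chain intact"


def demo() -> dict:
    """Build a chain from the sample events and show both failure modes."""
    chain = []
    anchor = GENESIS
    for line in SAMPLE_EVENTS:
        anchor = append_entry(chain, line)  # anchor = copy kept off-host
    results = {"intact": verify_chain(chain, anchor)[0]}

    # Case 1: an in-place edit that turns a failed login into a success.
    edited = [dict(r) for r in chain]
    edited[1]["entry"] = edited[1]["entry"].replace("FAILURE", "SUCCESS")
    results["edited"] = verify_chain(edited, anchor)

    # Case 2: the two newest entries are deleted to hide the service install.
    truncated = chain[:-2]
    results["truncated"] = verify_chain(truncated, anchor)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The chain alone catches edits and reordering; the off-host anchor is what catches truncation, which is why retention and protection belong together. Forwarding every record, not just the hash, to the collector gives the same property plus a copy to restore from.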

Maintain offline immutable backups and test restoration

Why: Backups are routinely targeted early in intrusions; resilience depends on isolation and tested recovery.

Learn more: #StopRansomware: Akira; Cybersecurity Performance Goal 2.0-3.O: Maintain System Backups & Restoration Ability

Identify, inventory, and protect internet-facing systems and services

Why: Unnecessary exposure creates low-effort entry points for attackers.

Learn more: Primary Mitigations to Reduce Cyber Threats to Operational Technology; Foundations for OT Cybersecurity; #StopRansomware; Cybersecurity Performance Goal 2.0-2.A: Manage Organizational Assets; IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors; Iran-based Cyber Actors Enabling Ransomware Attacks on U.S. Organizations; Pro-Russia Hacktivists Conduct Opportunistic Attacks Against U.S. and Global Critical Infrastructure

Strengthen email authentication and malicious content protections

Why: Email remains a favored initial access vector for intrusions and fraud.

Learn more: Phishing Guidance: Stopping the Attack Cycle at Phase One; North Korean Actors Exploit Weak DMARC Security Policies; Iranian Cyber Actors Targeting Personal Accounts to Support Operations; Silent Ransom Group Targeting Law Firms; Cybersecurity Performance Goal 2.0-3.L: Enable Email Security; Cybersecurity Best Practices
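A concrete check for the weak-DMARC problem cited above, as an added example that is not part of the campaign material: the function parses a domain's DMARC TXT record and reports the settings that leave spoofed mail unblocked (no record, p=none, a weaker subdomain policy, partial enforcement via pct, no aggregate reporting address). The domains and records are constructed sample data; a real deployment would fetch the record from `_dmarc.<domain>` with a DNS library.

```python
"""Flag weak DMARC policies.

Added example for the Winter SHIELD item on email authentication; it is not
FBI code. Records below are constructed samples, not real domains.
"""

SAMPLE_RECORDS = {
    "example-none.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-none.test",
    "example-partial.test": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "example-strict.test": (
        "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example-strict.test; "
        "ruf=mailto:forensic@example-strict.test; adkim=s; aspf=s"
    ),
    "example-missing.test": "",  # no _dmarc TXT record published
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings for one record; an empty list means no weakness found."""
    if not record:
        return ["no DMARC record published: receivers have no policy to apply to spoofed mail"]
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("missing or invalid 'v=DMARC1' tag: receivers ignore the record")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' tag: receivers ignore the record")
    elif policy == "none":
        findings.append("p=none: receivers are asked only to report, not to block spoofed mail")
    # sp defaults to p; an explicit weaker sp leaves every subdomain spoofable.
    sub_policy = tags.get("sp", policy).lower()
    if policy in ("quarantine", "reject") and sub_policy == "none":
        findings.append("sp=none: subdomains can be spoofed although the organizational domain is protected")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct is not an integer: enforcement level is undefined")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing messages")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports are not collected, so abuse goes unseen")
    return findings


def assess_all(records: dict) -> dict:
    """Map each domain to its findings."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, findings in assess_all(SAMPLE_RECORDS).items():
        print(domain, "->", findings or ["ok"])
```

The check is deliberately conservative: p=none is reported as a weakness even though it is the normal starting point of a rollout, because a domain left there indefinitely is exactly what the advisory above describes.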

Reduce administrator privileges

Why: Broad, persistent administrative access enables rapid escalation when credentials are compromised.

Learn more: Product Security Bad Practices; The Com; Scattered Spider; Cybersecurity Performance Goal 2.0-3.G: Administrators Maintain Separate User and Privileged Accounts; #StopRansomware: Akira; Areas for Cyber Hygiene Improvement: Critical Infrastructure

Exercise your incident response plan with all stakeholders

Why: Practiced organizations respond faster, contain more effectively, and reduce impact.

Learn more: Partner with FBI Cyber; Incident Response Training; AI Data Security: Best Practices for Securing Data Used to Train and Operate AI Systems

Key Cyber Defenses (Infographic)

Resources

No single entity can address the range of cyber threats alone. Partnering with your local FBI field office should be one of your business priorities. Visit www.fbi.gov/cyber/partnerships to learn more.

Throughout the campaign, information, products, and videos will be amplified on this page and via our social media channels. Follow FBI Cyber on LinkedIn and X to stay informed.

FBI Cyber’s Ahead of the Threat podcast features clear, usable insights from leaders across government and industry. Season 1 brought together senior leaders from industry to discuss emerging cyber threats and the enduring importance of cybersecurity fundamentals. Season 2 continues this work with new leaders and topics.

Your FBI: Cyber - Business Defense

March 6, 2026

FBI Cyber Division Assistant Director Brett Leatherman hosts a roundtable discussion on Operation Winter SHIELD and the FBI's efforts to protect the homeland.
