FBI launches cyber resilience push with 10 defensive actions

The bureau is urging organizations to adopt practical security measures based on recent intrusion patterns.

What happened

The Federal Bureau of Investigation has launched a new initiative, Operation Winter SHIELD, directed at strengthening cyber resilience across industry, government, and infrastructure. The campaign aligns with the National Cyber Strategy and the FBI Cyber Strategy, which frame public and private organizations as shared partners in identifying and disrupting cyber threats. As part of the rollout, the FBI issued ten recommended actions designed to address security gaps frequently observed during cyber incident investigations and to reduce opportunities for exploitation.

Going deeper

Operation Winter SHIELD focuses on measures that the FBI says have the greatest impact on preventing intrusions or limiting damage when attacks succeed. The recommendations are rooted in patterns seen during investigations, including credential theft, exploitation of unpatched systems, misuse of administrative access, and poor visibility due to missing or deleted logs. The guidance applies to both information technology and operational technology environments and focuses on reducing exposure rather than relying on single-point controls. The FBI said it will publish additional details on each recommendation over the coming weeks to help organizations prioritize implementation based on risk and operational maturity.

What was said

The FBI said Operation Winter SHIELD “distills the FBI’s 10 most impactful actions organizations can take to improve resilience against cyber intrusions.” The bureau noted the guidance was developed with domestic and international partners and “draws on recent investigations to reflect adversary behavior and defensive gaps.”

The document states that many intrusions succeed because “adversaries often exploit known vulnerabilities that remain unaddressed,” and because “many breaches start with stolen passwords,” a pattern frequently linked to phishing and credential theft.

On recovery planning, the FBI warned that “backups are routinely targeted early in intrusions,” and said resilience depends on isolation and verification. The guidance advises organizations to “maintain offline, immutable backups and test restoration” as a standard practice.

The handout also addresses incident response readiness, stating that “practiced organizations respond faster, contain more effectively, and reduce impact,” and advising organizations to “exercise your incident response plan with stakeholders,” including leadership teams and law enforcement contacts.

In the know

The FBI’s cyber resilience push comes alongside several recent enforcement and warning actions. Earlier this year, the Federal Bureau of Investigation seized the RAMP cybercrime forum, a platform used by ransomware groups and access brokers to buy and sell stolen credentials and network access. The bureau has also issued fresh warnings about account takeover scams and phishing campaigns, including fake websites posing as the FBI’s IC3 reporting portal. Taken together, these moves show the FBI pairing disruption efforts with practical guidance directed at stopping attacks earlier in the cycle.

The big picture

CISA’s 2024 Year in Review shows that federal incident response teams continue to run into the same weaknesses during investigations, even as cyber activity increases. The agency said many of the cases it supported involved long-standing issues rather than new attack techniques, with outcomes shaped by how well organizations handled access controls, system visibility, and recovery once an intrusion occurred.

Those findings line up with the focus of the FBI’s Operation Winter SHIELD campaign. Rather than centering on new threat trends, the bureau’s guidance concentrates on controls it repeatedly finds missing or poorly implemented during investigations. Together, the documents point to a common government view that resilience depends less on stopping every intrusion and more on limiting how much damage occurs after access is gained.

FAQs

What is Operation Winter SHIELD?

It is an FBI-led initiative designed to improve cyber resilience by promoting practical security actions based on real-world intrusion investigations.

Who should follow the FBI’s recommendations?

The guidance applies to private companies, government agencies, and operators of infrastructure, regardless of size or sector.

Why does the FBI focus so heavily on phishing and credentials?

Credential theft remains one of the most common entry points for attackers and often enables rapid escalation once access is gained.

Are the ten actions mandatory?

No. The recommendations are advisory, but they reflect controls the FBI frequently finds missing or weak during investigations.

What should organizations do first?

They should assess which recommendations address their highest risk areas, confirm visibility into internet-facing systems, and ensure recovery plans are tested and understood across teams.
