January 22, 2024 by Rachel Lunt

Using the MITRE ATT&CK Framework to Strengthen Public Safety Cybersecurity

Like Like Views 2704 [analytify-stats metrics="ga:pageviews" permission_view=""]

Industries: 9-1-1 & Law Enforcement Fire & EMS

Topics: Cybersecurity

As cybercrime against public safety agencies continues to rise, it is more important than ever not only to take steps to defend your agency but also to understand how threat actors are operating. The Public Safety Threat Alliance (PSTA) recently published a report on the most common threats impacting public safety, top tradecraft used against public safety networks, and the most beneficial defensive measures agencies can take. This blog also shares how Here are some highlights from the report, which is now available to PSTA members.

2023 Threat Landscape Overview

Globally, cyber attacks against public safety increased by 64 percent in 2023, with the following countries and regions being significantly impacted:

  • Ransomware attacks on U.S. public safety organizations surged by 63% in 2023, driven by a 157% increase in the number of extortion groups conducting such attacks.
  • About half of attacks in the Asia-Pacific region specifically targeted government and military agencies.
  • Initial access brokers (IABs) were the number one threat to public safety in Latin America, making up 46 percent of cyber attacks.
  • 58 percent of all global hacktivist attacks impacted European nations (primarily due to the ongoing conflict in Russia and Ukraine).

Public safety compromises are at an all-time high. Extortion and Data theft attacks are frequently far-reaching and often disrupt mission-critical systems such as computer-aided dispatch (CAD), with examples of dispatchers forced to operate using pen and pencil as the result of attacks in 2023. The ever-growing threat of cyber attacks against public safety continues to show the importance of strengthening your organization’s cybersecurity program. A key way to prepare for these threats is to understand how threat actors operate, which tactics they prefer and how to avoid being vulnerable to those tactics. 

MITRE ATT&CK Framework Basics

The MITRE ATT&CK Framework is a knowledge base that uses real-world observations to define the tactics, techniques and procedures (TTPs) that threat actors use along the attack chain. The MITRE framework identifies over 800 TTPs, but the PSTA threat intelligence team observed threat actors employing only 21 percent of these TTPs against public safety organizations over the past 12 months. The PSTA has defined the top TTPs used against public safety agencies and how defenders can identify and block them. 

Credential Abuse

Credential abuse, or the use of valid accounts to gain access to networks, was the most common factor in public safety attacks this year. Threat actors use popular tools like Mimikatz to steal employee logins and access the network. Last year, 29 percent of threat actors used legitimate logins to access networks. 

Agencies can help to mitigate this risk by enforcing multi-factor authentication to prevent stolen logins from being used. Security teams should mandate regular password updates, ensuring they are changed from default settings.

Command and Scripting Interpreter

A popular attack method threat actors use is “living off the land,”, which is when attackers exploit systems and applications that are already on the network. With this particular type of TTP, attackers will often use existing command shells — a directive to a computer program to perform a specific task — to execute commands that allow them to install malware onto the network. 

Application code signing allows security teams to digitally sign commands to ensure that the code has not been altered or corrupted. Implementing this on your network is one way that you can prevent unwanted code execution. Defenders can also restrict the command shell language in use at the organization. Any command shells that are not necessary to your daily operations should be disabled.

Remote Desktop Protocol  

Remote Desktop Protocol (RDP) is the most commonly observed way that threat actors gain access to systems and then move deeper into the environment, known as lateral movement. Lateral movement and credential abuse often go hand in hand. Threat actors will use stolen or purchased credentials to log into numerous network points through RDP if enabled. 

RDP is not always necessary for day-to-day operations, so an easy way to mitigate the risk is to disable it within the network. If RDP is needed, agencies should monitor for anomalous logons and connections that can indicate that an outside party is using RDP to access your network, such as,

  • Windows event 4624 Logon Type 10, which only occurs when the system is being accessed through a separate system.
  • Connections over port 3389, which is used to facilitate RDP connections.
  • Newly created processes that create connections to RDP servers.

Public Facing Applications

Because threat actors are opportunistic, they will look to exploit networks that are easily accessible. Exploiting vulnerabilities is a top method that threat actors use to gain initial access to a system. Legacy systems that haven’t been updated typically have more vulnerable public-facing applications and are the number one target for these types of attacks. 

Agencies should ensure that all external-facing systems are routinely patched. Risks can also be mitigated by ensuring that systems connected to the internet are not exploitable via RDP or VPNs. If these services are crucial, then make sure that all security features are enabled.


The last few years have seen an ongoing increase in cyber attacks against public safety. New threat actors are consistently entering the landscape and adding new challenges and threats for public safety agencies to watch out for. Extortion remains the number one threat to public safety, but with the introduction of new threat actors, agencies need to be aware of other TTPs that are being used. The upward trend in cybercrime is expanding more globally as well. The continued and ever-growing threat of cybercrime enforces the need for a strong cybersecurity program. 

About the Public Safety Threat Alliance 

The Public Safety Threat Alliance (PSTA) is an information sharing and analysis organization (ISAO) established by Motorola Solutions and is recognized by the Cybersecurity and Infrastructure Security Agency (CISA). The PSTA regularly publishes research, such as the 2023 Public Safety Threat Report, shared with members. It also hosts regular webinars featuring our cybersecurity analysts and other experts. Joining the PSTA provides threat intelligence for member organizations at no cost.

Contact us to find out more about our solutions and services.

Contact Us

Leave a Comment