Winter SHIELD’s purpose is straightforward:
Help organizations understand what attackers target and provide a clear, realistic roadmap to reduce risk.
Cyber threats continue to evolve at a pace that challenges even the most mature organizations. In response, the FBI has launched Operation Winter SHIELD (Securing Homeland Infrastructure by Enhancing Layered Defense), a set of the 10 most impactful actions organizations can take right now to strengthen their security posture.
Developed with input from domestic and international partners, Winter SHIELD draws on lessons learned from recent investigations, covering both adversary behavior and common defensive gaps. These recommendations support the goals outlined in the National Cyber Strategy and the FBI Cyber Strategy, emphasizing that industry is not a passive victim of cybercrime but an essential ally in defending the nation’s digital infrastructure.
By strengthening everyday practices across both information technology (IT) and operational technology (OT), Winter SHIELD aims to harden infrastructure and reduce exposure across the public and private sectors.
Winter SHIELD: 10 Actions to Improve Cyber Resilience
Below is a breakdown of the FBI’s recommended steps and why each one matters.
- Adopt phish-resistant authentication
Why it matters:
Password theft continues to be one of the most common paths into a network. Phish-resistant authentication methods like FIDO2 keys make it much harder for attackers to gain access.
- Implement a risk-based vulnerability management program
Why it matters:
Many breaches occur because known vulnerabilities remain unpatched. Clear ownership, defined remediation timelines, and strong processes reduce this risk dramatically.
- Track and retire end‑of‑life technology on a defined schedule
Why it matters:
Unsupported systems no longer receive security updates and become predictable targets for attackers.
- Manage third‑party risk
Why it matters:
Your security perimeter is only as strong as the vendors and partners who have access to your environment. Attackers often look for the weakest link.
- Protect security logs and preserve them for an appropriate time period
Why it matters:
Logs are often the first thing adversaries try to delete. Preserved logs are crucial for detection, response, and investigation.
- Maintain offline, immutable backups and test restoration
Why it matters:
Attackers frequently target backups early in an intrusion. Offline, unalterable backups and regular testing ensure resilience.
- Identify, inventory, and protect internet‑facing systems and services
Why it matters:
Unnecessary exposure creates low‑effort entry points attackers can quickly exploit.
- Strengthen email authentication and malicious content protections
Why it matters:
Email remains the number‑one entry point for intrusions and fraud. Better controls sharply reduce the risk.
- Reduce administrator privileges
Why it matters:
Wide, persistent admin access makes it easier for attackers to escalate privileges and move quickly through a network.
- Exercise your incident response plan with all stakeholders
Why it matters:
Organizations that practice response perform better when it matters, reducing downtime, cost, and overall impact.
A Shared Mission
Operation Winter SHIELD underscores a critical message: cybersecurity is a team effort. By following this roadmap, organizations can make meaningful progress toward stronger defenses and play an active role in helping protect the nation’s digital infrastructure.






