CISA’s New Guidance on Bulletproof Hosting: Why It Matters and What Comes Next


The Cybersecurity and Infrastructure Security Agency (CISA) is the U.S. government agency responsible for protecting the nation’s critical infrastructure from cyber and physical threats. CISA works with public and private sector partners to improve resilience, share threat intelligence, and coordinate national-level cyber defense efforts.

As part of this collaboration, Silent Push contributed research and insights that helped inform CISA’s latest publication, Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers. CISA, working with the NSA, FBI, DoD Cyber Crime Center, and several international cyber agencies, developed this guidance to address one of the most persistent enablers of cybercrime: Bulletproof hosting providers, which intentionally lease infrastructure to malicious actors.

Why CISA’s Guidance Matters

CISA’s report highlights a core industry challenge. Systems that are unprotected or misconfigured increase the opportunity for threat actors to operate at scale. Bulletproof hosting infrastructure often blends into the broader internet, making it difficult for organizations to detect and contain.

CISA and its partners are encouraging Internet Service Providers (ISPs) and network defenders to adopt more proactive strategies for reducing the effectiveness of this infrastructure. Their recommendations include:

  • Curating high-confidence lists of malicious internet resources
  • Applying filters and blocking actions based on these lists
  • Improving visibility into hosting infrastructure that repeatedly supports criminal operations
  • Limiting the freedom of Bulletproof hosting providers to keep malicious resources online

The guidance was developed through the Joint Ransomware Task Force (JRTF), reflecting the growing connection between Bulletproof hosting and ransomware campaigns targeting critical sectors.

Our Perspective

This publication brings much-needed clarity to a problem that has long shaped cyber operations. Bulletproof hosting infrastructure enables cybercriminal activity by providing threat actors with a dependable foundation for their campaigns. When this infrastructure is identified and constrained, defenders gain more meaningful opportunities to reduce the scale and impact of emerging threats.

Our work focuses on helping defenders detect malicious resources early, track infrastructure changes, and understand the patterns behind these operations. Seeing this issue addressed directly by CISA and its international partners is an important step for the broader security community.

In our public research on “infrastructure laundering,” we detailed how malicious actors illicitly acquire IP addresses from major cloud providers and map them via CNAME chains to make sure their scam websites load quickly for victims. That research provides a practical example of the kind of Bulletproof hosting activity CISA’s guidance addresses. We are committed to helping defenders identify and disrupt malicious infrastructure before it fuels large-scale operations.

Looking Ahead with Preemptive Cyber Defense

Improving visibility into Bulletproof hosting providers and limiting their ability to support cybercriminal activity is a practical and impactful measure. If ISPs and network defenders implement the recommendations in CISA’s guidance, the operational environment for attackers becomes more restricted and more costly.

We appreciate the opportunity to contribute insights to this conversation and support efforts that strengthen proactive defense across the ecosystem.
