Election Security Spotlight – Cyber Threat Indicator Sharing

What it is:

Cyber threat indicator sharing is the practice of exchanging actionable threat intelligence between organizations. The information shared comes in the form of cyber threat indicators, which may include details about anomalous network traffic, a malicious IP address , a specific threat actor, behavioral patterns, or any other piece of data that can be used to identify malicious activity on a network . Indicator sharing methods range from fully automated software to more manual efforts, even as simple as email distribution lists, with the goal of disseminating actionable information in a timely manner. STIX™ and TAXII™ are open-source standards to facilitate indicator sharing processes:

  • Structured Threat Information eXpression (STIX™) is a common language used to communicate indicators effectively.
  • Trusted Automated eXchange of Indicator Information (TAXII™) provides a framework for the transmission of indicators between systems. TAXII™ is used to transmit STIX™, but can be used with other data formats as well.

Why does it matter:

Indicator sharing programs allow election offices to maintain visibility into ongoing cyber threats and quickly integrate them into defensive tools. While elections take place across multiple jurisdictions, malicious actors often reuse tactics and techniques. Lessons learned from an initial incident in one area and then shared have the power to stop cyber attacks elsewhere before more damage is done.

Threat detection and prevention, important elements of any defense in depth strategy , are also dependent on the specific, verifiable, and actionable information available through indicator sharing. The widespread exchange of threat intelligence, enables installation of basic and effective safeguards, such as firewall rules or email filtering. Automated indicator sharing tools can improve the speed and consistency of an organization’s threat intelligence processing. Many automated tools keep security controls on devices up-to-date without requiring manual review. For example, if an election office participating in an indicator sharing program is compromised and manually shares the malicious IP address of the attacker, other election offices participating could then immediately transfer that IP address from the shared indicator directly into a firewall block list, potentially preventing the same attack in a matter of seconds.

Standardized and automated indicator sharing enables large volumes of data to be analyzed for context to investigate broader trends associated with various indicators. By corroborating incidents with existing intelligence, analysts can use shared indicators to identify threat actors, attack campaigns, malicious strategies, and new malware technologies. This research makes it possible to build a greater understanding of the election threat landscape by identifying indicators specifically targeting election infrastructure as opposed to more opportunistic threats.

What you can do:

The EI-ISAC encourages election offices to participate in cyber threat indicator sharing. While there are multiple ways to share and receive cyber threat indicators, election offices should establish standards associated with contributing to a sharing network, including how to ingest information, when to share, what information to share, and what tools or platforms to leverage.

Indicators used in defensive solutions should be kept up-to-date, as some indicators contain dynamic information (such as IP addresses, file names, or domain names) that can expire over time as an attacker updates and adapts. Blocking these out of date indicators may result in blocking legitimate network traffic. Election offices should consider a few additional factors when participating in indicator sharing:

  • Confidence levels: Indicators are shared with a level of confidence as to whether or not they are malicious. Election offices may want to consider blocking higher confidence indicators, while only monitoring lower confidence indicators as they may not be truly malicious.
  • Shared Infrastructure: Some indicators may be associated with infrastructure that is shared across a wide range of users. For example, blocking an IP address belonging to a hosting provider may result in blocking legitimate activity in addition to the malicious activity associated with that IP address. Election offices should investigate the IP address to see if there is legitimate activity in addition to the malicious activity when deciding whether to block traffic or monitor for malicious activity.
  • Context: Indicators are often shared without context due to confidentiality concerns. This can impede the ability to identify associated trends or properly act on those indicators.

To mitigate these concerns, security programs can review both indicators shared and indicators received against public IP blacklists, DNS records, malware signatures, and other unique identifiable information to ensure consistency across a range of threat intelligence sources.

The EI-ISAC provides a platform for election officials getting started with indicator sharing. Anomali ThreatStream allows members to contribute their own indicators, report encounters with an existing entry, and receive relevant threat reports in real time. All EI-ISAC members have access to an unlimited number of analyst-level accounts. To get started with Anomali, visit https://www.anomali.com/learn/ei-isac . Members also can access our Weekly IP and Domain list through an automated service to ingest indicators into perimeter devices from several major providers by contacting [email protected].