The growing presence of cyber threats to elections has resulted in many election organizations scrambling to develop security strategies involving people, processes and technology. When developing these security strategies, organizations should consider a three-part timeline that begins with pre-election preparedness, then shifts to what we call war room activities, and finishes with post-election improvement in order to prepare for the next rounds of election activities. FireEye has successfully assisted customers with developing such mitigation strategies, and also with introducing holistic solutions to ensure those people, processes, and technology are all used in unison. FireEye Managed Defense, FireEye Threat Intelligence, and FireEye Mandiant consulting services are regularly used to protect our election customers.
This blog post provides a general overview of what organizations should be considering at each of the three parts in the election security strategy timeline. We will go into more depth about each section in future blog installments. Also, read our recent blog post for more information on the types of threats to elections FireEye has been observing.
Pre-Election Preparedness
Pre-election efforts can be as specific as ensuring that supply chain vulnerabilities are monitored so that voting devices are not exposed. FireEye provides proactive protection ahead of elections by implementing FireEye technology and ensuring all levels of personnel are trained. We also ensure staff are informed about the escalation processes that apply to potential security incidents of varying severity. Visibility is central to this preparation, and it includes having FireEye Endpoint Security protection on all capable devices, including registration devices (e.g., tablets), workstations for business operations, and servers supporting file transfers and other business functions surrounding the election. Additionally, having device asset and overall network visibility is crucial, as nearly all FireEye election customers have devices that are used on a very irregular basis. For example, they may use a device only for the week leading up to an election or just on the day of the election, and then not use it again until the next election. Other common preparations include, but are not limited to, developing trifolds to be used by personnel who staff election voting locations. Additionally, holding tabletop exercises with executives ensures that senior leaders are prepared to react in the event of a cyber crisis.
War Room Activities
War room activities can include ensuring the upkeep of deployed technology, active monitoring, and threat hunting as needed. One of the ways FireEye helps organizations is by providing CISO advisory services and hourly reporting to executive leadership, based on FireEye Threat Intelligence sources and on what is being seen across the entire FireEye election customer base. Rogue device detection is very important, as devices are often added to the network for a custom purpose, such as statistical analysis of preliminary votes, and possibly used only on election days. Mapping all Domain Name System (DNS) requests to the source host is crucial in the event of an infection. FireEye Managed Defense and Mandiant consultants also monitor scanning activity against external interfaces to maintain visibility. Additionally, constant intelligence communication between state, local, and federal government agencies worldwide, in concert with FireEye Threat Intelligence, ensures that hunters are checking for the latest indicators of compromise.
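The two war room controls called out above, rogue device detection and mapping DNS requests back to the source host, both depend on the asset inventory built during pre-election preparation. The following is an added illustration, not FireEye code or part of the original post: it joins a constructed asset inventory with constructed resolver log lines to (a) flag hosts that generate DNS traffic but are not in the inventory, (b) flag inventoried devices that show no activity at all (the irregularly used devices mentioned earlier), and (c) answer the incident-response question "which hosts resolved this indicator?". The log line format, IP addresses, hostnames and domains are all hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed asset inventory (hypothetical): IP -> (hostname, role).
# In practice this comes from the organization's asset management system.
ASSET_INVENTORY = {
    "10.20.1.10": ("reg-tablet-01", "registration"),
    "10.20.1.11": ("reg-tablet-02", "registration"),
    "10.20.1.12": ("reg-tablet-03", "registration"),   # inventoried but silent below
    "10.20.2.20": ("ops-workstation-01", "business"),
    "10.20.3.30": ("file-server-01", "server"),
}

# Constructed resolver log lines (hypothetical format: timestamp, client IP, query name).
# 10.20.9.77 is not in the inventory; the last line is deliberately malformed.
DNS_LOG = """\
2020-11-03T06:01:12Z client=10.20.1.10 query=updates.example-vendor.test
2020-11-03T06:01:15Z client=10.20.2.20 query=mail.county.example
2020-11-03T06:02:03Z client=10.20.9.77 query=stats.example-analytics.test
2020-11-03T06:02:40Z client=10.20.1.11 query=updates.example-vendor.test
2020-11-03T06:03:01Z client=10.20.9.77 query=suspicious-domain.example
2020-11-03T06:03:30Z client=10.20.3.30 query=fileshare.county.example
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\d+\.\d+\.\d+\.\d+) query=(?P<qname>\S+)$"
)


def parse_dns_log(text):
    """Parse log lines into (timestamp, client_ip, qname) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # never let one bad line abort monitoring
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts, m.group("client"), m.group("qname")))
    return records


def host_label(client_ip, inventory):
    """Inventory hostname for an IP, or an explicit UNKNOWN tag so gaps are visible."""
    entry = inventory.get(client_ip)
    return entry[0] if entry else f"UNKNOWN({client_ip})"


def map_queries_to_hosts(records, inventory):
    """Map each source host (by inventory name) to the set of domains it queried."""
    by_host = defaultdict(set)
    for _, client, qname in records:
        by_host[host_label(client, inventory)].add(qname)
    return dict(by_host)


def find_rogue_devices(records, inventory):
    """IPs that generated DNS traffic but are absent from the asset inventory."""
    seen = {client for _, client, _ in records}
    return sorted(seen - set(inventory))


def silent_inventory_hosts(records, inventory):
    """Inventoried devices with no DNS activity in the window: a visibility gap to chase."""
    seen = {client for _, client, _ in records}
    return sorted(inventory[ip][0] for ip in inventory if ip not in seen)


def hosts_that_queried(records, inventory, qname):
    """Hosts that resolved a given indicator domain: the first step toward patient zero."""
    by_host = map_queries_to_hosts(records, inventory)
    return sorted(host for host, names in by_host.items() if qname in names)


if __name__ == "__main__":
    recs = parse_dns_log(DNS_LOG)
    print("Rogue devices:", find_rogue_devices(recs, ASSET_INVENTORY))
    print("Silent inventory hosts:", silent_inventory_hosts(recs, ASSET_INVENTORY))
    print("Resolved suspicious-domain.example:",
          hosts_that_queried(recs, ASSET_INVENTORY, "suspicious-domain.example"))
```

Running this reports 10.20.9.77 as a rogue device, reg-tablet-03 as an inventoried host with no activity, and the UNKNOWN host as the only one that resolved the constructed indicator domain. The design point is that both detections are set differences against the same inventory, so an inventory that is incomplete or stale before election day makes the war room blind in both directions.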
Post-Election Improvement
FireEye uses a structured and methodical approach to continually build election customers into mature organizations prepared for any threat and situation. FireEye post-election activities often include after-action reviews of the hourly updates from the election day war room activities. After-action items should be addressed as soon as possible and tracked formally to ensure that any missteps or near misses are not repeated in the next election. Additionally, technology gaps identified, such as network visibility or asset management, should be assigned an owner, prioritized and actioned many weeks prior to the next election. Furthermore, in the event of a compromise, the infection vector (or patient zero) should be determined, and actions taken to prevent future infections.
Overall, having an ongoing and holistic program has resulted in FireEye election customers being more informed and protected, and better able to respond to the latest cyber threats. The combination of FireEye services, personnel and technologies empowers our election customers to continually evolve as election threats evolve and attackers change their tactics, techniques and procedures. We will have more information in future blog posts, so stay tuned!