FireEye Stories

FireEye Success Story: Solutions and Strategies for Elections Part Three – The War Room

“Everybody has a plan until they get punched in the mouth.” — Mike Tyson

I love that quote, but I don’t think it means what most people assume it does. It doesn’t mean that all bets are off as soon as conflict starts—in fact, it is quite the opposite. It means that knowing what to do after you get hit can make all the difference. Having a plan is important, but being prepared for if/when that plan goes sideways is just as important. In other words, unintended events can (and do) disrupt plans; being prepared for these disruptions often becomes the decisive factor between success and failure.

In the previous entry in this blog series, we learned about the necessary preparation that Boards of Election have to routinely perform in order to protect themselves, leading up to the day of an election. Now, we will take a look at how FireEye works to protect elections on the day they occur, colloquially known as the “War Room”.

The Objective

The goal of the War Room during an election is to maintain real-time coordination across the vital stakeholders and facets of the security apparatus charged with ensuring the integrity of the electoral process, so that if an incident occurs the response is already organized. To do so, the War Room must have on-site representation from a large number of these key stakeholders, and immediate outreach capability to the rest of the players who have a hand in protecting the event.

If nothing unexpected occurs (a scenario for which we always hope) the War Room will stand up, serve its time, and disband without much notice. However, in the event that a cyber incident does occur, having all the pieces together to identify, isolate, and remediate it in one room is vital to ensure the fastest possible response.

Finally, clarity of message is important. The War Room must have the discipline to speak with one voice in order to mitigate any possible confusion. This voice will usually be the lead representative from the Board of Election who is dedicated to the War Room. Cyber events can be high-stress and dynamic affairs in any environment, creating fear, uncertainty, and doubt among those who are affected. Having a single message coming out of the security team is the best way to reduce this tendency toward confusion and ensure a rapid resolution.

The Composition

Election protection is a multi-faceted challenge. The War Room works by having eyes on as many of these facets as possible. Representation should include the following:

  • BOE Security Liaison (with decision-making authority)—This person has the ability and power to make difficult calls concerning the Board’s infrastructure, if the need arises. This person is the most important contributor to the War Room’s success. They should be designated by the BOE Executive Team, and will be the mouthpiece for the War Room.
  • FireEye Coordination and Watch Lead—This person is the prime contact and senior authority from FireEye in the War Room. Whether this individual is a Director, serves in a CISO support role, or holds a different program-management role in the election protection effort, this person has the ability to make decisions on behalf of FireEye when decisions are required. The Watch Lead works hand-in-hand with the BOE Security Liaison, serving as a senior advisor and the first point of escalation for the BOE within the FireEye organization.
  • Managed Security Service Liaison—Boards of Election, like many other organizations, deploy multiple security service solutions. FireEye Managed Defense may be required to work side by side with one (or several) other third-party solutions. Ensuring a free election is a mission that requires all third parties to work in sync, and not be burdened with petty squabbles or misalignments. The FireEye Managed Defense technology-agnostic approach allows them to assume this role of coordinator and liaison for the BOE’s managed security services.
  • Incident Response Lead—Having someone at the ready who can jump into the role of Incident Commander or Triage Lead if the need arises is vital. This person can be from the BOE, FireEye Mandiant, or another source. Regardless of where they come from, they should have the experience and skill required to initiate a hunt for evil on the BOE’s network, and they should be an expert in using the tools deployed.
  • Intelligence Analyst—Actionable intelligence can be the difference between getting out in front of a problem and preventing it from escalating, or being forced to play catch-up on a major incident. Having an intelligence analyst in the War Room who is already familiar with the BOE’s intelligence requirements is a key part of a full-spectrum protection effort. This person should cover multiple platforms and sources including, but not limited to, social media, the dark web, third-party intelligence providers such as FireEye Intelligence, legitimate news media, and others.
  • Malware Reverse Engineer—Simply put, if a reverse engineer is needed in the moment, it is far better to have one at the ready than be forced to spend time looking for one. They are highly specialized, fulfill a massively important role in investigating malware, and are extremely tough to come by if you don’t know where to look. The FireEye FLARE Team employs some of the most capable and versatile reverse engineers in the industry.
  • Technology and Engineering Support—The unsung heroes of the War Room! Support can help run down issues with any technology deployed in order to protect the BOE’s environments, of which there will more than likely be a few. Also, having support that is versatile in the technologies deployed can be the difference between spinning up a major incident and identifying a false positive. The importance of having a capable support individual, or team such as FireEye D&I, cannot be stressed enough when it comes to a successful election War Room.
  • External Partner Representation—Election protection is a massive joint effort, and Boards of Election have many resources at their disposal, even outside the security industry. These include public sector allies in the fight such as local law enforcement, DHS, FBI, EI-ISAC, MS-ISAC, USCC, and other city / state entities. It also includes partners with entities from social media and the private sector such as Facebook, Twitter, Google, and ISPs (e.g., Verizon, AT&T).

Note that in many cases, having all of these people immediately in the room is not feasible—not every Board of Election has the space to facilitate such a group. Deciding who from this group should be physically present versus who can be remote is something that should be worked out in advance. At a minimum, the BOE Security Liaison, FireEye Coordination and Watch Lead, and Technology and Engineering Support should be physically present. One additional factor to consider is the type of election. Larger elections with increased attention will require larger teams with in-person presence. Smaller contests may only need a subset of this larger team.

The Tasks

Now that we know the facets that make up the War Room, what should they do? War Room activities include ensuring that technologies such as FireEye Endpoint Security, Email Security, and Network Security that are meant to protect key election infrastructure at Boards remain properly deployed and actively monitored, and continue to support hunting for threats in the environment. The status of key security technologies should be closely tracked, and outages or issues dealt with rapidly; a sensor that has silently stopped reporting is a coverage gap, not a quiet day.

Incident monitoring, triage, and response staff should monitor key security tools and log sources (typically through a unified SIEM platform such as FireEye Helix), and provide updates and escalations if/when they are needed. It is vital that all events be thoroughly triaged (deduplicated, and corroborated across sources where possible) to avoid false alarms and unnecessary escalations.

The War Room should report the status of the threat environment that all of the various facets cover throughout the day on a steady cadence. Additionally, the reporting structure should be in place in the event of a cyber incident, if the need arises. These reports should be given by the designated “voice” of the War Room, as previously mentioned. Such reports will typically be shared by email to all internal and external stakeholders.

If you agree with me that Tyson’s quote means you need to be prepared, then it could be said that the United States electoral process was punched in the face three years ago, and we were proven to have a glass jaw. The efforts to undermine the 2016 presidential election were seen as an unmitigated success by those who perpetrated them. Put simply, we did not know how to respond. Our plan collapsed.

Today, we know that adversaries are setting their sights on our elections again. Preparing our defenses (as discussed in our previous blog post) is like strengthening that jaw, and a robust War Room is our ability to stave off that attack by holding true to a disciplined defense. It is our counterpunch.