Under the live pilot on active government systems, Louisiana, Massachusetts, Texas, the state of Arizona and Maricopa County, Arizona, together with the Multi-State Information Sharing and Analysis Center (MS-ISAC), effectively flagged indicators of a cyberattack and rapidly blocked traffic to and from threatening IP addresses, domains and files across the shared network markedly faster than current manual processes.
Led by the Johns Hopkins University Applied Physics Laboratory (APL) in Laurel, Maryland, the one-year trial, “Indicators of Compromise Automation Pilot,” was funded by a grant from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) in partnership with the four states and the CISA-funded MS-ISAC, a key U.S. cybersecurity resource for state, local, tribal and territorial (SLTT) governments.
During the pilot, one participating state received threat information fast enough to preemptively block and protect its network from 270,000 attacks on the day the source was first observed, and from half a million attacks over multiple days.
Sharing information at this speed across state lines defended government systems from a range of attacks, including malware, ransomware and spear phishing.
“Too often, state and local governments learn of an attack after it has infiltrated their systems,” said APL’s Charles Frick, the pilot’s principal investigator. “The new automated feed not only delivers actionable cyber threat intelligence and successful defense, but it also frees up network security personnel to address the most complex cyber threats.”
The pilot feed may serve as a model for other states and local governments to quickly and easily augment their cyber defense capabilities. MS-ISAC is working with CISA and APL to make the feed more consumable and is preparing to offer it to its members across the nation. The pilot feed remains available to the states that participated in the pilot and is in active use for cyber defense.
The pilot builds on previous APL research and testing in critical infrastructure industries that demonstrated that automated information sharing can shore up cyber defenses by drastically reducing response time, using a process called the Integrated Adaptive Cyber Defense (IACD) framework developed by APL.
The “Indicators of Compromise Automation Pilot” applied security orchestration, automation and response (SOAR) tools that collect threat data from multiple sources and perform automated triage response dramatically faster than manual processes. The trial’s key goals were to integrate end-to-end cyber defense responses from sensing to acting within minutes as well as to define consistent procedures and information sharing across state and local governments.
The new automated feed is “low regret,” meaning a government agency can allow the automatic blocking of an indicator of compromise with confidence that it poses a malicious threat and near certainty that the automated block will not disrupt operations.
Frick added that the successful technique used in the pilot could be modeled to protect infrastructure across other sectors, including financial services, transportation, energy and more.
With the one-year pilot, APL collected a large amount of data and results to make available as industry guides and best practices to impacted sectors, including state and local governments and the critical infrastructure community.
About the Partners
CISA
CISA is the nation’s risk advisor, working with partners to defend against threats and collaborating to build more secure and resilient infrastructures.
APL
For more than 75 years, the Applied Physics Laboratory, a not-for-profit division of the Johns Hopkins University, has met critical national challenges through the innovative application of science and technology. APL has integrated more than 50 commercially available security and information technology management products, information feeds and cybersecurity services into the IACD framework. Most recently, the Laboratory provided technical assistance and consultation to the first financial institution implementation of IACD.
Arizona
Within Arizona’s Department of Administration, the Arizona Strategic Enterprise Technology program’s mission is to deliver forward-thinking and secure IT solutions to state agencies by putting the customer first, offering world-class services and focusing on value, not cost.
Maricopa County, Arizona
Maricopa County’s Office of Enterprise Technology (OET) provides enterprise infrastructure and application support that allows the county to effectively operate on a daily basis. OET also provides IT consulting as a trusted advisor to over 30 county departments.
Louisiana
The Office of Technology Services functions as the centralized provider of IT support services for executive cabinet agencies of state government and is designated as the sole authority for information technology procurement.
Massachusetts
The mission of the Massachusetts Executive Office of Technology Services and Security (EOTSS) is to provide secure and quality digital information, services and tools to customers and constituents when and where they need them. EOTSS offers responsive digital services and productivity tools to more than 40,000 state employees as well as digital services and tools that enable taxpayers, motorists, businesses, visitors, families and other citizens to do business with the commonwealth in a way that makes every interaction with government easier, faster and more secure.
Texas
Both the Texas Department of Information Resources (DIR) and Department of Public Safety (DPS) are participating in the SLTT IOC automation pilot. DIR serves the Texas government by leading the state’s technology strategy, protecting state technology infrastructure and offering innovative and cost-effective solutions for all levels of government. DPS’s mission is to proactively protect the citizens of Texas in an ever-changing threat environment while always remaining faithful to the U.S. and state constitution.
MS-ISAC
MS-ISAC, managed by the Center for Internet Security, is the focal point for cyber threat prevention, protection, response and recovery for the nation’s SLTT governments. The mission of MS-ISAC is to improve the overall cybersecurity posture of SLTT governments. Collaboration and information sharing among members, the U.S. Department of Homeland Security and private-sector partners are the keys to success.