December 3, 2020
A new automated data feed that helps defend state and local government computer systems from cyberattacks and rapidly blocks threats across state lines reduced cyber defense time from some three days to less than three minutes in a successful pilot program across four states.
Under the live pilot on active government systems, Louisiana, Massachusetts, Texas, the state of Arizona and Maricopa County, Arizona, together with the Multi-State Information Sharing and Analysis Center (MS-ISAC), effectively flagged indicators of a cyberattack and rapidly blocked traffic to and from threatening IP addresses, domains and files across the shared network markedly faster than current manual processes.
Led by the Johns Hopkins University Applied Physics Laboratory (APL) in Laurel, Maryland, the one-year trial, “Indicators of Compromise Automation Pilot,” was funded by a grant from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) in partnership with the four states and the CISA-funded MS-ISAC, a key U.S. cybersecurity resource for state, local, tribal and territorial (SLTT) governments.
During the pilot, one participating state received threat information fast enough to preemptively block and protect its network from 270,000 attacks on the day the source was first observed, and from half a million attacks over multiple days.
Sharing information at this speed across state lines defended government systems from a range of attacks, including malware, ransomware and spear phishing.
“Too often, state and local governments learn of an attack after it has infiltrated their systems,” said APL’s Charles Frick, the pilot’s principal investigator. “The new automated feed not only delivers actionable cyber threat intelligence and successful defense, but it also frees up network security personnel to address the most complex cyber threats.”
The pilot feed may serve as a model for other states and local governments to quickly and easily augment their cyber defense capabilities. MS-ISAC is working with CISA and APL to make the feed more consumable and is preparing to offer it to its members across the nation. The pilot feed remains available to the states that participated in the pilot and is in active use for cyber defense.
The pilot builds on previous APL research and testing in critical infrastructure industries that demonstrated that automated information sharing can shore up cyber defenses by drastically reducing response time, using a process called the Integrated Adaptive Cyber Defense (IACD) framework developed by APL.
The “Indicators of Compromise Automation Pilot” applied security orchestration, automation and response (SOAR) tools that collect threat data from multiple sources and perform automated triage response dramatically faster than manual processes. The trial’s key goals were to integrate end-to-end cyber defense responses from sensing to acting within minutes as well as to define consistent procedures and information sharing across state and local governments.
The new automated feed is “low regret,” meaning a government agency can allow the automatic blocking of an indicator of compromise with confidence that it poses a malicious threat and near certainty that the automated block will not disrupt operations.
Frick added that the successful technique used in the pilot could be modeled to protect infrastructure across other sectors, including financial services, transportation, energy and more.
With the one-year pilot, APL collected a large amount of data and results to make available as industry guides and best practices to impacted sectors, including state and local governments and the critical infrastructure community.
CISA is the nation’s risk advisor, working with partners to defend against threats and collaborating to build more secure and resilient infrastructures.
For more than 75 years, the Applied Physics Laboratory, a not-for-profit division of the Johns Hopkins University, has met critical national challenges through the innovative application of science and technology. APL has integrated more than 50 commercially available security and information technology management products, information feeds and cybersecurity services into the IACD framework. Most recently, the Laboratory provided technical assistance and consultation to the first financial institution implementation of IACD.
Within Arizona’s Department of Administration, the Arizona Strategic Enterprise Technology program’s mission is to deliver forward-thinking and secure IT solutions to state agencies by putting the customer first, offering world-class services and focusing on value, not cost.
Maricopa County’s Office of Enterprise Technology (OET) provides enterprise infrastructure and application support that allows the county to effectively operate on a daily basis. OET also provides IT consulting as a trusted advisor to over 30 county departments.
The Office of Technology Services functions as the centralized provider of IT support services for executive cabinet agencies of state government and is designated as the sole authority for information technology procurement.
The mission of the Massachusetts Executive Office of Technology Services and Security (EOTSS) is to provide secure and quality digital information, services and tools to customers and constituents when and where they need them. EOTSS offers responsive digital services and productivity tools to more than 40,000 state employees as well as digital services and tools that enable taxpayers, motorists, businesses, visitors, families and other citizens to do business with the commonwealth in a way that makes every interaction with government easier, faster and more secure.
Both the Texas Department of Information Resources (DIR) and Department of Public Safety (DPS) are participating in the SLTT IOC automation pilot. DIR serves the Texas government by leading the state’s technology strategy, protecting state technology infrastructure and offering innovative and cost-effective solutions for all levels of government. DPS’s mission is to proactively protect the citizens of Texas in an ever-changing threat environment while always remaining faithful to the U.S. and state constitution.
MS-ISAC, managed by the Center for Internet Security, is the focal point for cyber threat prevention, protection, response and recovery for the nation’s SLTT governments. The mission of MS-ISAC is to improve the overall cybersecurity posture of SLTT governments. Collaboration and information sharing among members, the U.S. Department of Homeland Security and private-sector partners are the keys to success.
Technical contact: Charles Frick, Principal Investigator, Charles.Frick@jhuapl.edu
Amanda Zrebiec, 240-592-2794, Amanda.Zrebiec@jhuapl.edu
John Courtmanche, 240-521-1314, John.Courtmanche@jhuapl.edu
Sara Sendak, Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, CISAmedia@hq.dhs.gov
Barbara Ware, Center for Internet Security, Barbara.Ware@cisecurity.org
The Applied Physics Laboratory, a not-for-profit division of The Johns Hopkins University, meets critical national challenges through the innovative application of science and technology. For more information, visit www.jhuapl.edu.