Cybersecurity Toolkit and Resources to Protect Elections

As the lead federal agency responsible for national election security, CISA—through the Joint Cyber Defense Collaborative (JCDC)—has compiled a toolkit of free services and tools intended to help state and local government officials, election officials, and vendors enhance the cybersecurity and cyber resilience of U.S. election infrastructure.

How To Use This Toolkit

FIRST, use the Election Security Risk Profile Tool to assess your risk. The tool, developed by CISA and the U.S. Election Assistance Commission, can help state and local election officials understand the range of risks they face and how to prioritize their mitigation efforts. With this tool, you can:

Address areas of greatest risk.
Ensure that technical cybersecurity assessments and services are meeting critical needs.
Gain a sound analytic foundation for managing election security risk with key partners at the federal, state, and local level.

SECOND, review the items below. These are the election infrastructure assets most commonly targeted byphishing, ransomware, and distributed denial-of-service (DDoS) attacks.

Voter information: Threat actors may try to compromise or manipulate electronic poll books and voter registration databases in attempt to cause confusion or delay voting.
Websites: Threatactors often target state and local websites with DDoS, phishing, and ransomware attacks.
Email systems: Threat actors use phishing as the preferred vector with which to target state and local email systems.
Networks: Threat actors commonly use vectors, such as phishing or malware, to infiltrate state and local networks that election offices rely on for regular business functions.

THIRD, review this toolkit for the tools and services that correspond to the election infrastructure asset(s) you need to secure. The services and tools are aligned with the Protect and Detect functions of the NIST Cybersecurity Framework. Protect enables outlines safeguards to ensure the delivery of critical services and Detect defines activities to identify the occurrence of a cybersecurity event.

Note: This toolkit is not comprehensive. CISA applies neutral principles and criteria to add items and maintains sole and unreviewable discretion over the determination of items included. CISA does not attest to the suitability or effectiveness of these services and tools for any particular use case. CISA does not endorse any commercial product or service. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.

Preliminary Actions to Defend Against Common Cyber Threats:

Before using the toolkit to address specific threats, take the following actions to establish your cybersecurity baseline:

Implement free CISA Cyber Hygiene Services Vulnerability Scanning.
Keep systems and software updated and prioritize remediating known exploited vulnerabilities.
Follow password best practices, e.g., multifactor authentication enforcement, password manager.
Make and secure offline backups of data.

Once you understand your risks and capability gaps, use the below resources to learn more about how you can better protect against cybersecurity threats.

How Resources Are Categorized

The resources featured in this toolkit are grouped based on three threat categories:

Phishing

Ransomware

Distributed Denial of Service

Officials seeking to secure election infrastructure should carefully review each section to identify tools and services appropriate to address their primary risks.

The services and tools are aligned with the Protect and Detect functions of the NIST Cybersecurity Framework. Protect outlines safeguards to ensure the delivery of critical services and Detect defines activities to identify the occurrence of a cybersecurity event.

Category 1: Phishing

Step 1: Understand Phishing Attacks

Phishing attacks use email, text messaging, social media, and/or malicious websites to solicit personal information or to trick individuals into downloading malicious software. Cyber threat actors often use elections and political events to capture attention and lure recipients into clicking a link or downloading a file that contains malicious code. Election officials are often required to open email attachments, which could contain malicious payloads, to facilitate election administration processes (e.g., absentee ballot applications).

Step 2: Protect Against Phishing Attacks

CISA Phishing Campaign Assessment

Provides an opportunity for determining the potential susceptibility of personnel to phishing attacks. This is a practical exercise intended to support and measure the effectiveness of security awareness training.

Election Security Risk in Focus: Phishing

CISA’s free training on phishing details phishing types, detection, and impacts with an emphasis on election infrastructure-related risks and available resources.

Cisco OpenDNS Home

OpenDNS blocks phishing websites that try to steal a user/organization identity and login information by pretending to be a legitimate website.

Cloudflare DNS resolver with malware filter

Cloudflare DNS resolver with malware filter is a private and fast DNS resolver that prevents user/organization devices from accessing known malware threats.

Google Advanced Protection Program

The Google Advanced Protection Program safeguards users with high visibility and sensitive information from targeted online attacks. New protections are automatically added to defend against today’s wide range of threats.

Google Web Risk

A User Protection Service from Google Cloud designed to reduce the risk of threats targeting user-generated content. Google Web Risk lets organizations compare URLs in their environment against a repository of more than one million unsafe URLs.

Quad9

Quad9’s DNS platform is designed to prevent computers and devices from connecting to malware or phishing sites.

Secureworks PhishInSuits

The Secureworks Adversary Group and Counter Threat Unit research team developed the PhishInSuits tool to conduct security assessments and test control frameworks against scenarios such as business email compromise (BEC) attacks.

Step 3: Detect Phishing Attacks

Google Safe Browsing

This toolset identifies known phishing and malware across the web and helps notify users and website owners of potential harm. It is integrated into many major products and provides tools to webmasters.

CrowdStrike Hybrid Analysis

Inspects items using 70+ antivirus scanners and URL/domain blocklisting services, to extract signals from the studied content. Users can select files from computer via the browser and send to VirusTotal.

Google VirusTotal

VirusTotal inspects items with more than 70 antivirus scanners and URL/domain blocklisting services, in addition to a variety of other tools, to extract signals from the studied content.

Category 2: Ransomware

Step 1: Understand Ransomware Attacks

Ransomware is malicious software designed to deny access to computer systems or data. In a ransomware attack, the ransomware actor encrypts systems and/or data, rendering them inaccessible to owners and users. In some cases, data is also taken (exfiltrated) from the user’s computer or network. The actor demands payment to decrypt the systems and/or data. However, paying this ransom does not guarantee the user will regain access to their systems and/or data; these assets can be permanently lost or leaked.

For elections, a ransomware attack could leak or deny access to voter registration data, unofficial results reporting, and other sensitive information. It could also inhibit access to important election systems during critical operational periods, such as registration and candidate filing deadlines.

Step 2: Protect Against Ransomware Attacks

CISA Free Ransomware Services

CISA offers free services and training to protect organizations against ransomware.

Microsoft controlled folder access/ransomware protection in Windows

Controlled folder access in Windows helps protect against threats like ransomware by safeguarding folders, files, and memory areas on the device from unauthorized changes by unfriendly applications.

Microsoft Windows Backup and Restore

This tool sets up automatic backups of Windows 10 and 11 operating systems to an external drive or network location.

Zscaler’s Ransomware Risk Assessment

Assesses an organization’s ability to 1. counteract a ransomware infection and its spread and 2. to resume operations after an infection. Scans defenses against ransomware-specific intrusion, lateral movement, and exfiltration methods.

Cisco Immunet Antivirus

A malware and antivirus protection system for Windows that utilizes cloud computing to provide enhanced community-based security.

Google Drive for desktop

This tool backs up files on Windows or Mac computers. Note: It does not allow users to restore their system; it only saves copies of files.

Google Chrome OS and Chromebooks

Chrome OS is a cloud-first platform that provides protection against ransomware by default through built-in proactive security measures such as safe browsing practices, blocking executables, and automatic data and file backups.

Microsoft Defender Antivirus in Windows

Built into Windows 10 and 11 and in versions of Windows Server, this tool is used to protect and detect endpoint threats, including file-based and fileless malware.

Cisco ClamAV

An open-source antivirus engine used in a variety of situations, including email and web scanning and endpoint security. Provides a flexible, scalable multithreaded daemon, a command-line scanner, and an advanced tool for automatic database updates.

Step 3: Detect Ransomware Attacks

Google Security Command Center

This tool helps users strengthen their security posture by evaluating their security and data attack surface; providing asset inventory and discovery; identifying misconfigurations, vulnerabilities, and threats; and mitigating and remediating risks.

Microsoft Safety Scanner

Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. It can run scans to find malware and try to reverse changes made by identified threats.

AWS GitHub Security Assessment Tool

An AWS tool to help you create a point in time assessment of your AWS account using Prowler and Scout as well as optional AWS developed ransomware checks.

Cisco Snort

This network intrusion detection and prevention system conducts traffic analysis and packet logging on Internet Protocol (IP) networks.

Mandiant Red Team and Investigative Tools

These tools are designed to confirm and investigate suspected security compromises.

Category 3: Distributed Denial of Service (DDoS) Attacks

Step 1: Understand DDoS Attacks

DDoS attacks on election infrastructure can hinder access to voting information. A DDoS attack occurs when malicious cyber actors flood a public-facing, internet-accessible server with requests, rendering the targeted server slow or inaccessible. This prevents users from accessing online resources, such as web pages and online accounts, and may disrupt an organization’s activities for a period of time, potentially hindering voters’ ability to access voting information or unofficial election results.

For more information on DDoS attacks, please see CISA’s DDoS Quick Guide.

Step 2: Protect Against DDoS Attacks

Cloudflare DDoS Protection

Cloudflare provides unmetered and unlimited DDoS protection through their Autonomous DDoS Protection Edge, which automatically detects and mitigates DDoS attacks.

Cloudflare DNS

Cloudflare provides fast and secure managed Domain Name System (DNS) as a built-in service on its network. When users/organizations use Cloudflare DNS, all DNS queries for user/organization domains are answered by Cloudflare’s global Anycast network.

Cloudflare HTTPS Encryption (Secure Socket Layer [SSL]/Transport Layer Security [TLS])

This tool offers free SSL certificates to keep user data secure, verify ownership of the website, prevent attackers from creating a fake version of the site, and gain user trust.

Google reCAPTCHA

reCAPTCHA uses an advanced risk analysis engine and adaptive challenges to keep malicious software from engaging in abusive activities on a user’s website.

Google Jigsaw Project Shield

Project Shield is a free service that defends news, human rights, and election-monitoring sites from DDoS attacks.

Lumu Technologies Lumu Free

Lumu Free offers continuous monitoring across the network by leveraging multiple sources of metadata (DNS, proxy, firewall). Organizations can uncover contact with malicious infrastructure, enabling threat mitigation and attack prevention.

Let's Encrypt

This tool provides a free digital certificate to enable HTTPS (SSL/TLS) for websites. While Let’s Encrypt provides a free way to enable HTTPS, its lack of enterprise support may require internal support from jurisdictions.

Step 3: Detect a DDoS Attack

Cloudflare Web Analytics

Cloudflare’s built-in analytics give users/organizations deeper insights into their traffic patterns, threats observed (and blocked), and other information found in the dashboard.

Cloudflare Logs

Cloudflare provides access to detailed logs of HTTP requests for domain. Logs are typically used for debugging, identifying configuration adjustments, and creating analytics.

Cloudflare Rate Limiting

Cloudflare Rate Limiting automatically identifies and mitigates excessive request rates for specific URLs or for an entire domain.

Additional Tools for Election Security

The following tools and services can help:

Reduce the likelihood of a damaging cyber incident.
Quickly detect a potential intrusion.
Support preparation and response efforts if an intrusion does occur.
Maximize an organization’s resilience to a damaging cyber incident.

Microsoft AccountGuard

Microsoft AccountGuard is a cybersecurity service that adds an extra layer of protection against Nation-State sponsored attackers to elections organizations. AccountGuard protects both the professional and optionally

Azure for Elections

Azure for Elections is a set of security and resiliency assessments & enhanced support for elections-critical workloads running in the Azure cloud.

Cloudflare Anycast Content Delivery Network

The Cloudflare Anycast Content Delivery Network quickly routes incoming traffic to the nearest data center with the capacity to process the request efficiently, handling surges in web traffic due to registration deadlines and election result updates.

Cloudflare Web Application Firewall

The Cloudflare Web Application Firewall (WAF) provides both automatic protection from vulnerabilities and the flexibility to create custom rules.

Google Cybersecurity Action Team

This service provides a number of security resources, including security blueprints, white papers, threat reports, and information on recently detected vulnerabilities.

Google GRR Rapid Response

GRR Rapid Response is an incident response framework focused on remote live forensics. The goal of GRR is to support forensics and investigations in a fast, scalable manner to allow analysts to quickly triage attacks and perform analysis remotely.

Microsoft BitLocker for Windows

This tool encrypts Microsoft Windows systems.

Microsoft Windows Malicious Software Removal Tool

This tool is released by Microsoft on a monthly basis as part of Windows Update or as a stand-alone tool. It can be used to find and remove specific prevalent threats and reverse the changes they have made.

Guardicore Infection Monkey

Infection Monkey is an open-source tool for breach and attack analysis that tests a data center’s resiliency to perimeter breaches and internal server infections.

IBM X-Force Exchange

IBM X-Force Exchange is a cloud-based threat intelligence platform that allows users to consume, share, and act on threat intelligence.

Mandiant Attack Surface Management

This early warning system for information security allows users/organizations to create comprehensive visibility through graph-based mapping; know when assets change to stay ahead of the threat; and empower security operations to mitigate real-world

Mandiant Threat Intelligence

Free access to the Mandiant Threat Intelligence portal helps users understand recent security trends, proactively hunt threat actors, and prioritize response activities.

Additional CISA & Partner Cybersecurity Resources

In addition to this toolkit, CISA offers other election cybersecurity resources, such as guidance documents, reports, infographics, and free basic cyber hygiene tools:

Election Infrastructure Security webpage. CISA’s primary hub for election security announcements, resources, and materials.
Free Cybersecurity Services and Tools webpage. A general toolkit of free cybersecurity services compiled by CISA to help critical infrastructure owners and operators further advance their cybersecurity capabilities.
CISA Tabletop Exercises Packages. A comprehensive set of resources designed to assist stakeholders in conducting their own exercises.
Automated Indicator Sharing. Automated Indicator Sharing is a CISA capability that enables the real-time exchange of machine-readable cyber threat indicators and defensive measures.
Cyber Guidance for Small Businesses. CISA has compiled the top cybersecurity tasks for IT leads and their staff, including enforcing multifactor authentication for all users, keeping systems patched, and monitoring CISA’s Known Exploited Vulnerabilities (KEV) Catalog.

Enhancing the cybersecurity and cyber resilience of U.S. election infrastructure is a partnership; CISA’s election security partners offer the following free resources.

MS-ISAC and EI-ISAC Resources

The Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) provide no-cost services to secure U.S. election infrastructure. MS-ISAC is the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities, and the EI-ISAC supports the rapidly changing cybersecurity needs of U.S. elections offices.

Membership in the Multi-State ISAC is free and open to all state, local, tribal, and territorial government organizations.

Membership in the Elections Infrastructure ISAC is free and open to all state, local, tribal, and territorial government organizations that support U.S. elections.