Cybersecurity Toolkit to Protect Elections

As the lead federal agency responsible for national election security, CISA—through the Joint Cyber Defense Collaborative (JCDC)—has compiled a toolkit of free services and tools intended to help state and local government officials, election officials, and vendors enhance the cybersecurity and cyber resilience of U.S. election infrastructure. This toolkit includes free tools, services, and resources provided by CISA, JCDC members, and others across the cybersecurity community.

How To Use This Toolkit

First, use the Election Security Risk Profile Tool to assess your risk. The tool, developed by CISA and the U.S. Election Assistance Commission, can help state and local election officials understand the range of risks they face and how to prioritize their mitigation efforts. With this tool, you can:

  • Address areas of greatest risk.
  • Ensure that technical cybersecurity assessments and services are meeting critical needs. 
  • Gain a sound analytic foundation for managing election security risk with key partners at the federal, state, and local level.

Second, review the icons below. These icons correspond to the election infrastructure assets most commonly targeted by phishing, ransomware, and distributed denial-of-service (DDoS) attacks.

Voter information (newspaper icon): Threat actors may try to compromise or manipulate electronic poll books and voter registration databases in an attempt to cause confusion or delay voting.

Websites (internet icon): Threat actors often target state and local websites with DDoS, phishing, and ransomware attacks.

Email systems (email icon): Threat actors use phishing as the preferred vector with which to target state and local email systems.

Networks (social network icon): Threat actors commonly use vectors, such as phishing or malware, to infiltrate state and local networks that election offices rely on for regular business functions.

Third, review this toolkit for the tools and services that correspond to the election infrastructure asset(s) you need to secure. The services and tools are aligned with the Protect and Detect functions of the NIST Cybersecurity Framework: Protect outlines safeguards to ensure the delivery of critical services, and Detect defines activities to identify the occurrence of a cybersecurity event.

Note: This toolkit is not comprehensive. CISA applies neutral principles and criteria to add items and maintains sole and unreviewable discretion over the determination of items included. CISA does not attest to the suitability or effectiveness of these services and tools for any particular use case. CISA does not endorse any commercial product or service. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.

Preliminary Actions to Defend Against Common Cyber Threats:

Before using the toolkit to address specific threats, take the following actions to establish your cybersecurity baseline.

    Phishing

    Step 1: Understand Phishing Attacks.

    Phishing attacks use email, text messaging, social media, and/or malicious websites to solicit personal information or to trick individuals into downloading malicious software. Threat actors often use elections and political events to capture attention and lure recipients into clicking a link or downloading a file that contains malicious code. Election officials are often required to open email attachments, which could contain malicious payloads, to facilitate election administration processes (e.g., absentee ballot applications).

    Step 2: Protect against phishing attacks.

    Basic

    CISA Phishing Campaign Assessment

    This service provides an opportunity for determining the potential susceptibility of personnel to phishing attacks. This is a practical exercise intended to support and measure the effectiveness of security awareness training. To sign up, email: vulnerability@cisa.dhs.gov

    Election Security Risk in Focus: Phishing


    CISA’s free training on phishing details phishing types, detection, and impacts with an emphasis on election infrastructure-related risks and available resources.

    Cisco OpenDNS Home

    OpenDNS blocks phishing websites that try to steal a user/organization identity and login information by pretending to be a legitimate website.

    Cloudflare DNS resolver with malware filter

    Cloudflare DNS resolver with malware filter is private and fast. It prevents user/organization devices from accessing known malware threats. If an employee opens and clicks on a phishing email, the link in the email won’t work. This prevents attackers from compromising sensitive internal information.

    Quad9

    This tool is designed to prevent computers and devices from connecting to malware or phishing sites.

    Google Advanced Protection Program

    The Advanced Protection Program safeguards users with high visibility and sensitive information from targeted online attacks. New protections are automatically added to defend against today’s wide range of threats. It is the tool of choice to protect campaign and election organizations. 

    Google Web Risk

    Google Web Risk is a User Protection Service from Google Cloud designed to reduce the risk of threats targeting user-generated content. Web Risk lets organizations compare URLs in their environment against a repository of more than one million unsafe URLs.

    Advanced

    Secureworks PhishInSuits  

    The Secureworks Adversary Group and Counter Threat Unit research team developed the PhishInSuits tool to conduct security assessments and test control frameworks against scenarios such as business email compromise (BEC) attacks. The tool combines a variation of the illicit consent attack with text message (SMS)-based phishing (smishing) to emulate BEC campaigns and includes automated data-exfiltration capabilities.

    Step 3: Detect phishing attempts.

    Basic

    Google Safe Browsing

    This toolset identifies known phishing and malware across the web and helps notify users and website owners of potential harm. It is integrated into many major products and provides tools to webmasters.

    CrowdStrike Hybrid Analysis

    This tool is a free malware analysis service that detects and analyzes unknown threats using a unique Hybrid Analysis technology. Users can submit suspicious URLs and receive aggregated malicious verdicts as well as the contents at said URL. Hybrid Analysis is also a file sandbox and free alternative to other public malware repositories for file/threat hunting.

    Advanced

    Google VirusTotal

    VirusTotal inspects items with more than 70 antivirus scanners and URL/domain blocklisting services, in addition to a variety of other tools, to extract signals from the studied content. Users can select a file from a computer via the browser and send it to VirusTotal. Submissions may be scripted in any programming language using the HTTP-based public application programming interface (API).

    Ransomware

    Step 1: Understand ransomware attacks.

    Ransomware is malicious software designed to deny access to computer systems or data. In a ransomware attack, the ransomware actor encrypts systems and/or data, rendering them inaccessible to owners and users. In some cases, data is also taken (exfiltrated) from the user’s computer or network. The actor demands payment to decrypt the systems and/or data. However, paying this ransom does not guarantee the user will regain access to their systems and/or data; these assets can be permanently lost or leaked.

    For elections, a ransomware attack could leak or deny access to voter registration data, unofficial results reporting, and other sensitive information. It could also inhibit access to important election systems during critical operational periods, such as registration and candidate filing deadlines. 

    Step 2: Protect against ransomware attacks.

    CISA Free Ransomware Services

    CISA offers free services and training to protect organizations against ransomware.

    Basic

    Microsoft controlled folder access/ransomware protection in Windows

    Controlled folder access in Windows helps protect against threats like ransomware by safeguarding folders, files, and memory areas on the device from unauthorized changes by unfriendly applications.

    Microsoft Windows Backup and Restore

    This tool sets up automatic backups of Windows 10 and 11 operating systems.

    Zscaler’s Ransomware Risk Assessment

    This service assesses an organization’s ability to counteract a ransomware infection and its spread, as well as an organization’s ability to resume operations after an infection. This tool scans defenses against ransomware-specific intrusion, lateral movement, and exfiltration methods. It is safe to use and runs within the browser.

    Cisco Immunet Antivirus  

    Immunet is a malware and antivirus protection system for Windows that utilizes cloud computing to provide enhanced community-based security.

    Google Drive for desktop

    This tool backs up files on Windows or Mac computers. Note: It does not allow users to restore their system; it only saves copies of files.

    Google Chrome OS and Chromebooks

    Chrome OS is a cloud-first platform that provides protection against ransomware by default.

    Microsoft Defender Antivirus in Windows

    Built into Windows 10 and 11 and in versions of Windows Server, this tool is used to protect and detect endpoint threats, including file-based and fileless malware.

    Advanced

    Cisco ClamAV

    ClamAV is an open-source (general public license [GPL]) antivirus engine used in a variety of situations, including email and web scanning and endpoint security. It provides many utilities for users, including a flexible and scalable multithreaded daemon, a command-line scanner, and an advanced tool for automatic database updates.

    Step 3: Detect ransomware attacks.

    Basic

    Google Security Command Center

    This tool helps users strengthen their security posture by evaluating their security and data attack surface; providing asset inventory and discovery; identifying misconfigurations, vulnerabilities, and threats; and mitigating and remediating risks.

    Microsoft Safety Scanner

    Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. It can run scans to find malware and try to reverse changes made by identified threats.

    Advanced

    Cisco Snort

    This network intrusion detection and prevention system conducts traffic analysis and packet logging on Internet Protocol (IP) networks. Through protocol analysis, content searching, and various pre-processors, Snort detects thousands of worms, vulnerability exploit attempts, port scans, and other suspicious behavior. Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine. The related free Basic Analysis and Security Engine (BASE) is a web interface for analyzing Snort alerts.

    Mandiant Red Team and Investigative Tools

    These tools are designed to confirm and investigate suspected security compromises.

    Distributed Denial of Service (DDoS) Attacks

    Step 1: Understand DDoS attacks.

    DDoS attacks on election infrastructure can hinder access to voting information. A DDoS attack occurs when malicious cyber actors flood a public-facing, internet-accessible server with requests, rendering the targeted server slow or inaccessible. This prevents users from accessing online resources, such as web pages and online accounts, and may disrupt an organization’s activities for a period of time, potentially hindering voters’ ability to access voting information or unofficial election results.

    For more information on DDoS attacks, please see CISA’s DDoS Quick Guide.

    Step 2: Protect against DDoS attacks.

    Basic

    Cloudflare DDoS Protection

    Cloudflare provides unmetered and unlimited DDoS protection through their Autonomous DDoS Protection Edge, which automatically detects and mitigates DDoS attacks. The Autonomous Edge includes multiple dynamic mitigation rules exposed as Cloudflare DDoS Attack Protection Managed Rule sets, which provide comprehensive protection against a variety of DDoS attacks across L3/4 and L7 of the OSI model. This tool mitigates DDoS attacks without incurring latency or interfering with legitimate users.

    Cloudflare DNS

    Cloudflare provides fast and secure managed Domain Name System (DNS) as a built-in service on its network. When users/organizations use Cloudflare DNS, all DNS queries for user/organization domains are answered by Cloudflare’s global Anycast network. The Anycast network allows Cloudflare to mitigate DDoS attacks directed at any site using Cloudflare name servers. In addition, Cloudflare DNS supports the Domain Name System Security Extensions (DNSSEC) protocol, which creates a secure domain name system by adding cryptographic signatures to existing DNS records. By checking the associated signature, users/organizations can verify that a requested DNS record comes from its authoritative name server and wasn’t altered en route, as opposed to a fake record injected in a man-in-the-middle attack.

    Cloudflare HTTPS Encryption (Secure Socket Layer [SSL]/Transport Layer Security [TLS])

    This tool offers free SSL certificates to keep user data secure, verify ownership of the website, prevent attackers from creating a fake version of the site, and gain user trust. By encrypting any data that goes between a user and a web server, SSL ensures that anyone who intercepts the data can only see a scrambled mess of characters. SSL also stops certain kinds of cyberattacks: It authenticates web servers, which is important because attackers will often try to set up fake websites to trick users and steal data.

    Google reCAPTCHA

    reCAPTCHA uses an advanced risk analysis engine and adaptive challenges to keep malicious software from engaging in abusive activities on a user’s website.

    Google Jigsaw Project Shield

    Project Shield is a free service that defends news, human rights, and election-monitoring sites from DDoS attacks.

    Advanced

    Lumu Technologies Lumu Free

    Lumu Free offers continuous monitoring across the network by leveraging multiple sources of metadata (DNS, proxy, firewall). Organizations can uncover contact with malicious infrastructure, enabling threat mitigation and attack prevention. Malicious incidents can be labeled to ensure prioritization according to an organization’s risk tolerance.

    Let’s Encrypt

    This tool provides a free digital certificate to enable HTTPS (SSL/TLS) for websites. While Let’s Encrypt provides a free way to enable HTTPS, its lack of enterprise support may require internal support from jurisdictions.


    Step 3: Detect a DDoS attack.

    Basic

    Cloudflare Web Analytics

    Cloudflare’s built-in analytics give users/organizations deeper insights into their traffic patterns, threats observed (and blocked), and other information found in the dashboard. High-level analytic dashboards provide overviews of traffic and security posture, including traffic and firewall events, DNS query traffic, and the geographical distribution of DNS queries over time.

    Cloudflare Logs

    Cloudflare provides access to detailed logs of HTTP requests for a domain. Logs are typically used for debugging, identifying configuration adjustments, and creating analytics, especially when combined with other data sources such as application server logs. Logs are helpful when investigating incidents such as website outages.

    Advanced

    Cloudflare Rate Limiting

    Cloudflare Rate Limiting automatically identifies and mitigates excessive request rates for specific URLs or for an entire domain. Request rates are calculated locally for individual Cloudflare data centers. The most common uses for Rate Limiting are DDoS and brute-force attack protection, and to limit access to forum searches, API calls, or resources that involve database-intensive operations at user/organization origin.

    Additional Tools for Election Security

    The following tools and services can help:

    • Reduce the likelihood of a damaging cyber incident.
    • Quickly detect a potential intrusion.
    • Support preparation and response efforts if an intrusion does occur.
    • Maximize an organization’s resilience to a damaging cyber incident.

    Additional tools and services

    Basic

    Microsoft AccountGuard

    Microsoft AccountGuard is a cybersecurity service that adds an extra layer of protection against nation-state-sponsored attackers for election organizations. AccountGuard protects the professional and, optionally, the personal email accounts of staff.

    Azure for Elections

    Azure for Elections is a set of security and resiliency assessments and enhanced support for election-critical workloads running in the Azure cloud:

    - Cloud cybersecurity assessments
    - Resiliency assessments for high load
    - Prioritized rapid support response during Election Week

    There is no additional cost; contact protectelections@microsoft.com to enroll.

    Cloudflare Anycast Content Delivery Network

    The Cloudflare Anycast Content Delivery Network quickly routes incoming traffic to the nearest data center with the capacity to process the request efficiently, handling surges in web traffic due to registration deadlines and election result updates. Caching content on Cloudflare’s network reduces the number of requests to an origin by serving static content from a Cloudflare data center and minimizing bandwidth consumption.

    Cloudflare Web Application Firewall

    The Cloudflare Web Application Firewall (WAF) provides both automatic protection from vulnerabilities and the flexibility to create custom rules. The WAF protects the integrity of information on the user/organization election website from common vulnerabilities, such as Structured Query Language (SQL) injection attacks, cross-site scripting, and cross-site request forgery.

    Google Cybersecurity Action Team

    This service provides a number of security resources, including security blueprints, white papers, threat reports, and information on recently detected vulnerabilities.

    Google GRR Rapid Response

    GRR Rapid Response is an incident response framework focused on remote live forensics. The goal of GRR is to support forensics and investigations in a fast, scalable manner to allow analysts to quickly triage attacks and perform analysis remotely.

    Microsoft BitLocker for Windows

    This tool provides full-volume encryption for Microsoft Windows systems, protecting data on the drive if the device is lost or stolen.

    Microsoft Windows Malicious Software Removal Tool

    This tool is released by Microsoft on a monthly basis as part of Windows Update or as a stand-alone tool. It can be used to find and remove specific prevalent threats and reverse the changes they have made.

    Advanced

    Guardicore Infection Monkey


    Infection Monkey is an open-source tool for breach and attack analysis that tests a data center’s resiliency to perimeter breaches and internal server infections. Infection Monkey helps to validate existing security solutions and provides a view of the internal network from an attacker’s perspective. Infection Monkey gives individuals focused on election security an understanding of potential risks by scanning networks and fingerprinting machines using multiple network protocols.

    IBM X-Force Exchange

    IBM X-Force Exchange is a cloud-based threat intelligence platform that allows users to consume, share, and act on threat intelligence. It enables users to conduct rapid research of the latest global security threats, aggregate actionable intelligence, consult with experts, and collaborate with peers.

    Mandiant Attack Surface Management

    This early warning system for information security allows users/organizations to create comprehensive visibility through graph-based mapping; know when assets change to stay ahead of the threat; and empower security operations to mitigate real-world threats.

    Mandiant Threat Intelligence

    Free access to the Mandiant Threat Intelligence portal helps users understand recent security trends, proactively hunt threat actors, and prioritize response activities.


    Mandiant Digital Threat Monitoring

    Detect and respond to external threats by monitoring the open, deep, and dark web. Monitoring provides early warning of threat actors targeting your organization and notification of data and credential leaks so you can respond more quickly.

    Microsoft RiskIQ Community

    The RiskIQ community offers free access to internet intelligence, including thousands of open-source intelligence articles and artifacts. Community users can investigate threats by pivoting through attacker infrastructure data, understanding what digital assets are exposed to the internet, and mapping and monitoring their external attack surface.


    github.com/microsoft/SecCon-Framework

    This security configuration framework is designed to help prioritize endpoint hardening recommendations.

    Additional CISA & Partner Cybersecurity Resources

    In addition to this toolkit, CISA offers other election cybersecurity resources, such as guidance documents, reports, infographics, and free basic cyber hygiene tools.

    Enhancing the cybersecurity and cyber resilience of U.S. election infrastructure is a partnership; CISA’s election security partners offer the following free resources.

    Elections Infrastructure Information Sharing and Analysis Center

    U.S. Election Assistance Commission

    Global Cyber Alliance (GCA)

    Center for Internet Security