Protecting election registration sites from cyber intrusions
- By Matt Leonard
- Mar 28, 2018
The Center for Internet Security’s newly established Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) plans to deploy intrusion detection sensors to voter registration websites for all 50 states by the 2018 midterm elections, an official told GCN.
The intrusion detection sensors are called Albert sensors, and CIS has been using them on the state and local level since 2010, according to CIS Vice President of Operations Brian Calkin.
The open-source Albert sensors provide automated alerts on both traditional and advanced network threats.
Albert grew out of a Department of Homeland Security's Einstein project, which focuses on detecting and blocking cyberattacks within federal agencies. DHS approached CIS about creating similar capability for states and localities, but since the Einstein name was taken, CIS called it Albert instead.
The first version looked only at NetFlow data, or the IP network traffic, which provides high-level insights. It shows which IP addresses communicate with each other and the amount of data sent between systems, but not what was transmitted, Calkin said.
“You can almost think of it as looking at your phone bill,” he said. “You know that you and I had a conversation, you see my number and your phone number, but you don’t actually know what transpired in the half an hour that we spoke," he said. "NetFlow is very similar.”
Albert ran on NetFlow data for four years until CIS decided “the data wasn’t rich enough to get really solid hits on malicious threats,” Calkin said. In 2014, CIS added full intrusion detection capabilities using Suricata's high-performance intrusion detection engine, which allowed the sensors to run the traffic against a library of about 25,000 malware signatures. New signatures are pushed out to all of the Albert sensors every 12 hours, Calkin said.
If something is picked up by Albert, an alert is sent to the Security Operations Center at the Multi-State Information Sharing and Analysis Center (MS-ISAC) in New York where it is reviewed in person. If the threat turns out to be legitimate, the state or locality where it was detected is contacted. The SOC can also push the information to a ticketing system on the state or local level through an application programming interface
The sensors are placed “at the outermost edge of their network perimeter, but right behind whatever handles their network address translation,” Calkin said. This placement allows the sensors to see the true source IP of the desktop or server reaching out rather than just the public IP address, which would be handling hundreds or thousands or systems, he said.
The data is stored at the MS-ISAC data center in New York, where the more than 200 already-deployed Albert sensors report. Only information related to malicious activity or alerts is stored, and even then it’s saved for only five months.
Amid rising concerns about foreign governments meddling in U.S. elections ahead of the mid-term elections, CIS plans to deploy Albert sensors in any of the states that don’t yet have coverage,” Calkin said. Along with deploying these sensors, the EI-ISAC will be disseminating emerging trends and best practices to election officials across the country.
Albert is already deployed in all 50 states, but not necessarily on election infrastructure. An early CIS analysis shows that about half the states have election systems connected to Albert. The other half are expected to be completed by late spring or early summer, Calkin said.
For the six “bottom up” states where counties handle voter registration, CIS plans to work with the five most populous counties in each of those six states to deploy Albert sensors on the election systems before the midterms, Calkin said.
Matt Leonard is a former reporter for GCN.