Free MS-ISAC Services for Local Governments Kateri Gill October 4, 2017 You Are Not Alone


Free MS-ISAC Services for Local Governments

Kateri Gill

October 4, 2017

You Are Not Alone

TLP: WHITE

Center for Internet Security

Multi-State Information Sharing and Analysis Center

The MS-ISAC is the focal point for cyber threat prevention, protection, response and recovery for the nation's SLTT governments.

Who We Serve

MS-ISAC Members include:
• All 56 US States and Territories
• All 79 federally recognized fusion centers
• More than 1,400 local governments and tribal nations

State, Local, Tribal, and Territorial

Cities, counties, towns, airports, public education, police departments, ports, transit associations, and more

About MS-ISAC Membership

Free and Voluntary

No Mandated Information Sharing

One Membership Document Required

To join or get more information: https://msisac.cisecurity.org/members/register

ISACs (Information Sharing and Analysis Centers)

Created via PDD 61, May 22, 1998, to allow the private sector to come together, share information, perform analysis, and respond to incidents

[Figure: ISAC logos, including Legal Services and EMR-ISAC]

Intelligence Sources

• 24 x 7 monitoring
• Analysis of ~750 billion logs/month
• Integration with federal agencies via the NCCIC, NCIJTF
• Trusted private companies
• Constant contact with all ISACs

Information Sharing and Analysis Centers:
Research and Education; Oil and Gas; Emergency Management and Response; Healthcare Ready; Communications; Financial Services; Information Technology; Surface Transportation, Public Transportation, & Over-the-Road Bus; Automotive; Supply Chain; Water Sector; Maritime; Downstream Natural Gas; Defense Industrial Base; ICS; Real Estate; Aviation; Public Transit; Electricity; Multi-State; Legal Services; Defense Security Information Exchange; National Health; Retail

Why Government?

Criminals look for data... and governments have a lot of it!


“There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.”

- Robert S. Mueller III, Director of the FBI (2001-2013) March 2, 2012

24 x 7 Security Operations Center

Central location to report any cybersecurity incident

• Support:
  – Network Monitoring Services
  – Research and Analysis
• Analysis and Monitoring:
  – Threats
  – Vulnerabilities
  – Attacks
• Reporting:
  – Cyber Alerts & Advisories
  – Web Defacements
  – Account Compromises
  – Hacktivist Notifications

To report an incident or request assistance:
Phone: 1-866-787-4722
Email: [email protected]

Computer Emergency Response Team

• Incident Response (includes on-site assistance)
• Network & Web Application Vulnerability Assessments
• Malware Analysis
• Computer & Network Forensics
• Log Analysis
• Statistical Data Analysis
• Penetration Testing

To report an incident or request assistance:
Phone: 1-866-787-4722
Email: [email protected]

What is an “Incident”?

As defined by PPD41: An event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.

Examples:
• Phishing
• Network Intrusion
• DDoS
• Ransomware

After Action Review

• Who, What, Why, Where and How it Happened
• The Good, The Bad, and The Ugly
• Incident Response Plan
• Training
• Documentation


MS-ISAC Advisories

Monitoring of IP Range & Domain Space

IP Monitoring
• IPs connecting to malicious C&Cs
• Compromised IPs
• Indicators of compromise from the MS-ISAC network monitoring (Albert)
• Notifications from Spamhaus

Domain Monitoring
• Notifications on compromised user credentials, open source and third party information
• Vulnerability Management Program (VMP)

Send domains, IP ranges, and contact info to: [email protected]

Vulnerability Management Program

What Data Are We Collecting?
• Server type and version (IIS, Apache, etc.)
• Web programming language and version (PHP, ASP, etc.)
• Content Management System and version (WordPress, Joomla, Drupal, etc.)

Email notifications are sent with 2 attachments containing information on out-of-date and up-to-date systems:
• Out-of-Date systems should be patched/updated and could potentially have vulnerabilities associated with them
• Up-to-Date systems have the most current patches

Time-to-Patch

[Chart: % of Patched WordPress Instances Following a New Version; legend: 2015, 2016; x-axis: Week 1 to Week 6]

Data labels, Week 1 to Week 6, in the order extracted:
54.60%, 59.24%, 61.40%, 62.70%, 64.72%, 65.63%
78.65%, 80.72%, 81.63%, 81.69%, 81.98%, 82.02%

Malicious Code Analysis Platform

A web based service that enables members to submit and analyze suspicious files in a controlled and non-public fashion

• Executables
• DLLs
• Documents
• Quarantine files
• Archives

To gain an account contact: [email protected]


MS-ISAC Cyber Alerts


MS-ISAC Intel Papers

National Webcasts

A collaborative effort between DHS and MS-ISAC to provide timely and relevant cybersecurity education and information

• The Working Cloud: Tackling the Security Risks (June 22, 2017)
• The Expanding Attack Surface (April 2017)
• Cybersecurity While Traveling (February 2017)
• Cybersecurity Year in Review and 2017 Preview (December 2016)
• National Cybersecurity Awareness Month – Be a Part of Something Big (October 2016)
• State and Local Roundtable – Effective Cyber Disruption Strategies (August 2016)

https://msisac.cisecurity.org/webcast/

Monthly Newsletter

Distributed in template form to allow for re-branding and redistribution by your agency


Cybersecurity Awareness Toolkit

HSIN Community of Interest

Access to:
• MS-ISAC Cyber Alert Map
• Archived webcasts & products
• Cyber table top exercises
• Guides and templates
• Message boards


Weekly Malware IPs and Domains


Machine-to-Machine indicator transfer

Anomali

To gain an account contact:

[email protected]

Nationwide Cyber Security Review (NCSR)

A voluntary self-assessment survey designed to evaluate cyber security management within SLTT governments

October 1 – November 30

All states (and agencies within), local government jurisdictions (and departments within), tribal and territorial governments can participate.

https://www.cisecurity.org/ms-isac/services/ncsr

Network Monitoring (Albert)

• SLTT focus
• 24x7x365 research, analysis, and support
• Signatures unique to SLTT governments
• Integration of research on specific attacks and actors, including nation-state actors (APT)
• Real-time information sharing with FSLTT partners
• Experienced cybersecurity analysts who review each event, minimizing the number of false-positive notifications

Additional Benefits

• Situational Awareness Resources
• Insider access to federal information
• Product and Training Discounts
• Cybersecurity Exercise Participation
• Workgroups
• Webcasts

Federal Resources Free to State and Locals

• Cyber Resiliency Review
• Stop.Think.Connect
• FedVTE and FedVTE Live!


Questions?


Kateri Gill

Program Specialist

518-880-0779

[email protected]

MS-ISAC 24x7 Security Operations Center

1-866-787-4722

[email protected]