A new automated data feed that helps defend state and local government computer systems from cyberattacks and rapidly blocks threats across state lines reduced cyber defense time from some three days to less than three minutes in a successful pilot program across four states.

Under the live pilot on active government systems, Louisiana, Massachusetts, Texas, the state of Arizona and Maricopa County, Arizona, together with the Multi-State Information Sharing and Analysis Center (MS-ISAC), effectively flagged indicators of a cyberattack and rapidly blocked traffic to and from threatening IP addresses, domains and files across the shared network markedly faster than current manual processes.

Led by the Johns Hopkins University Applied Physics Laboratory (APL), in Laurel, Maryland, the one-year trial, “Indicators of Compromise Automation Pilot,” was funded by a grant from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) in partnership with the four states and the CISA-funded MS-ISAC, a key U.S. cybersecurity resource for state, local, tribal and territorial (SLTT) governments.

During the pilot, one participating state received threat information fast enough to preemptively block and protect its network from 270,000 attacks on the day the source was first observed, and from half a million attacks over multiple days.

Sharing information at this speed across state lines defended government systems from a range of attacks, including malware, ransomware and spear phishing.

“Too often, state and local governments learn of an attack after it has infiltrated their systems,” said APL's Charles Frick, the pilot’s principal investigator. “The new automated feed not only delivers actionable cyber threat intelligence and successful defense, but it also frees up network security personnel to address the most complex cyber threats.”

The pilot feed may serve as a model for other states and local governments to quickly and easily augment their cyber defense capabilities. MS-ISAC is working with CISA and APL to make the feed more consumable and is preparing to offer it to its members across the nation. The pilot feed remains available to the states that participated in the pilot and is in active use for cyber defense.

The pilot builds on previous APL research and testing in critical infrastructure industries that demonstrated that automated information sharing can shore up cyber defenses by drastically reducing response time, using a process called the Integrated Adaptive Cyber Defense (IACD) framework developed by APL.

The “Indicators of Compromise Automation Pilot” applied security orchestration, automation and response (SOAR) tools that collect threat data from multiple sources and perform automated triage response dramatically faster than manual processes. The trial’s key goals were to integrate end-to-end cyber-defense responses from sensing to acting within minutes, and to define consistent procedures and information sharing across state and local governments.

The new automated feed is “low regret,” meaning a government agency can allow the automatic blocking of an indicator of compromise with confidence that it poses a malicious threat and near certainty that the automated block will not disrupt operations.

Frick added that the successful technique used in the pilot could be modeled to protect infrastructure across other sectors, including financial services, transportation, energy and more.

With the one-year pilot, APL collected a large amount of data and results to make available as industry guides and best practices to impacted sectors, including state and local governments and the critical infrastructure community.