Election Security in 2024 Demands Network Visibility

The 2024 election season is upon us, and with it comes a renewed focus on security. IT and security providers for federal and local agencies involved in election processes have a critical responsibility to understand the multifaceted threat landscape facing our democratic institutions.

The federal government formed the US Cybersecurity and Infrastructure Security Agency (CISA) in response to the well-documented, widespread election interference of 2016. Now CISA has sounded the alarm on a daunting number of new threats targeting the 2024 election. The possibility of governments abroad not just actively running misinformation campaigns but also targeting and attacking election systems has been a particular concern for the agency this year. Eric Goldstein, CISA’s executive assistant director for cybersecurity, described “a really difficult cybersecurity environment” that includes “extraordinary advances by nation-state adversaries China, Russia, Iran, North Korea.”

This year, the most likely threats to election integrity and security in the US will be through methods like disinformation, foreign interference, and cybersecurity vulnerabilities. Notable examples of past interference and worrying future threat predictions make it clear that election security needs to be modernized and protected with the most rigorous cybersecurity controls, starting with the need for network visibility, so that election officials can detect threats in their earliest stages.

Election Interference Takes Many Forms

Some of the most jarring examples of breaches to security in past elections include:

• In 2016, Russia executed a multi-pronged election interference effort that included accessing and releasing Democratic emails and scanning voter registration systems in all 50 states for vulnerabilities.
• In 2020, Iranian hackers obtained voter data and used it to send misleading emails.
• In 2022, there were multiple instances in which hackers linked to Iran, China, and Russia connected to election infrastructure, scanned state government websites, and copied voter information, according to a recent declassified report.
• As recently as February 2024, Fulton County in Georgia was the victim of a cyberattack that took many of the county's systems - including election systems - offline, just weeks before the state’s March primary elections.

The ongoing threat of foreign interference looms large. Nation-state adversaries continue to actively target election infrastructure and work to influence electoral outcomes. Security experts have warned for years that foreign governments—namely Russia, China, and Iran—want to undermine and destabilize the US and see elections as a way to accomplish it.

But the threats don’t stop at outside interference; the US has an election infrastructure problem.

The decentralized nature of American elections presents a huge cybersecurity challenge; the voting software, voter registration records, and processes of each election are left up to the local election commissions, and this exponentially expands the attack surface for threat actors.

Add to that widespread instances of outdated software and the fact that many election facilities have not been segregated from the internet, leaving everything from voting systems to polling places vulnerable to attack. Even non-voting systems such as voter registration databases, electronic poll books, and websites that report results are vulnerable because they rely on internet connections. Experts warn that a well-timed ransomware attack could lock up computers that hold critical election data until payments are made or systems are restored from backups.

CISA has highlighted key election infrastructure assets most commonly targeted by threats like phishing, ransomware, and distributed denial-of-service (DDoS) attacks that could be a target during the 2024 election cycle.

• Voter information: Threat actors may try to compromise or manipulate electronic poll books and voter registration databases in an attempt to cause confusion or delay voting.
• Websites: Threat actors often target state and local websites with DDoS, phishing, and ransomware attacks.
• Email systems: Threat actors use phishing as the preferred vector with which to target state and local email systems.
• Networks: Threat actors commonly use phishing or malware to infiltrate state and local networks that election offices rely on for regular business functions. Hostile and manipulative nation state actors often make networks the focal point of an attack because networks can be integral in transmitting election results information.

Mitigating Election Security Threats

CISA provides a basic toolkit that almost any organization can implement as a checklist of preventative measures at a minimum. Organizations that score high on CISA's risk assessment survey (which identifies and prioritizes risks and threats to election systems) should consider exploring additional security solutions that go beyond preventative and perimeter measures to mitigate the risks of targeted cyberthreats, because the network will always be the focus of hostile attacks.

CISA specifically calls out election networks as a critical point of protection:

Network infrastructure underpins and enables a variety of functions necessary to the successful conduct of elections. These may include election infrastructure networks that store, host, or process voter registration information and tools, public election websites, and voter lookup, as well as other state and local business functions that may or may not be connected to election networks.

The Role of Network Detection and Response (NDR) in Election Security

One of the principal tools to increase visibility and effectively defend networks is network detection and response (NDR). Threat actors can breach preventative security protocols like firewalls or exploit an unpatched software vulnerability, whether through zero day exploits or phishing attacks. Once an intrusion is successful and the perimeter is breached, it’s only a matter of time before adversaries move laterally across the network to execute ransomware, steal data, or manipulate tallying data. Eliminating blind spots and responding to threats in their earliest stages is critical to minimize impact. NDR tools can detect and stop sophisticated attacks before they do real damage and cause widespread disruption.

NDR alone provides ubiquitous visibility into the networks on which elections are conducted. Even sophisticated EDR tools and agents, in general, cannot be placed on nearly all endpoint voting machines. NDR, properly configured and deployed, will be able to monitor, observe, and detect all attacks propagating on the network, giving defenders the opportunity to stop attackers before they reach their objectives.

The ExtraHop RevealX™ network detection and response platform can play a crucial role in identifying and mitigating cyber threats to election infrastructure in several key ways.

1. Prevent lateral movement across the network: As CISA notes, election systems are often connected to government networks; if a threat actor is able to gain access, they can make their way to other connected assets. RevealX specializes in detecting post-compromise activity like network reconnaissance, privilege escalation, and lateral movement. It can detect living-off-the-land attacks that make use of native functionality to stay under the radar. It can also detect reconnaissance done through MSRPC to query domain admins, session enumeration, and PowerView, as well as find DCSync and PsExec activity that attackers use to move laterally in Windows environments.
2. Help election officials detect bad actors: RevealX can detect anomalous behavior indicative of cyberattacks, such as unauthorized access attempts or suspicious data exfiltration, making it easier to identify attempts to tamper with election infrastructure, steal voter registration data, or install ransomware. For instance, the ExtraHop platform detects and flags network irregularities, including the unique CIFS/SMB WRITE operations and file changes that are associated with ransomware.
3. Highlight suspicious connections: ExtraHop automatically discovers and classifies endpoint devices that are actively communicating over your network, including clients, servers, routers, and gateways. This means RevealX can be used to discover any unauthorized, external, or otherwise suspicious connections to endpoint voting devices or endpoint tallying systems.
4. Accelerate threat detection: National election stakes are high and speed matters. RevealX looks at everything communicating across the network, which helps teams gain complete visibility and enables real-time detection across all assets. Cloud-scale machine learning speeds up the ability to analyze behavior and detect threats. Overall, RevealX can reduce threat detection time by 83%.
5. Streamline investigation and response: RevealX significantly speeds up incident response time, which is a critical capability when the integrity of democratic processes is at stake. RevealX makes it easy to map detections to frameworks like MITRE ATT&CK and gain context into the attack kill chain with related detections, can help speed up investigations with AI-enhanced investigation workflows, and offers mitigation recommendations based on AI-powered mitigation response options.

Safeguarding the integrity of elections in the United States is crucial to the security of the US and the confidence that we have in our federal government. By leveraging advanced cybersecurity tools like RevealX, IT and security practitioners can enhance the resilience of election infrastructure and mitigate the risks posed by foreign interference, vulnerabilities, and sophisticated cyberattacks. As we navigate the 2024 election season, prioritizing election security is paramount to upholding the principles of democracy and ensuring the trust and confidence of the American electorate.