Cybersecurity Toolkit and Resources to Protect Elections
A toolkit including free tools, services, and resources provided by CISA, JCDC members, and others across the cybersecurity community.
As the lead federal agency responsible for national election security, CISA—through the Joint Cyber Defense Collaborative (JCDC)—has compiled a toolkit of free services and tools intended to help state and local government officials, election officials, and vendors enhance the cybersecurity and cyber resilience of U.S. election infrastructure.
How To Use This Toolkit
FIRST, use the Election Security Risk Profile Tool to assess your risk. The tool, developed by CISA and the U.S. Election Assistance Commission, can help state and local election officials understand the range of risks they face and how to prioritize their mitigation efforts. With this tool, you can:
- Address areas of greatest risk.
- Ensure that technical cybersecurity assessments and services are meeting critical needs.
- Gain a sound analytic foundation for managing election security risk with key partners at the federal, state, and local level.
SECOND, review the items below. These are the election infrastructure assets most commonly targeted by phishing, ransomware, and distributed denial-of-service (DDoS) attacks.
- Voter information: Threat actors may try to compromise or manipulate electronic poll books and voter registration databases in an attempt to cause confusion or delay voting.
- Websites: Threat actors often target state and local websites with DDoS, phishing, and ransomware attacks.
- Email systems: Threat actors use phishing as the preferred vector with which to target state and local email systems.
- Networks: Threat actors commonly use vectors, such as phishing or malware, to infiltrate state and local networks that election offices rely on for regular business functions.
THIRD, review this toolkit for the tools and services that correspond to the election infrastructure asset(s) you need to secure. The services and tools are aligned with the Protect and Detect functions of the NIST Cybersecurity Framework. Protect outlines safeguards to ensure the delivery of critical services, and Detect defines activities to identify the occurrence of a cybersecurity event.
Note: This toolkit is not comprehensive. CISA applies neutral principles and criteria to add items and maintains sole and unreviewable discretion over the determination of items included. CISA does not attest to the suitability or effectiveness of these services and tools for any particular use case. CISA does not endorse any commercial product or service. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.
Preliminary Actions to Defend Against Common Cyber Threats:
Before using the toolkit to address specific threats, take the following actions to establish your cybersecurity baseline:
- Implement free CISA Cyber Hygiene Services Vulnerability Scanning.
- Keep systems and software updated and prioritize remediating known exploited vulnerabilities.
- Follow password best practices (e.g., enforce multifactor authentication and use a password manager).
- Make and secure offline backups of data.
Once you understand your risks and capability gaps, use the below resources to learn more about how you can better protect against cybersecurity threats.
How Resources Are Categorized
The resources featured in this toolkit are grouped based on three threat categories:
- Phishing
- Ransomware
- Distributed Denial of Service
Officials seeking to secure election infrastructure should carefully review each section to identify tools and services appropriate to address their primary risks.
Category 1: Phishing
Step 1: Understand Phishing Attacks
Phishing attacks use email, text messaging, social media, and/or malicious websites to solicit personal information or to trick individuals into downloading malicious software. Cyber threat actors often use elections and political events to capture attention and lure recipients into clicking a link or downloading a file that contains malicious code. Election officials are often required to open email attachments, which could contain malicious payloads, to facilitate election administration processes (e.g., absentee ballot applications).
Step 2: Protect Against Phishing Attacks
Election Security Risk in Focus: Phishing
CISA’s free training on phishing details phishing types, detection, and impacts with an emphasis on election infrastructure-related risks and available resources.
Cisco OpenDNS Home
OpenDNS blocks phishing websites that try to steal a user/organization identity and login information by pretending to be a legitimate website.
Cloudflare DNS resolver with malware filter
Cloudflare DNS resolver with malware filter is a private and fast DNS resolver that prevents user/organization devices from accessing known malware threats.
Quad9
Quad9’s DNS platform is designed to prevent computers and devices from connecting to malware or phishing sites.
Secureworks PhishInSuits
The Secureworks Adversary Group and Counter Threat Unit research team developed the PhishInSuits tool to conduct security assessments and test control frameworks against scenarios such as business email compromise (BEC) attacks.
Step 3: Detect Phishing Attacks
Google Safe Browsing
This toolset identifies known phishing and malware across the web and helps notify users and website owners of potential harm. It is integrated into many major products and provides tools to webmasters.
CrowdStrike Hybrid Analysis
Inspects items using 70+ antivirus scanners and URL/domain blocklisting services to extract signals from the studied content. Users can select files from their computer via the browser and send them to VirusTotal.
Google VirusTotal
VirusTotal inspects items with more than 70 antivirus scanners and URL/domain blocklisting services, in addition to a variety of other tools, to extract signals from the studied content.
Category 2: Ransomware
Step 1: Understand Ransomware Attacks
Ransomware is malicious software designed to deny access to computer systems or data. In a ransomware attack, the ransomware actor encrypts systems and/or data, rendering them inaccessible to owners and users. In some cases, data is also taken (exfiltrated) from the user’s computer or network. The actor demands payment to decrypt the systems and/or data. However, paying this ransom does not guarantee the user will regain access to their systems and/or data; these assets can be permanently lost or leaked.
For elections, a ransomware attack could leak or deny access to voter registration data, unofficial results reporting, and other sensitive information. It could also inhibit access to important election systems during critical operational periods, such as registration and candidate filing deadlines.
Step 2: Protect Against Ransomware Attacks
CISA Free Ransomware Services
CISA offers free services and training to protect organizations against ransomware.
Microsoft controlled folder access/ransomware protection in Windows
Controlled folder access in Windows helps protect against threats like ransomware by safeguarding folders, files, and memory areas on the device from unauthorized changes by unfriendly applications.
Microsoft Windows Backup and Restore
This tool sets up automatic backups of Windows 10 and 11 operating systems to an external drive or network location.
Zscaler’s Ransomware Risk Assessment
Assesses an organization’s ability to (1) counteract a ransomware infection and its spread and (2) resume operations after an infection. Scans defenses against ransomware-specific intrusion, lateral movement, and exfiltration methods.
Google Drive for desktop
This tool backs up files on Windows or Mac computers. Note: It does not allow users to restore their system; it only saves copies of files.
Google Chrome OS and Chromebooks
Chrome OS is a cloud-first platform that provides protection against ransomware by default through built-in proactive security measures such as safe browsing practices, blocking executables, and automatic data and file backups.
Microsoft Defender Antivirus in Windows
Built into Windows 10 and 11 and in versions of Windows Server, this tool is used to protect and detect endpoint threats, including file-based and fileless malware.
Cisco ClamAV
An open-source antivirus engine used in a variety of situations, including email and web scanning and endpoint security. Provides a flexible, scalable multithreaded daemon, a command-line scanner, and an advanced tool for automatic database updates.
Step 3: Detect Ransomware Attacks
Google Security Command Center
This tool helps users strengthen their security posture by evaluating their security and data attack surface; providing asset inventory and discovery; identifying misconfigurations, vulnerabilities, and threats; and mitigating and remediating risks.
Microsoft Safety Scanner
Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. It can run scans to find malware and try to reverse changes made by identified threats.
AWS GitHub Security Assessment Tool
An AWS tool to help you create a point-in-time assessment of your AWS account using Prowler and Scout, as well as optional AWS-developed ransomware checks.
Cisco Snort
This network intrusion detection and prevention system conducts traffic analysis and packet logging on Internet Protocol (IP) networks.
Category 3: Distributed Denial of Service (DDoS) Attacks
Step 1: Understand DDoS Attacks
DDoS attacks on election infrastructure can hinder access to voting information. A DDoS attack occurs when malicious cyber actors flood a public-facing, internet-accessible server with requests, rendering the targeted server slow or inaccessible. This prevents users from accessing online resources, such as web pages and online accounts, and may disrupt an organization’s activities for a period of time, potentially hindering voters’ ability to access voting information or unofficial election results.
For more information on DDoS attacks, please see CISA’s DDoS Quick Guide.
Step 2: Protect Against DDoS Attacks
Cloudflare DDoS Protection
Cloudflare provides unmetered and unlimited DDoS protection through their Autonomous DDoS Protection Edge, which automatically detects and mitigates DDoS attacks.
Cloudflare DNS
Cloudflare provides fast and secure managed Domain Name System (DNS) as a built-in service on its network. When users/organizations use Cloudflare DNS, all DNS queries for user/organization domains are answered by Cloudflare’s global Anycast network.
Cloudflare HTTPS Encryption (Secure Sockets Layer [SSL]/Transport Layer Security [TLS])
This tool offers free SSL certificates to keep user data secure, verify ownership of the website, prevent attackers from creating a fake version of the site, and gain user trust.
Google reCAPTCHA
reCAPTCHA uses an advanced risk analysis engine and adaptive challenges to keep malicious software from engaging in abusive activities on a user’s website.
Google Jigsaw Project Shield
Project Shield is a free service that defends news, human rights, and election-monitoring sites from DDoS attacks.
Lumu Technologies Lumu Free
Lumu Free offers continuous monitoring across the network by leveraging multiple sources of metadata (DNS, proxy, firewall). Organizations can uncover contact with malicious infrastructure, enabling threat mitigation and attack prevention.
Let's Encrypt
This tool provides a free digital certificate to enable HTTPS (SSL/TLS) for websites. While Let’s Encrypt provides a free way to enable HTTPS, its lack of enterprise support may require internal support from jurisdictions.
Step 3: Detect a DDoS Attack
Cloudflare Web Analytics
Cloudflare’s built-in analytics give users/organizations deeper insights into their traffic patterns, threats observed (and blocked), and other information found in the dashboard.
Cloudflare Logs
Cloudflare provides access to detailed logs of HTTP requests for a domain. Logs are typically used for debugging, identifying configuration adjustments, and creating analytics.
Cloudflare Rate Limiting
Cloudflare Rate Limiting automatically identifies and mitigates excessive request rates for specific URLs or for an entire domain.
Additional CISA & Partner Cybersecurity Resources
In addition to this toolkit, CISA offers other election cybersecurity resources, such as guidance documents, reports, infographics, and free basic cyber hygiene tools:
- Election Infrastructure Security webpage. CISA’s primary hub for election security announcements, resources, and materials.
- Free Cybersecurity Services and Tools webpage. A general toolkit of free cybersecurity services compiled by CISA to help critical infrastructure owners and operators further advance their cybersecurity capabilities.
- CISA Tabletop Exercises Packages. A comprehensive set of resources designed to assist stakeholders in conducting their own exercises.
- Automated Indicator Sharing. Automated Indicator Sharing is a CISA capability that enables the real-time exchange of machine-readable cyber threat indicators and defensive measures.
- Cyber Guidance for Small Businesses. CISA has compiled the top cybersecurity tasks for IT leads and their staff, including enforcing multifactor authentication for all users, keeping systems patched, and monitoring CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
Enhancing the cybersecurity and cyber resilience of U.S. election infrastructure is a partnership; CISA’s election security partners offer the following free resources.
MS-ISAC and EI-ISAC Resources
The Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) provide no-cost services to secure U.S. election infrastructure. MS-ISAC is the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities, and the EI-ISAC supports the rapidly changing cybersecurity needs of U.S. elections offices.
Membership in the Multi-State ISAC is free and open to all state, local, tribal, and territorial government organizations.
Membership in the Elections Infrastructure ISAC is free and open to all state, local, tribal, and territorial government organizations that support U.S. elections.
- EI-ISAC Membership Registration
- 24/7 Security Operations Center (SOC) and Cyber Incident Response Services
- SecureSuite Membership
- MS-ISAC Malicious Code Analysis Platform (MCAP)
- MS-ISAC Real-Time Indicator Feeds
- Albert Network Monitoring
U.S. Election Assistance Commission
Global Cyber Alliance (GCA)
Center for Internet Security
Additional Tools for Election Security
The following tools and services can help:
- Reduce the likelihood of a damaging cyber incident.
- Quickly detect a potential intrusion.
- Support preparation and response efforts if an intrusion does occur.
- Maximize an organization’s resilience to a damaging cyber incident.
Microsoft AccountGuard
Microsoft AccountGuard is a cybersecurity service that adds an extra layer of protection against nation-state-sponsored attackers for election organizations. AccountGuard protects both the professional and personal email accounts of staff.
Cloudflare Anycast Content Delivery Network
The Cloudflare Anycast Content Delivery Network quickly routes incoming traffic to the nearest data center with the capacity to process the request efficiently, handling surges in web traffic due to registration deadlines and election result updates.
Cloudflare Web Application Firewall
The Cloudflare Web Application Firewall (WAF) provides both automatic protection from vulnerabilities and the flexibility to create custom rules.
Google GRR Rapid Response
GRR Rapid Response is an incident response framework focused on remote live forensics. The goal of GRR is to support forensics and investigations in a fast, scalable manner to allow analysts to quickly triage attacks and perform analysis remotely.
Microsoft BitLocker for Windows
This tool encrypts Microsoft Windows systems.
Microsoft Windows Malicious Software Removal Tool
This tool is released by Microsoft on a monthly basis as part of Windows Update or as a stand-alone tool. It can be used to find and remove specific prevalent threats and reverse the changes they have made.
Guardicore Infection Monkey
Infection Monkey is an open-source tool for breach and attack analysis that tests a data center’s resiliency to perimeter breaches and internal server infections.
Cloudflare - Zero Trust Products
Cloudflare offers educational resources and guides on implementing Zero Trust security principles, its benefits, and practical steps for organizations to adopt Zero Trust architectures to enhance their cybersecurity posture.
Recorded Future Express and Recorded Future Sandbox
Recorded Future offers several free cybersecurity tools and resources to aid organizations in enhancing their security posture; stay informed about emerging threats, vulnerabilities, and attack techniques; and provide insights into threat actors.