MS-ISAC Reaches 1,000th Member

The Multi-State Information Sharing and Analysis Center (MS-ISAC) is celebrating its 1,000th member – the Village of Boys Town in the state of Nebraska. A unique village, the Boys Town municipality serves a mission of providing care for young men and women through special school programs, foster family services, and more. Since 1917, Boys Town’s mission has been to give at-risk children and families the love, support and education they need to succeed.

This entry was posted in MS-ISAC on September 07, 2016 by Kimberly K

2016 MS-ISAC Mid-Year Review

By: Ben Spear, Senior Cyber Intelligence Analyst

In order to provide greater insight into the state, local, tribal, and territorial (SLTT) cybersecurity landscape we’re sharing some of the insights MS-ISAC gained from the first six months of 2016.

Monitoring Analysis

In the first six months of 2016, MS-ISAC monitored devices generated in excess of 2.76 trillion records for analysis, which resulted in over 20,000 actionable alerts to members. A large portion of these alerts were related to malware infections, with the top culprits being ransomware and click fraud malware associated with the Angler Exploit Kit (EK). As depicted in the chart below, June’s average weekly number of notifications fell to nearly half the activity observed at the start of the year and one-third of the peak activity observed in late March. The blue dashed line shows the overall downward trend in actionable malicious activity.

This entry was posted in MS-ISAC on August 22, 2016 by Kimberly K

Ransomware: Facts, Threats, and Countermeasures

By: Stacey Wright (Intel Program Manager) & Ben Spear (Senior Cyber Intelligence Analyst)


Ransomware is a type of malware that has become a significant threat to U.S. businesses and individuals during the past year. General ransomware incidents surged in 2016 and continue to infect victims with overwhelming success. Most of the current ransomware variants encrypt files on the infected system/network (crypto ransomware), although a few variants are known to erase files or block access to the system using other methods (locker ransomware). Once access to the system is blocked, the ransomware demands a ransom in order to unlock the files, frequently $200 - $1000 in bitcoins, though other currencies, gift cards, and ransoms of several thousand dollars are occasionally reported. Ransomware variants almost always opportunistically target business and home users, infecting an array of devices from computers to smartphones.

Victims are at risk of losing their files, but may also experience financial loss due to paying the ransom, lost productivity, IT costs, legal fees, network modifications, and/or the purchase of credit monitoring services for employees/customers.

This entry was posted in ransomware, MS-ISAC on August 17, 2016 by Kimberly K

MS-ISAC Members: The Most Valuable MS-ISAC Resource

By: Jill Fraser, Intelligence & Analysis Working Group Member

In becoming an MS-ISAC member, the most valuable resource we receive is access to other MS-ISAC members. While there is unarguably a tremendous value in the cyber intelligence and analytics that the MS-ISAC provides, we are obtaining as much value from the intelligence, experience, and relationships the MS-ISAC enables us to build with other members.

This entry was posted in MS-ISAC on August 10, 2016 by Kimberly K

Account Compromises Impacting SLTT Governments

by Meghan Rioux, SOC Analyst


In 2015 the Multi-State Information Sharing and Analysis Center (MS-ISAC) identified approximately 25 online posts, per month, that contained email addresses and passwords belonging to U.S. state, local, tribal and territorial (SLTT) government employees. These posts generally contained plaintext email addresses and passwords, although they sometimes contained hashed passwords or other information. MS-ISAC identified the account information as belonging to SLTT government employees based on the domains in the email addresses. In almost all instances, the leaked credentials were from third-party websites where an SLTT government employee had used their official email address to login to or receive emails from the third-party and it was data from the third-party that had been posted online, not data from the SLTT government.

This entry was posted in Account Compromise, Hashed Data, MS-ISAC, SLTT on January 21, 2016 by MS-ISAC

What is Cyber Threat Intelligence?

by Intel & Analysis Working Group

This blog is the first of several by the Multi-State Information Sharing and Analysis Center’s (MS-ISAC) Intel & Analysis Working Group (I&AWG) on Cyber Threat Intelligence and intelligence analysis. Starting with this blog we will explore what is cyber threat intelligence, and examine what it is used for, its value to MS-ISAC members, the difficulties inherent in developing cyber threat intelligence, and the varying components of intelligence, such as Words of Estimative Probability.

Cyber threat intelligence is what cyber threat information becomes once it has been collected, evaluated in the context of its source and reliability, and analyzed through rigorous and structured tradecraft techniques by those with substantive expertise and access to all-source information. Like all intelligence, cyber threat intelligence provides a value-add to cyber threat information, which reduces uncertainty for the consumer, while aiding the consumer in identifying threats and opportunities. It requires that analysts identify similarities and differences in vast quantities of information and detect deceptions to produce accurate, timely, and relevant intelligence.

This entry was posted in Uncategorized, intelligence analysis, cyber threat intelligence, MS-ISAC on October 26, 2015 by Amanda B