
Multi-State ISAC Procedures and Protocols for Cyber Alert Indicator


What is the Alert Indicator?

The Alert Indicator shows the current level of malicious cyber activity and reflects the potential for, or the actual extent of, damage. The indicator consists of 5 levels:

Alert Indicator Green or Low

At this level, insignificant or no malicious activity has been identified.


Examples:

  • Credible warnings of increased probes or scans.
  • Infected by known low-risk malware.
  • Other similar incidents.
  • Normal activity with a low level of impact.


Actions:

  • Continue routine preventative measures including application of vendor security patches and updates to anti-virus software signature files on a regular basis.
  • Continue routine security monitoring.
  • Determine the baseline of activity for the State.
  • Ensure personnel receive proper training on cyber security policies and security best practices.


Notification:

  • Notification via the Multi-State ISAC’s web site will be done concurrently with the Alert Level change.

Alert Indicator Blue or Guarded

At this level, malicious activity has been identified with minor impact.

Examples:

  • Change in normal activity with a minor level of impact.
  • A vulnerability is being exploited and there has been minor impact.
  • Infected by malware with the potential to spread quickly.
  • Compromise of non-critical system(s) that did not result in loss of sensitive data.
  • A distributed denial of service attack with minor impact.
  • Data exposure with minor impact.


Actions:

  • Continue recommended actions from the previous level.
  • Identify vulnerable systems and implement appropriate counter-measures.
  • Identify malware on systems and remediate accordingly.
  • When available, test and implement patches, install anti-virus updates, etc. in next regular cycle.
  • Contact MS-ISAC for any additional guidance.


Notification:

  • Notification via Multi-State ISAC’s web site will be done concurrently with the Alert Level change.


Alert Indicator Yellow or Elevated

At this level, malicious activity has been identified with a moderate level of damage or disruption.

Examples:

  • An exploit for a vulnerability that causes a moderate level of damage.
  • Compromise of secure or critical system(s).
  • Compromise of systems containing sensitive or non-sensitive information.
  • More than one entity (agency) affected in your network with a moderate level of impact.
  • Infected by malware that is spreading quickly throughout the Internet with moderate impact.
  • A distributed denial of service attack with moderate impact.
  • Data exposure with moderate impact.


Actions:

  • Continue recommended actions from previous levels.
  • Identify vulnerable systems.
  • Increase monitoring of critical systems.
  • Contact MS-ISAC SOC for additional guidance.
  • If this event is APT activity, steps other than the ones listed must be taken. Please contact the MS-ISAC SOC for guidance.
  • Immediately implement appropriate counter-measures to protect vulnerable critical systems.
  • When available, test and implement patches, install anti-virus updates, etc. as soon as possible.


Notification:

  • Notification via Multi-State ISAC’s web site will be done concurrently with the Alert Level change.
  • Depending on the severity of the event, there is a possibility of a conference call with the membership.



Alert Indicator Orange or High

At this level, malicious activity has been identified with a major level of damage or disruption.

Examples:

  • Malicious activity impacting core infrastructure.
  • A vulnerability is being exploited and there has been major impact.
  • Data exposed with major impact.
  • Multiple system compromises or compromises of critical infrastructure.
  • Attackers have gained administrative privileges on compromised systems.
  • Multiple damaging or disruptive malware infections.
  • Mission critical application failures but no imminent impact on the health, safety or economic security of the State.
  • A distributed denial of service attack with major impact.


Actions:

  • Continue recommended actions from previous levels.
  • Contact MS-ISAC SOC for additional guidance.
  • If this event is APT activity, steps other than the ones listed must be taken. Please contact the MS-ISAC SOC for guidance.
  • Closely monitor security mechanisms including firewalls, web log files, anti-virus gateways, system log files, etc. for unusual activity.
  • Consider limiting or shutting down less critical connections to external networks such as the Internet.
  • Consider isolating less mission critical internal networks to contain or limit the potential of an incident.
  • Consider use of alternative methods of communication such as phone, fax or radio in lieu of e-mail and other forms of electronic communication.
  • When available, test and implement patches, anti-virus updates, etc. immediately.


Notification:

  • Notification to the Multi-State ISAC via telephone or secure portal e-mail will be given when a State upgrades its Alert Level to Orange (High).
  • Notification via the Multi-State ISAC’s web site will be done concurrently with the Alert Level change.
  • Notification via secure portal e-mail will be sent to the States when any state or the national alert level is raised to Orange (High).
  • A conference call with the membership will occur as soon as possible, and no later than 24 hours after the alert level change.



Alert Indicator Red or Severe

At this level, malicious activity has been identified with a catastrophic level of damage or disruption(s).

Examples:

  • Malicious activity results in widespread outages and/or complete network failures.
  • Data exposure with severe impact.
  • Significantly destructive compromises to systems, or disruptive activity with no known remedy.
  • Mission critical application failures with imminent impact on the health, safety or economic security of the State.
  • Compromise or loss of administrative control of critical systems.
  • Loss of critical supervisory control and data acquisition (SCADA) systems.


Actions:

  • Continue recommended actions from previous levels.
  • Contact MS-ISAC SOC for additional guidance.
  • If this event is APT activity, steps other than the ones listed must be taken. Please contact the MS-ISAC SOC for guidance.
  • Shut down connections to the Internet and external business partners until appropriate corrective actions are taken.
  • Isolate internal networks to contain or limit the damage or disruption.
  • Use alternative methods of communication such as phone, fax or radio as necessary in lieu of e-mail and other forms of electronic communication.


Notification:

  • Notification via secure portal e-mail, telephone, pager, or fax will be given when a State upgrades its Alert Level to Red (Severe).
  • Notification via the Multi-State ISAC’s web site will be done concurrently with the Alert Level change.
  • Notification to the States via secure portal e-mail or telephone to set up a conference call when the Multi-State ISAC upgrades the national alert level to Red (Severe).
  • A conference call with the membership will occur as soon as possible, and no later than 24 hours after the alert level change.