Sitroom Workflow
Slack Coordination
The Slack Channel “soc_elections_coordination” coordinates operations between the EI-ISAC, CTI, and SOC.
CTI and SOC personnel are responsible for responding to member reports in the sitroom and assisting with removing attendee rights. At least one SOC/CTI staffer should continually monitor the room. If an analyst needs to step away from their computer, they must coordinate with other staff to ensure continued room coverage.
Every hour, export a copy of the chat (if there are new messages) into a document using the file path provided before the election. See Custom Chat Pod for more information on how to export the chat.
If inappropriate content is put into the chat (doxxing, malicious links, etc.), save a copy of the chat and clear the chat as quickly as possible (select the menu button for the chat pod and click “clear chat.”)
If there are extended periods with no reported activity, room staff should periodically (every 2-3 hours) post the following message:
Automatic Presenter Role

When an attendee moves into the sitroom, they gain presenter role access rights, as shown to the right. As of March 2023, this is a default feature of Adobe Connect and cannot be changed.
It is essential to immediately remove these rights, as attendees can edit the note pods and “stop sharing” in the share pods.
Removing Presenter Rights
To remove these rights, you must be in list view AND the same room as the attendee.

In the list view, select the attendee’s name, and uncheck each of the options shown to the right.
Selecting “enhance rights” will open a new window displaying additional rights to revoke.
Acknowledging Reports
Acknowledge the message in both the Open Chat and the Private Chat, even if the member report is “for your awareness” and no action is required.
If a report is shared in the private chat, acknowledge the report and also share an anonymized version of the report in the Open Chat (ex: “A local election office reported scanning from…”).
If the report requires a follow-up, let the attendee know in the chat that you will contact them via email (or phone) for further detail. Do not ask them to send an email, and do not ask them to put more detail in the chat.
- Create a ticket for the report.
  - Agency: the attendee’s agency (if they are a Federal partner, the agency related to the report).
  - Elections Related: YES.
  - Ticket Type: likely “Reported: <Most accurate option to report.>”
  - Subject: “SIT ROOM REPORT: xxxx”
- Reach out to the attendee no later than one hour after their original message. The email should use the same subject line as the ticket and CC the following contacts:
  - SOC_Supervisor.dl
  - ElectionOps.dl
  - MSISAC-LNO.dl
Updating The IOCs and Highlights Pods
The IOCs Pod and Highlights Pod are updated after every member report, including reports sent via email or phone call. Member-identifying information is removed from these pods (this makes the content more shareable). Descriptions such as “a local election office” or “a state election office” are used to give context to who reported the incident.
IOCs should be scrubbed of context (i.e., do not identify which election office they came from) and added to the correct tab in the Excel document (hashes, IPs, domains, etc.). Prior to adding an updated document, delete the old one (hover over it and click the “x”).
The “As of” time in both pods should be updated whenever the content is updated. The time is updated at the top of the hour if there have been no reports.
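The scrubbing and tab-sorting steps above are easy to get wrong by hand under time pressure, so the following is an added helper (example code, not part of the original workflow document or any CIS/EI-ISAC tooling). It takes a constructed member report, redacts the reporting office’s identifying strings from the free-text summary, prefixes the summary with the generic “a local/state election office” label, and sorts each indicator into the tab it belongs in. The tab names (hashes, ips, domains, urls), the report field names and the sample data are all assumptions for illustration; anything that does not classify is kept under “unknown” for a human to place rather than silently dropped.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed tab names for the IOC workbook; adjust to the real document's tabs.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)
URL_RE = re.compile(r"^https?://", re.I)

# Generic labels used in place of the member's name in the Highlights Pod.
LEVEL_LABELS = {
    "local": "a local election office",
    "state": "a state election office",
    "federal": "a federal partner",
}


def classify_ioc(value):
    """Return the workbook tab an indicator belongs in, or 'unknown'."""
    v = value.strip()
    # Undo common defanging so "hxxp://" and "1.2.3[.]4" still classify correctly.
    v = v.replace("[.]", ".").replace("hxxp", "http")
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HASH_LENGTHS:
        return "hashes"
    if IPV4_RE.match(v):
        return "ips"
    if URL_RE.match(v):
        return "urls"
    if DOMAIN_RE.match(v):
        return "domains"
    return "unknown"


def scrub_report(report, now=None):
    """Produce the shareable form of a member report.

    Member-identifying strings listed in report["identifiers"] are redacted from
    the summary, the reporter is described only by level, and each IOC is placed
    in its tab. The 'as_of' stamp is the time the pods were updated.
    """
    label = LEVEL_LABELS[report["reporter_level"]]
    summary = report["summary"]
    for ident in report.get("identifiers", []):
        summary = re.sub(re.escape(ident), "[redacted]", summary, flags=re.I)

    tabs = defaultdict(list)
    for ioc in report["iocs"]:
        tabs[classify_ioc(ioc)].append(ioc.strip())

    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%d %H:%M UTC")
    return {
        "highlight": f"{label[0].upper()}{label[1:]} reported {summary}",
        "tabs": dict(tabs),
        "as_of": stamp,
    }


# Constructed sample report (not a real member report); the county name is the
# identifying detail that must not reach the Open Chat or the pods.
SAMPLE_REPORT = {
    "reporter_level": "local",
    "identifiers": ["Example County"],
    "summary": "scanning from 203.0.113.5 against the Example County voter lookup site",
    "iocs": [
        "203.0.113.5",
        "evil-updates[.]example",
        "hxxp://evil-updates[.]example/payload.bin",
        "d41d8cd98f00b204e9800998ecf8427e",
    ],
}

if __name__ == "__main__":
    result = scrub_report(SAMPLE_REPORT)
    print(result["highlight"])
    for tab, values in result["tabs"].items():
        print(f"{tab}: {values}")
    print("As of:", result["as_of"])
```

Run against the constructed report, the highlight line reads “A local election office reported scanning from 203.0.113.5 against the [redacted] voter lookup site”, which is the same form as the anonymized Open Chat example above, and the four indicators land in the ips, domains, urls and hashes tabs respectively.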
High Severity Events
A report is deemed ‘High Severity’ if it is something critical or an emergency (e.g., active malware infection, ransomware, election infrastructure down, successful compromise). Handle these events similarly to MS-ISAC Critical or Emergency events.
Gather as much additional information as possible. CIRT provides a Confluence page with guidelines for questions.
Ticket as appropriate.
Send a summary to CIRT with ElectionOps and LNO CC’ed on the email.
If the report comes during “off hours,” it is up to the SOC Manager or POC to determine whether to call up CTI-elections or the EI-ISAC.