New Cyber Threat Intelligence Grid Aims to Connect Cook County, Ill., Municipalities

The new Cook County Cyber Threat Intelligence Grid lets municipalities pool information on virtual "bad actors."

by / December 7, 2016

Seeing a gap in its threat intelligence and recognizing safety in numbers, the nation's second-largest county is rolling out a new platform aimed at deputizing municipalities in the war on cybercrime, officials announced Wednesday, Dec. 7.

In October, cities and villages in the northeastern Illinois region were given access to the Cook County Cyber Threat Intelligence Grid, a collaboration between the Cook County Department of Homeland Security and Emergency Management (DHSEM) and Redwood City, Calif.-based Anomali, a provider of market-leading threat intelligence platforms.

About 15 of 143 Cook County municipalities are in various stages of joining; three, chosen in part for their locations throughout the county, are confirmed to have done so to date. One village official said he was "excited" by the grid's ability to let cities do more even in what he called the "pilot phase."

The ultimate goal is a stronger, united front against malware, distributed denials of service, ransomware and other cybercrime, Cook County Chief Information Security Officer (CISO) Ricardo Lafosse told Government Technology.

It's part of the county's three-year strategy to build out its threat intelligence program and was prompted in part by discussions with the federal Department of Homeland Security about the difficulties of two-way communication.

"From a national level, they push down alerts, but having two-way communication they also struggled with," said Lafosse, noting the county's own gap in threat intelligence also centered on information and communication. "We would investigate these threats; however, we did not have additional information to make informed decisions."

Officials chose Anomali, which created a cyberthreat exchange in the health-care industry called the Health Information Trust Alliance Cyber Threat XChange, to provide the platform because it was the best fit, Lafosse said. DHSEM discovered value in its automating tools and ability to push information out to Cook County cities and villages, he said, many of which don't have formal information security systems.

Discussions between Lafosse and Colby DeRodeff, Anomali co-founder and chief strategy officer, began roughly two-and-a-half years ago, DeRodeff said, adding that the platform was envisioned as a safety net for munis with varying security levels.

"If one of those organizations has a breach or is compromised, that’s a huge risk because they’re all threatened. What this allows for is the organizations that don’t have so many resources or don't have as much maturity as others to benefit," DeRodeff said. "That can trickle down and provide a much better level of security for all organizations."

The project's cost wasn't released; Lafosse said only that it it was part of the county's budget to build out its information security threat intelligence program.

Peter Schaak, IT director for the Village of Schaumburg, said there'd been no cost to join for his municipality, where officials have audited the grid and will get training in mid-December on how to use it.

DeRodeff compared its architecture, a hybrid cloud and on-premises design accessible via mobile, desktop and laptop browsers, to Google Plus and LinkedIn. A key, he said, is its utilization of groups called trusted circles.

"These are trusted communities, and organizations become a member of these communities," he said, noting circles could link municipalities by area or region — or even by the first letters of their names.

As with some portal designs, members can create profiles, run searches and ask to be alerted to certain types of information.

County officials can disseminate information to circles or individual members and members can also share what they know or have learned. Other agencies, like the federal DHS and the FBI, may also be allowed to publish bulletins.

"From there, the goal is to really operationalize the intelligence," DeRodeff said. "Having intelligence information is interesting and it's good to know what is going on, but actually leveraging intelligence as part of your operational security practices is where you see the most [value]."

The grid's objective is granular intelligence that goes past merely identifying attackers' IP addresses to probe their backgrounds and histories.

Municipalities that have joined early are reporting they like being able to sign up for keyword alerts. The grid also allows them to set up infrastructure alerts — which can inform cities if their government Web addresses end up on third-party websites.

James Frank, IT director at the city of Berwyn, said in a statement that joining the grid will give his city "a much better ability to rapidly pinpoint cyberthreats" and work to neutralize them.

Schaumburg's Schaak told Government Technology that the grid's sophistication in fighting cyberthreats will rest with the municipalities that join and the information they provide. That said, he praised its regional focus.

"A threat in San Francisco has much less significance to me than a threat in Hoffman Estates," he said, referring to a Cook County border village partially in neighboring Kane County. "I’m anxious to have this platform being used by more people and have people giving us the heads-up of a problem before it becomes a problem. You can never be too secure."

Theo Douglas Staff Writer

Theo Douglas is a staff writer for Government Technology. His reporting experience includes covering municipal, county and state governments, business and breaking news. He has a Bachelor's degree in Newspaper Journalism and a Master's in History, both from California State University, Long Beach.