Election Security Hardening Pack


Workflow diagram: Election Security Hardening Pack Workflow, Phase 1: Threat Intelligence Ingestion → Phase 2: Log Normalization → Phase 3: Anomaly Detection

We built the Election Security Hardening Pack because election infrastructure is too critical to rely on fragile, manually maintained security configs. When you're defending ballot tabulation servers, voter registration databases, and election management systems, your threat intelligence pipeline can't break, and your incident response can't lag. We engineered this so you don't have to stitch together MISP feeds, OpenCTI connectors, and OpenBAS simulations by hand.

Install this skill

npx quanta-skills install election-security-hardening-pack

Requires a Pro subscription. See pricing.

The Fragmented Threat Landscape of Election Infrastructure

Most election tech stacks are a patchwork of legacy voting machines, web-facing voter portals, and internal databases. You're trying to secure this environment against state-sponsored actors, ransomware groups, and organized crime rings that view election systems as high-value targets. CISA's best practices emphasize hardening enterprise networks and strengthening election infrastructure at little or no cost [1]. But "hardening" isn't just a checklist; it's an operational workflow that must run continuously.

Without automated threat intel ingestion, you're blind to election-specific IOCs. You're manually parsing MISP feeds, writing brittle Python scripts for OpenCTI, and hoping your SIEM catches the phishing campaigns targeting poll workers. The CIS Essential Guide [5] outlines controls that election officials must implement, but implementing them requires reliable data flows. If your threat intel doesn't flow into your detection engines, your CIS controls are just paper.

We also know you're likely juggling multiple security tools. If you're already using the Incident Response Pack to guide your triage, you still need the raw threat data to feed it. And if you're running vulnerability scans, the OWASP Security Audit Pack helps you find weaknesses, but it doesn't tell you when an attacker is actively exploiting them. You need active threat intel to close that loop.

The Cost of Manual Hardening and Missed Indicators

When your security ops are manual, you bleed time and money. A delayed MISP feed update means your anomaly detection misses a zero-day targeting election software. The Brennan Center defines election resiliency as ensuring that attacks and other disruptive incidents do not impede voters from casting ballots nor prevent election officials from performing their duties [7]. If your detection is slow, you fail that resiliency test.

We've seen teams spend weeks stitching together threat intel connectors only to have them drift out of sync. The cost isn't just engineering hours; it's the risk of a compromised audit trail. If you can't prove your logs are tamper-evident and your incident response is automated, you're failing internal controls. A single missed phishing campaign can compromise ballot tabulation servers, leading to federal investigations and loss of public trust.

You need the Compliance Audit Trail Pack to back this up, ensuring your logs meet retention and integrity requirements. You also need the Internal Audit Automation Pack to validate your controls continuously, not just during an annual review. When your audit trails are manual, you can't demonstrate due diligence to state auditors or federal partners.

How a Phased Mandiant/NASS Approach Prevents Tabulation Compromise

Imagine a county election board that adopted a phased approach to security, as recommended by the NASS and Mandiant [6]. They started with threat intel ingestion but skipped the simulation phase. When a phishing campaign hit, their OpenCTI connector failed to parse the STIX2 indicators because the schema didn't match the election-specific payloads. Their SIEM ingested the logs, but without OpenBAS attack simulation, they had no baseline for what "normal" looked like for their tabulation servers.

The anomaly detection fired late. By the time they triggered IR, the attacker had already exfiltrated voter data. A public case study from EAC resources highlights the importance of system testing before and after elections [3]. If your testing is manual, you're gambling with the election. DHS resources [4] also emphasize the need for state, local, tribal, territorial, and campus law enforcement to address threats, which requires clear, automated evidence collection for prosecution.

Automated MISP Ingestion, OpenCTI STIX2 Flow, and Zero-Trust Validation

With the Election Security Hardening Pack installed, your workflow changes. Phase 1 ingests threat intel via a validated MISP feed config. Phase 2 normalizes logs. Phase 3 detects anomalies using baselines from OpenBAS simulations. Phase 4 automates IR. Phase 5 generates audit trails. Phase 6 validates everything.

The misp_feed_config.yaml handles delta_merge to prevent duplicate indicators and sets distribution to ensure only relevant election agencies see the IOCs. The opencti_connector.py uses pycti and stix2 to map election-specific tags to STIX2 malware objects, ensuring your threat intel is structured and queryable. The openbas_scenario.graphql generates attack simulation scenarios, so you can test your detection rules against realistic election threats.

The run_validation.sh script is a gate in your CI/CD. It validates the MISP config against the JSON schema, checks the Python connector syntax, and verifies the GraphQL mutation structure. If any file drifts, the build breaks. We include references/cisa-election-cyber-resilience.md so your AI agent has CISA hardening guidelines offline, and references/threat-intel-architecture.md for the full reference architecture.
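The feed config check and CI gate described above, as an added example that is not code from the pack: a plain-Python validator for a MISP feed config that enforces the delta_merge and distribution fields and returns a non-zero exit code on drift, the way run_validation.sh is described to. The field rules and both sample feeds are constructed for this example; the pack's own validators/misp_feed_schema.json is not reproduced here.

```python
# Added example, not the pack's own code: a MISP feed config gate in the spirit of
# run_validation.sh, in plain Python (no jsonschema/PyYAML). Rules are constructed here.
import sys

# Required MISP Feeds API fields and their types. bool is checked strictly so a quoted
# YAML "true" (a str) for delta_merge is caught instead of silently changing behaviour.
REQUIRED = {"name": str, "url": str, "source_format": str,
            "delta_merge": bool, "distribution": int, "enabled": bool}
SOURCE_FORMATS = {"misp", "csv", "freetext"}  # formats MISP feeds accept
DISTRIBUTION_LEVELS = range(6)                # 0-3 sharing levels, 4 sharing group, 5 inherit

def has_type(value, expected) -> bool:
    """isinstance, except bool never counts as int (a distribution level must be a real int)."""
    return isinstance(value, expected) and not (expected is int and isinstance(value, bool))

def validate_feed(feed: dict) -> list:
    """Return human-readable problems for one feed entry; an empty list means it passes."""
    problems = []
    for key, expected in REQUIRED.items():
        if key not in feed:
            problems.append(f"{key}: missing")
        elif not has_type(feed[key], expected):
            problems.append(f"{key}: expected {expected.__name__}, got {type(feed[key]).__name__}")
    if has_type(feed.get("distribution"), int) and feed["distribution"] not in DISTRIBUTION_LEVELS:
        problems.append("distribution: must be 0-5")
    if has_type(feed.get("source_format"), str) and feed["source_format"] not in SOURCE_FORMATS:
        problems.append("source_format: must be misp, csv or freetext")
    if has_type(feed.get("url"), str) and not feed["url"].startswith("https://"):
        problems.append("url: feed must be pulled over HTTPS")
    return problems

def validate_config(config: dict) -> int:
    """Check every feed; return a CI-style exit code (0 = pass, 1 = at least one failure)."""
    failures = 0
    for feed in config.get("feeds", []):
        for problem in validate_feed(feed):
            print(f"[FAIL] {feed.get('name', '<unnamed>')}: {problem}")
            failures += 1
    return 1 if failures else 0

# Constructed sample config: one well-formed feed and one carrying three typical drift errors.
SAMPLE_CONFIG = {"feeds": [
    {"name": "election-phishing-iocs", "url": "https://feeds.example.invalid/election.json",
     "source_format": "misp", "delta_merge": True, "distribution": 1, "enabled": True},
    {"name": "drifted-feed", "url": "http://feeds.example.invalid/drift.csv",
     "source_format": "csv", "delta_merge": "true", "distribution": 7, "enabled": True},
]}

if __name__ == "__main__":
    sys.exit(validate_config(SAMPLE_CONFIG))
```

Run as a script it prints one [FAIL] line per problem in the drifted feed and exits 1, so a pipeline step that runs it blocks the deploy exactly as the page describes for the validation gate.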

We also provide examples/election-incident-event.json, a worked example of a MISP event payload for an election-specific phishing campaign. This helps your team recognize the pattern of attack attributes, tags, and sighting workflows. If you need to handle the evidence collection side of incidents, the E-Discovery Automation Pack integrates with this workflow to preserve chain of custody.

CISA's cybersecurity toolkit [2] stresses the need for a sound analytic foundation for managing election security risk. This pack gives you that foundation by automating the ingestion, analysis, and validation of threat data, so you can focus on protecting the election.

What's in the Election Security Hardening Pack

  • skill.md — Orchestrates the 6-phase Election Security Hardening workflow, explicitly referencing all templates, scripts, validators, references, and examples by relative path to guide the AI agent.
  • templates/misp_feed_config.yaml — Production-grade MISP feed ingestion configuration for election threat intel sources, aligned with MISP Feeds API parameters like delta_merge and distribution.
  • templates/opencti_connector.py — Python-based OpenCTI external import connector for ingesting election-specific STIX2 indicators and malware objects using pycti and stix2 libraries.
  • templates/openbas_scenario.graphql — GraphQL mutation template for generating OpenBAS attack simulation scenarios from election threat intelligence using obasThreatGenerateScenarioWithInjectPlaceholders.
  • scripts/run_validation.sh — Executable bash script that validates MISP config against JSON schema, checks Python connector syntax, and verifies GraphQL mutation structure, exiting non-zero on failure.
  • validators/misp_feed_schema.json — JSON Schema definition for validating MISP feed configurations against election security requirements and MISP API constraints.
  • references/cisa-election-cyber-resilience.md — Curated CISA/EAC hardening guidelines, zero-trust principles, and supply chain security for election infrastructure, embedded as offline reference.
  • references/threat-intel-architecture.md — Reference architecture detailing MISP, OpenCTI, and OpenBAS integration for election incident response, log normalization, and audit trail generation.
  • examples/election-incident-event.json — Worked example of a MISP event payload for an election-specific phishing campaign, including attributes, tags, and sighting workflows.

If you want to extend this with autonomous agents, the Developing Autonomous Cybersecurity Agents Pack provides the patterns for building AI-driven SOC automation that can consume these threat intel feeds and act on them.

Install the Pack and Secure the Chain

Stop guessing if your MISP feed is pulling stale indicators. Stop writing brittle Python scripts that break when the STIX2 schema changes. Stop manually validating your configs before you deploy.

Upgrade to Pro to install the Election Security Hardening Pack. We built this so you don't have to. Ship with confidence, backed by CISA guidelines, validated by JSON schema, and automated from threat intel to audit trail.

References

  1. Best Practices for Securing Election Systems — cisa.gov
  2. Cybersecurity Toolkit and Resources to Protect Elections — cisa.gov
  3. Clearinghouse Resources on Election Security — eac.gov
  4. Election Security Resources for Law Enforcement — dhs.gov
  5. Essential Guide to Election Security (PDF) — essentialguide.docs.cisecurity.org
  6. A Phased Approach to Election Security and Checklist for ... — nass.org
  7. A State Agenda for Election Security and Resiliency — brennancenter.org

Frequently Asked Questions

How do I install Election Security Hardening Pack?

Run `npx quanta-skills install election-security-hardening-pack` in your terminal. The skill will be installed to ~/.claude/skills/election-security-hardening-pack/ and automatically available in Claude Code, Cursor, Copilot, and other AI coding agents.

Is Election Security Hardening Pack free?

Election Security Hardening Pack is a Pro skill, available on the $29/mo Pro plan. You need a Pro subscription to access this skill. Browse 37,000+ free skills at quantaintelligence.ai/skills.

What AI coding agents work with Election Security Hardening Pack?

Election Security Hardening Pack works with Claude Code, Cursor, GitHub Copilot, Gemini CLI, Windsurf, Warp, and any AI coding agent that reads skill files. Once installed, the agent automatically gains the expertise defined in the skill.