
MS ISAC Membership Guide Ebook 2018 9 Jan

The document provides an overview of the services available through the MS-ISAC and instructions for getting started with the MS-ISAC, including how to report incidents, add additional staff members, submit public IP ranges and domains for monitoring, create an account on the Malicious Code Analysis Platform, and register for access to the secure portal. It also describes the various levels of access for the MS-ISAC distribution lists and how to submit information to have public IP ranges and domains monitored.

Uploaded by Editorial Buxi
Copyright © All Rights Reserved

Welcome to the MS-ISAC!

→ To get started:
• Learn how to report an incident at any time to the MS-ISAC SOC
• Add additional staff members to your account
• Submit your public IP ranges and domain space for monitoring
• Create an account on the Malicious Code Analysis Platform (MCAP)
• Complete your registration for access to the secure portal

This guide provides details about each of the items listed above as well as additional MS-ISAC services.

24x7 Security Operations Center (SOC)

The MS-ISAC Security Operations Center provides real-time network monitoring, early cyber threat warnings and advisories, and vulnerability identification and mitigation.

• 24x7 Support
• Reporting
• Analysis & Monitoring

→ To report an incident or contact the MS-ISAC SOC for 24x7 assistance:
Phone: 1.866.787.4722
Email: soc@msisac.org

MS-ISAC Computer Emergency Response Team (CERT)

→ Members are encouraged to report incidents, even if they are not requesting direct assistance, to improve the situational awareness of the MS-ISAC membership.

The Computer Emergency Response Team is able to assist with cybersecurity incidents.

Our incident response experts can provide:
• Emergency Conference Calls
• Network & Web Application Vulnerability Assessments
• Free Access to Tools to Assess your Configuration
• Forensic Analysis, Malware Analysis & Log Analysis
• Reverse Engineering
• Mitigation Recommendations
• Cyber Threat Intelligence
• Verbal and written reports are provided following the reported incident

MS-ISAC Distribution List

Each organization may have an unlimited number of contacts added to the MS-ISAC distribution lists to receive communications directly.

The primary contact will receive full access (Level 4) and we encourage our members to add additional staff to their account. The primary contact should indicate what level of access each additional staff member should receive as outlined below.

→ Level 4
Level 1, Level 2 & Level 3 + Account on the MS-ISAC’s section of a secure federal portal

→ Level 3
Level 1 & Level 2 + Organization specific notifications (Incident Notifications, Threat Information)

→ Level 2
Level 1 + MS-ISAC member publications (Weekly Malware IP and Domain Reports, Monthly Situational Awareness Report, Cyber Alerts, and Intel Papers)

→ Level 1
Public information only (Special Discount Buys, Cyber Advisories, Monthly Newsletters, and National Webcasts)

To add additional staff, simply send an email to your account manager or info@msisac.org with the information below.

Name:
Level of Access:
Email:
Phone Number:
Work Cell Phone Number (if applicable):
Title:
Physical Mailing Address (Non P.O. Box):

IP Range & Domain Space

The MS-ISAC SOC can monitor your public IP range and domain space as part of your membership. The MS-ISAC 24x7 SOC will notify your organization via phone or email regarding evidence of:

• Web defacements
• System compromises
• Compromised user credentials
• IPs connected to a malicious command and control server
• Indicators of compromise from MS-ISAC network monitoring (Albert)
• IPs connected to sinkholes or honey nets

→ Please submit your IP range and domain space to: soc@msisac.org. IPs are accepted in CIDR notation; wildcard domains are not allowed.

Vulnerability Management Program (VMP)

The Vulnerability Management Program is an MS-ISAC initiative that works off of the domains provided by your organization. The objective of this program is to alert MS-ISAC members to potential threats and vulnerabilities and to serve as a reminder to keep Internet-facing systems patched and up to date.

What Data Are We Collecting?
• Server type & version (IIS, Apache, Nginx, etc.)
• Web Programming Language & version (PHP, ASP, etc.)
• Content Management System & version (WordPress, Joomla, Drupal, etc.)

Malicious Code Analysis Platform (MCAP)

The Malicious Code Analysis Platform (MCAP) is a web-based service that enables members to submit and analyze suspicious files in a controlled and non-public fashion, including:
• Executables
• DLLs
• Documents
• Quarantine Files
• Archives
• URLs

→ This platform is available to all members at no cost. Access can be obtained by sending an email to mcap@cisecurity.org using the following format:

Subject Line: MCAP – Account Request
First Name:
Last Name:
Name of Organization:
Email Address:

→ Is your organization a recipient of suspicious emails?

MS-ISAC members can receive analysis of suspicious emails by forwarding or sending the emails as an attachment to suspiciousemail@cisecurity.org.
