Do You Want to Join the Strike Team?

Empowering Local Governments Through Expert Cybersecurity Support

Who We Are
The NCLGISA Cybersecurity Strike Team is a dedicated group of senior IT leaders from NC counties, municipalities, community colleges, and public school units. With over 175 years of collective public sector IT experience, our volunteers stand ready to assist fellow public entities in overcoming cybersecurity challenges.

Our Mission
To provide rapid on-site support during cyber incidents, such as ransomware attacks and business email compromises, ensuring critical operations can quickly resume. We transform our incident response experiences into valuable training and educational resources to strengthen the cybersecurity posture of local governments across North Carolina.

Why We Are Needed
From 911 operations to sanitation service delivery, technology has become the mission-critical backbone for providing essential government services. However, this reliance on network-connected systems also makes local governments prime targets for cyberattacks. The frequency and sophistication of these attacks are increasing, necessitating expert intervention to mitigate their impact.

Our Impact
Since our inception, the NCLGISA Cybersecurity Strike Team has:
--Responded to over 100 cyber incidents in the past five years
--Become a core member of the NC Joint Cybersecurity Task Force, along with the NC National Guard CSRF, NCDIT ESRMO, NCEM, and key federal agency partners to provide comprehensive incident response
--Delivered tailored support with a deep understanding of local government systems and procedures

Our Services
--Immediate Incident Response: Providing on-site support to manage and recover from cyber incidents
--Proactive Scanning Services: Offering Nessus external weekly scans, Shodan vulnerability scans and alerting, RunZero scans on demand, and other NCLGISA-funded tools
--Expert Guidance: On-demand consulting on cyber-related questions, concerns, tools, and techniques
--Training & Education: Developing materials and sessions to improve cybersecurity awareness and practices across NC governmental entities
--Collaboration: Working with state and national cyber response teams to enhance our response capabilities

Join Us in Protecting Our Communities
There are many skills needed on a cybersecurity response team, from effective communication, project management, forensics, threat hunting, and networking to basic IT operations. If you are ethical, analytical, focused, dedicated, solution-oriented, slightly stubborn, calm under pressure, flexible, open to constructive feedback, and able to commit to working on-site with an impacted entity for a 48-hour operational shift if needed, and you have a sense of humor and love to help out others in need, we have a place for you! Cyber experience is awesome, but not required.

Support the NCLGISA Cybersecurity Strike Team in safeguarding North Carolina’s local governments. Together, we can ensure a resilient and secure digital infrastructure for all public sector entities.

 

Welcome to the War Room: A Typical Incident Response

Emerging or Undefined Issue
Strike Team requests key information and access to determine what may be occurring, such as: access to log sources; firewall configs; EDR/MDR portal access; network management tools; CyberTriage forensic captures of key endpoints (i.e., domain controllers, critical servers, etc.); and other items as determined by the event.

Confirmed Significant Cyber Incident
If the incident has been confirmed as a significant event and JCTF services are requested, we mobilize our team, assess availability, and develop a schedule for “boots on the ground” services, while also requesting the 5 items noted above from the impacted entity.

Goals
--On-site @ impacted entity within 12-24 hours of the initial scoping call, based on entity request
--Team members located in closest proximity will be prioritized for mobilization
--Complete on-site assistance within 1 week of initial response
--Additional Strike Team tools are deployed to allow for remote assistance

Workload
--The collective team typically works ~200 hours per significant incident.
--There is an expectation for all team members to participate throughout the incident.
--Weekends, holidays, and after-hours are expected and within scope to get the job done.

Typical Strike Team Incident Staffing
Days 1 & 2:
--Two (2) Strike Team members on-site (a Strike Team leader + one additional team member)
--Google Meet link is established and any team members not on-site will participate remotely as able
--Nightly 9 pm sync calls to outline tasks for the next operational period
--12-16 hour operational periods when on-site

Days 3-7:
--1-2 Strike Team members on-site
--Google Meet link is established and any team members not on-site will participate remotely as able
--Nightly 9 pm sync calls to outline tasks for the next operational period
--12-16 hour operational periods when on-site

Throughout incident:
--Team members not on-site will assist with reviewing CyberTriage images, logs, etc. to perform “sys admin forensic review/threat hunting”, as well as use remote access tools to build out VLANs, apply GPOs, etc., as needed.
--During an incident, the Strike Team syncs every evening for ~2 hours to review logs and discuss game plans for the rebuild.

All travel, lodging, meals, etc., associated with Strike Team deployment are covered by NCLGISA Strike Team budget, so there is no financial impact to your organization or you personally.

Participation on the Strike Team requires a significant time commitment. We ask that all team members receive written authorization to participate from their senior leadership, as documented in the Strike Team consent form.

Submit Your Interest Here