Automated Indicator Sharing
Automated Indicator Sharing (AIS) is a US Department of Homeland Security (DHS) initiative designed to give participants "a way of staying proactive" with respect to cybersecurity. Representing the National Cybersecurity and Communications Integration Center (NCCIC), Project Manager Omar Cruz gave Security Week's ICS Cyber Security Conference an overview of AIS, its benefits, and the roadmap for the system's future.
Overcoming legal, regulatory, and other risks to information sharing
AIS was developed to provide a way of widely and rapidly sharing machine-readable cyber threat indicators at machine speed. It's worth noting that the legislation that made AIS possible, the Cybersecurity Information Sharing Act of 2015 (CISA), was principally concerned with removing legal and business obstacles to industry participation in such a system. CISA established the privacy and liability protections industry needed before the private sector would be willing to join AIS.
The system is designed to protect privacy. It removes any personal information not required to understand a given cyber threat, and it uses automated and manual reviews to accomplish this. Organizations sharing information with AIS also enjoy a degree of immunity to liability for information they share in accordance with CISA.
Volume and velocity
AIS, Cruz explained, is about "volume and velocity." Participants receive threat indicators that inform both preparation and reaction. Their own sharing (AIS is a two-way system) contributes to herd immunity. Now that AIS is up and running on a solid basis, the NCCIC is working to increase industry participation. It's prepared to help interested organizations work through any technical, resource, and cultural challenges that might inhibit them from joining the system. The experience of WannaCry ransomware produced what Cruz called a "paradigm shift" in the direction of valuing speed.
AIS makes full use of STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Indicator Information) to share threat indicators.
Cruz outlined five coming near-term improvements to AIS:
- A move to STIX 2.1 and TAXII 2.x in 2018.
- Integration of MISP (Malware Information Sharing Program), the European system developed by CIRCL (Computer Incident Response Center Luxembourg), with STIX and TAXII.
- Introduction of auto-immunity and quarantine capabilities.
- Introduction of the ability to receive automated feedback from participants.
- Further enrichment of indicators.
Data enrichment will include contextual information that can indicate to the customer why NCCIC rates the information it shares as it does. Under AIS, DHS will be able to provide, not formal attribution precisely, but rather an association of indicators that approaches attribution. Cruz concluded that AIS 2.0 was on schedule, and he invited industry comment and feedback.