Information Sharing under IACD

Here, we provide key topics involved in the process of information sharing to support adoption and employment of the IACD framework.

 
 

Automated indicator sharing (AIS)

AIS logo.png

The Department of Homeland Security’s (DHS) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators between the federal government and the private sector at machine speed. Threat indicators are pieces of information such as malicious IP addresses or the sender address of a phishing email (although they can also be much more complicated). AIS is a part of DHS’s effort to create an ecosystem that would allow a company or federal agency to share an indicator in real time with all of our partners as soon as it has observed an attempted compromise, protecting the partners from that particular threat. That means adversaries can only use an attack once, which increases their costs and ultimately reduces the prevalence of cyber attacks. Although AIS won’t eliminate sophisticated cyber threats, it will allow companies and federal agencies to concentrate more on them by clearing away less sophisticated attacks. Ultimately, the goal is to commoditize cyber threat indicators through AIS so that tactical indicators are shared broadly among the public and private sector, enabling everyone to be better protected against cyber attacks.

AIS Fact Sheet

AIS Fact Sheet

JHU/APL is working with DHS and the participant community to encourage bidirectional sharing through the use of AIS while making the shared indicators more operationally useful. This work includes tackling complex technical problems such as enhancing trust in the indicators shared and addressing the issues of duplication and relevancy. Additionally, APL is relating the potential for automation to the sharing of cybersecurity threat data through the collaboration between IACD and AIS.

For more information, visit the DHS AIS website.

Shareable Workflows

IACD believes sharing of actions to take against threats is equally important to threat intelligence and therefore should be shared. This video provides a proof of concept for how organizations can share and receive reference workflows, tailor them to an organization's business rules and risk posture, and then automatically translate them to SOAR platforms for orchestration. These shareable workflows build upon the Business Process Modeling Notation (BPMN) standard by the Object Management Group.

Technical Demonstration of how to share reference workflows in BPMN amongst organizations so that they may be tailored and then imported into a SOAR platform. Integrated Adaptive Cyber Defense (IACD) defines a strategy and framework to adopt an extensible, adaptive, COTS-based approach.

 

Autoimmunity

IACD Autoimmunity

IACD Autoimmunity

IACD Autoimmunity is the capability to recognize, respond to, and review Cyber Threat Information (CTI) submitted to the information broker that would harm the integrity of the feed to recipients. This white paper provides key guidelines for IACD Autoimmunity.

Updated by IACD on 2018-06-22.

Trends in Technology: Threat Intelligence Platforms

Threat Intelligence Platforms or TIPs, ingest, correlate, and share threat information for multiple purposes including: threat analysis, risk prioritization, and incident detection activities. TIPs enable rapid information aggregation and sharing, assisting analysts by bringing large collections of data together to form a more comprehensive illustration of the dataset. TIPs also facilitate sharing within the platform and beyond to benefit the entire cybersecurity community. This handout provides you with a quick analysis of some of the common characteristics and operationally critical features of this rapidly maturing technology. Whether you’re interested in purchasing TIPs products or just trying to keep up with the latest trends in technology, take a few minutes to see what many of them can offer.

Trends in Technology: Threat Intelligence Platforms

Trends in Technology: Threat Intelligence Platforms

The Value in Sharing Threat Intelligence Confidence

Machine speed sharing of threat intelligence and IOCs is helpful for defense but the context for that intelligence is often lost, making it near impossible to translate the information to actions. By having a standardized definition of confidence as to whether or not an IOC is actively malicious that can be reviewed by the community, we can gain insight into response and improve our overall ability to take action.

Automating Network Connectivity Based On Shared Threat Intelligence Reports

When a site your organization needs to access gets hacked, how long do you block it? We can use a common definition of confidence for cyber threat intelligence IOCs to know when sites we need may be safe again. See the video below.

Updated by IACD on August 3 2020.


Low-Regret Methodology for evaluating cyber threat intelligence to enable network defense

There are many sources of cyber threat intelligence available to network defenders today. However, these feeds often result in very little tactical utility for network defense because of poor data quality, and limited ability to rapidly screen information to identify the pertinent pieces of information and what to do with it. In this paper, IACD provides the methodology utilized in our recent SLTT Pilot to process Indicators of Compromise with automation to enable significant improvement for network defense.