CISA Artificial Intelligence Use Cases
See how CISA is using Artificial Intelligence (AI) responsibly to improve its services and cybersecurity on several fronts, while maintaining privacy and civil liberties. The use cases below offer current examples of efforts that are underway. Check back for additional use cases as CISA explores other ways to integrate AI into its mission.
Automated Indicator Sharing (AIS), a CISA capability, enables the real-time exchange of machine-readable cyber threat indicators and defensive measures to help protect against and ultimately reduce the prevalence of cyber incidents. AIS is offered as part of CISA’s broad authority to share information relating to cybersecurity risks, including authority to receive, analyze, and disseminate information, and fulfills CISA’s obligation under the Cybersecurity Information Sharing Act of 2015 to establish and operate the federal government’s capability and process for receiving cyber threat indicators and defensive measures, and to further share this information with certain other agencies, in some cases in a real-time manner. For more information, please visit: https://www.cisa.gov/ais.
AIS Automated Scoring & Feedback (AS&F), built on the AIS Scoring Framework, defines an algorithm by which organizations can enrich Structured Threat Information Expression (STIX) Indicator objects, shared via AIS, with (1) an opinion value that provides an assessment of whether or not the information can be corroborated with other sources available to the entity submitting the opinion and (2) a confidence score that states the submitter’s confidence in the correctness of the information they submit into AIS. When leveraged by CISA, AS&F uses artificial intelligence / machine learning to perform descriptive analytics on organization-centric intelligence to support confidence and opinion classification of indicators of compromise. Together, these enrichments can help those receiving information from AIS prioritize which Indicator objects to action and investigate.
AI techniques used: Descriptive Analysis, Machine Learning, Natural Language Processing (NLP)
Stage of System Development Life Cycle: Operation and Maintenance
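The enrichment described above can be illustrated with STIX 2.1's own building blocks: an Indicator carries a `confidence` property (0-100), and a separate Opinion object records another party's agreement or disagreement and references the Indicator by id. The following is an added example written for this page, not CISA's code and not the AIS Scoring Framework's actual algorithm: the Opinion object and `confidence` property are standard STIX 2.1, but the `priority_score` aggregation rule, the sample pattern and the organization explanations are assumptions constructed for illustration.

```python
"""Illustrative STIX 2.1 enrichment of an Indicator with opinions and confidence.
Added example; the aggregation rule below is an assumption, not AIS's algorithm."""
import json
import uuid
from datetime import datetime, timezone

# STIX 2.1 opinion enumeration, ordered from strongest disagreement to strongest agreement.
OPINION_SCALE = ["strongly-disagree", "disagree", "neutral", "agree", "strongly-agree"]


def stix_id(obj_type):
    return f"{obj_type}--{uuid.uuid4()}"


def now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_indicator(pattern, confidence):
    """Minimal STIX 2.1 Indicator carrying the submitter's confidence (0-100)."""
    if not 0 <= confidence <= 100:
        raise ValueError("STIX confidence must be in the range 0-100")
    ts = now()
    return {
        "type": "indicator", "spec_version": "2.1", "id": stix_id("indicator"),
        "created": ts, "modified": ts, "valid_from": ts,
        "pattern": pattern, "pattern_type": "stix",
        "confidence": confidence,
    }


def make_opinion(indicator, opinion, confidence, explanation):
    """STIX 2.1 Opinion object: another organization's assessment of the Indicator."""
    if opinion not in OPINION_SCALE:
        raise ValueError(f"unknown opinion value: {opinion}")
    if not 0 <= confidence <= 100:
        raise ValueError("STIX confidence must be in the range 0-100")
    ts = now()
    return {
        "type": "opinion", "spec_version": "2.1", "id": stix_id("opinion"),
        "created": ts, "modified": ts,
        "opinion": opinion, "confidence": confidence, "explanation": explanation,
        "object_refs": [indicator["id"]],
    }


def make_bundle(*objects):
    """Wrap objects in a STIX bundle, the unit that would be exchanged over AIS."""
    return {"type": "bundle", "id": stix_id("bundle"), "objects": list(objects)}


def priority_score(indicator, opinions):
    """Assumed triage rule (not AIS's): each opinion maps to a stance in -1.0..+1.0,
    weighted by the opining party's confidence; the weighted average agreement
    (rescaled to 0..1) then scales the submitter's own confidence. Result: 0..100."""
    weighted, total_w = 0.0, 0.0
    for op in opinions:
        if indicator["id"] not in op["object_refs"]:
            continue  # opinion is about some other object
        stance = (OPINION_SCALE.index(op["opinion"]) - 2) / 2.0
        w = op["confidence"] / 100.0
        weighted += stance * w
        total_w += w
    if total_w == 0:
        return indicator["confidence"] * 0.5  # no corroboration either way: neutral
    agreement = (weighted / total_w + 1.0) / 2.0
    return round(indicator["confidence"] * agreement, 1)


if __name__ == "__main__":
    # Constructed sample: one submitted indicator (documentation address range) and three opinions.
    ind = make_indicator("[ipv4-addr:value = '203.0.113.7']", 80)
    ops = [
        make_opinion(ind, "strongly-agree", 90, "Corroborated by our own sensor data (constructed)."),
        make_opinion(ind, "agree", 60, "Matches a partner report (constructed)."),
        make_opinion(ind, "disagree", 40, "Only benign traffic observed (constructed)."),
    ]
    print(json.dumps(make_bundle(ind, *ops), indent=2))
    print("priority score:", priority_score(ind, ops))
```

A receiving organization can sort incoming Indicators by `priority_score` to decide what to investigate first; an Indicator with no opinions sits at half its submitter's confidence rather than at zero, so uncorroborated but high-confidence submissions are not silently dropped.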
CISA's Automated Personally Identifiable Information (PII) Detection and Human Review Process incorporates descriptive, predictive, and prescriptive analytics. Automated PII Detection leverages natural language processing tasks, including named entity recognition, coupled with privacy-guidance thresholds to automatically detect potential PII within Automated Indicator Sharing submissions. If a submission is flagged for possible PII, it is queued for human review, where analysts are provided with the submission and artificial intelligence-assisted guidance on the specific PII concerns. Within human review, analysts can confirm or deny the identification of PII and redact the information (if needed). Privacy experts are also able to review the actions of the system and the analysts to ensure proper performance of the entire process, and to provide feedback to the system and analysts for process improvements (if needed). The system learns from the feedback of the analysts and Privacy experts.
Through the incorporation of automated PII detection, CISA complies with the Privacy, Civil Rights and Civil Liberties requirements of CISA 2015 and scales analyst review of submissions by removing false positives and providing guidance on each submission to be reviewed. Through continual audits, CISA will maintain integrity and trust in both the system and the human processes. For more information, please visit: https://www.cisa.gov/ais.
AI techniques used: Natural Language Processing (NLP)
Stage of System Development Life Cycle: Operation and Maintenance
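The detect, threshold, queue-for-review, redact and learn-from-feedback loop above can be shown end to end in a small program. This is an added example, not CISA's system: the regular expressions stand in for a real named-entity-recognition model, the review threshold and the Laplace-smoothed precision used as a per-detector score are assumptions, and the submission text is constructed.

```python
"""Illustrative automated PII screening with a human-review queue and a feedback loop.
Added example; regex detectors stand in for NER, thresholds and scoring are assumed."""
import re
from dataclasses import dataclass

# Regex stand-ins for named-entity recognition of a few common PII types.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "us_phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass
class Finding:
    kind: str
    start: int
    end: int
    score: float  # estimated probability that this match really is PII


class PiiScreener:
    def __init__(self, review_threshold=0.3):
        self.review_threshold = review_threshold  # assumed privacy-guidance threshold
        # Analyst feedback per detector type: [confirmed as PII, total reviewed]
        self.feedback = {kind: [0, 0] for kind in PATTERNS}
        self.review_queue = []

    def precision(self, kind):
        """Laplace-smoothed precision learned from analyst decisions (starts at 0.5)."""
        confirmed, total = self.feedback[kind]
        return (confirmed + 1) / (total + 2)

    def detect(self, text):
        """Run every detector and attach its current learned score to each match."""
        findings = []
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(text):
                findings.append(Finding(kind, m.start(), m.end(), self.precision(kind)))
        return findings

    def screen(self, submission_id, text):
        """Route a submission: 'review' if any finding clears the threshold, else 'release'."""
        findings = [f for f in self.detect(text) if f.score >= self.review_threshold]
        if not findings:
            return "release"
        # Assistive guidance tells the analyst exactly where to look and why.
        guidance = [f"possible {f.kind} at [{f.start}:{f.end}] (score {f.score:.2f})"
                    for f in findings]
        self.review_queue.append({"id": submission_id, "text": text,
                                  "findings": findings, "guidance": guidance})
        return "review"

    def record_decisions(self, submission_id, decisions):
        """Apply analyst decisions {kind: True/False} to a queued submission.
        Confirmed findings are redacted; every decision feeds back into scoring.
        A missing decision raises KeyError on purpose: nothing leaves review undecided."""
        item = next(i for i in self.review_queue if i["id"] == submission_id)
        self.review_queue.remove(item)
        confirmed = []
        for f in item["findings"]:
            self.feedback[f.kind][1] += 1
            if decisions[f.kind]:
                self.feedback[f.kind][0] += 1
                confirmed.append(f)
        return redact(item["text"], confirmed)


def redact(text, findings):
    """Replace confirmed PII spans, working right to left so earlier offsets stay valid."""
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        text = text[:f.start] + f"[REDACTED:{f.kind}]" + text[f.end:]
    return text


if __name__ == "__main__":
    screener = PiiScreener()
    # Constructed submission text; the address and number are not real.
    print(screener.screen("s1", "contact admin@example.com or 555-123-4567"))
    print(screener.review_queue[0]["guidance"])
    print(screener.record_decisions("s1", {"email": True, "us_phone": False}))
```

Because every detector starts at a score of 0.5, all matches initially go to human review; as analysts repeatedly deny a detector's matches its learned precision falls below the threshold and that detector stops generating review work, which is the false-positive reduction the process relies on. The privacy-expert audit step maps onto inspecting `feedback` and the queue over time.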
CISA deploys forensic specialists to analyze cyber events at Federal Civilian Executive Branch (FCEB) departments and agencies, as well as at other State, Local, Tribal, Territorial, and Critical Infrastructure partners. Forensic analysts can utilize advanced analytic tooling, in the form of Artificial Intelligence implementations, to better understand anomalies and potential threats. This tooling gives forensic specialists the capability to comb through data in an automated fashion with mathematically and probabilistically based models, ensuring that high-fidelity anomalies are detected in a timely manner.
AI techniques used: Machine Learning
Stage of System Development Life Cycle: Initiation
Threat hunting and Security Operations Center (SOC) analysts are provided terabytes per day of data from the National Cybersecurity Protection System's (NCPS) Einstein sensors. Manually developed detection alerts and automatic correlation via off-the-shelf tooling are common, but not comprehensive. Many network attacks can be probabilistically determined given sufficient training data and time. Analysts use automated tooling to further refine the alerts they receive and to produce additional automated alerts based on aggregated information and backed by subject matter expertise. This tooling gives CISA analysts the capability to comb through data in an automated fashion with mathematically and probabilistically based models, ensuring that high-fidelity anomalies are detected in a timely manner.
AI techniques used: Machine Learning
Stage of System Development Life Cycle: Initiation
This use case covers frameworks, processes, and testing tools developed to govern the acquisition, development, deployment, and maintenance of AI technologies. Technology integrators within CISA, as well as across the rest of the federal enterprise, use AI-enhanced tools to assure the trustworthy, robust, and secure operation of their AI systems. These tools use Machine Learning and Natural Language Processing to enhance the assessment of AI technology within the agency by speeding up data processing.
AI techniques used: Machine Learning, Natural Language Processing (NLP)
Stage of System Development Life Cycle: Initiation
The Cyber Sentry program provides monitoring of critical infrastructure networks. Within the program, threat hunting analysts require advanced anomaly detection and machine learning capabilities to examine multimodal cyber-physical data on IT and OT networks, including ICS/SCADA. The Critical Infrastructure Anomaly Alerting model provides AI-assistance in processing this information.
AI techniques used: Machine Learning, Visualization
Stage of System Development Life Cycle: Initiation
Cyber Threat Intelligence Feed Correlation uses AI-enabled capabilities to provide accelerated correlation across multiple incoming information feeds. This enables more timely enrichment to improve the externally shared information feeds. AI allows the algorithm to use the information items and results to learn the most efficient ways to perform the task. Additionally, tailored algorithms could be created to provide sustained surveillance of threat actor tactics, techniques, and procedures (TTPs).
AI techniques used: Machine Learning, Natural Language Processing (NLP)
Stage of System Development Life Cycle: Initiation
Vulnerability analysts require advanced automation tools to process data received through various vulnerability reporting channels, as well as to aggregate the information for automated sharing. These tools leverage Machine Learning and Natural Language Processing to increase the accuracy and relevance of the data that is filtered and presented to human analysts and decision-makers. Machine Learning techniques also assist in aggregating the information in reports for presentation and further analysis. This includes data in the Known Exploited Vulnerabilities (KEV) and Common Vulnerabilities and Exposures (CVE) databases.
AI techniques used: Natural Language Processing (NLP), Visualization
Stage of System Development Life Cycle: Initiation
Reverse engineering of malware, and software analysis more broadly, will continue to be a critical activity in support of CISA’s cyber defense mission. Threat Focused Reverse Engineering (TFRE) leverages advanced engineering, formal methods, and deep learning techniques for better cyber threat intelligence. Without scalable, automated tools, it is difficult to disrupt sophisticated adversaries’ malware development lifecycle. New, unique, automated techniques are needed to better target adversaries, augment analysts, and create sophisticated tools for end users. Core tools disrupt the adversary’s development lifecycle by exposing tactics, techniques, and procedures (TTPs). Analysts could then spend more time and energy hunting and taking down threats, while adversaries can spend less time operating malware and must commit more resources to reorient. TFRE consists of a broader development pipeline providing tool hardening, enhanced computational abilities, understanding of deployment environments, and other important capabilities.
AI techniques used: Machine Learning
Stage of System Development Life Cycle: Initiation
Duty officers and analysts in CISA's Operations Center use a dashboard powered by artificial intelligence to enable sensemaking of ongoing operational activities. The artificial intelligence uses new near-real-time event data (from open source reporting, partner reporting, CISA regional staff, and cybersecurity sensors), coupled with historical cybersecurity and infrastructure security information and previous operational response activity, to recommend courses of action and engagement strategies with other government entities and critical infrastructure owners and operators based on potential impacts to the National Critical Functions.
AI techniques used: Machine Learning, Natural Language Processing (NLP), Visualization
Stage of System Development Life Cycle: Initiation
Threat hunting and Security Operations Center (SOC) analysts are provided terabytes per day of log data. Manually developed detection alerts and automatic correlation in a Security Information and Event Management (SIEM) tool are common, but not comprehensive. Many cyber attacks can be probabilistically determined given sufficient training data and time. Analysts use automated tooling to further refine the alerts they receive and to produce additional automated alerts based on aggregated information and curated subject matter expertise. This tooling gives CISA analysts the capability to comb through data in an automated fashion with mathematically and probabilistically based models, ensuring that high-fidelity anomalies are detected in a timely manner.
AI techniques used: Machine Learning
Stage of System Development Life Cycle: Initiation