Automated Indicator Sharing


Automated Indicator Sharing (AIS), a Cybersecurity and Infrastructure Security Agency (CISA) capability, enables the real-time exchange of machine-readable cyber threat indicators and defensive measures to help protect participants of the AIS community and ultimately reduce the prevalence of cyberattacks.  The AIS community includes private sector entities; federal departments and agencies; state, local, tribal, and territorial (SLTT) governments; information sharing and analysis centers (ISACs) and information sharing and analysis organizations (ISAOs); and foreign partners and companies. AIS is offered at no cost to participants as part of CISA’s mission to work with our public and private sector partners to identify and help mitigate cyber threats through information sharing and provide technical assistance, upon request, that helps prevent, detect, and respond to incidents.

The AIS ecosystem empowers participants to share cyber threat indicators and defensive measures, such as information about attempted adversary compromises as they are being observed, to help protect other participants of the AIS community and ultimately limit the adversary’s use of an attack method. The more you share, the more everyone becomes informed, and the more we all prevent further damage from vicious cyber-attacks together!

Cybersecurity Information Sharing Act of 2015 Procedures and Guidance
Policies and procedures relating to the receipt and use of cyber threat indicators by federal entities, guidelines relating to privacy and civil liberties in connection with the exchange of those indicators, and guidance to federal agencies on sharing information in the government's possession.

How AIS Works

AIS uses open standards: the Structured Threat Information Expression (STIX™) for cyber threat indicators and defensive measures information and the Trusted Automated Exchange of Indicator Information (TAXII™) for machine-to-machine communications. Using standards allows threat activity context such as tactics, techniques, and procedures, vulnerabilities, and courses of action to be shared through a communications protocol to and from participants.  

AIS uses a server/client architecture for communications. AIS participants connect to AIS with a STIX/TAXII client (which can be built or bought from commercial vendors) to exchange cyber threat indicators and defensive measures with CISA and, in turn, other AIS participants via the AIS TAXII Server. CISA respects organizational privacy; AIS anonymizes submissions by default when transmitting them, meaning that the identity of the submitter is not revealed without the prior express consent of the submitter.

In the future, CISA intends to provide additional AIS features to allow participants to identify the most operationally relevant indicators. As CISA receives participant feedback, it will continue to perform updates to make AIS as useful and relevant to the community as possible. Please send any feedback to cyberservices@cisa.dhs.gov.

The Cybersecurity Information Sharing Act of 2015

CISA is the designated hub for the sharing of cyber threat indicators and defensive measures between the federal government and private sector pursuant to the Cybersecurity Information Sharing Act of 2015 (CISA 2015).  This law grants liability protection, privacy protections, and other protections to organizations that share cyber threat indicators and defensive measures through AIS in accordance with the Act’s requirements. As mandated by CISA 2015, DHS certified the operation of AIS in March 2016 and released guidance, in conjunction with the Department of Justice, to help private sector entities share cyber threat indicators with the Federal Government.  This guidance, as well as other guidance published pursuant to the Act, can be found on the Cybersecurity Information Sharing Act of 2015 Procedures and Guidance Documentation Page and can also be found with the rest of the AIS documents on the AIS Documentation Page.

 

Participant Protections

AIS offers anonymity, as well as liability and privacy protections, to encourage the submission of cyber threat indicators and defensive measures.

CISA 2015 grants liability protection to organizations sharing and receiving cyber threat indicators and defensive measures, provided sharing is done in accordance with all the Act’s requirements. Liability protection applies to the following sharing arrangements, if the sharing is otherwise conducted in accordance with the Act:

  • Non-federal entities (private sector entities, SLTT governments, international partners, ISACs/ISAOs) sharing with other non-federal organizations
  • Non-federal entities sharing with CISA and other federal agencies through AIS. *

CISA has taken careful measures to ensure appropriate privacy and civil liberties protections are fully implemented in AIS and are regularly tested. CISA has published a Privacy Impact Assessment of AIS, which can be found on the AIS Documentation Page.

To ensure that personally identifiable information (PII) is protected, AIS has processes that:
  • Perform automated analyses and technical mitigations to delete PII that is not directly related to a cyber threat;
  • Incorporate elements of human review on select fields of certain indicators to ensure that automated processes are functioning appropriately;
  • Minimize the amount of data included in a cyber threat indicator to information that is directly related to a cyber threat;
  • Retain only information needed to address cyber threats; and
  • Ensure any information collected is used only for network defense or limited law enforcement purposes.

All cyber threat indicators and defensive measures submitted through AIS by non-federal entities are afforded additional protections when the sharing is done in accordance with all requirements of CISA 2015, including:
  • Exemption from anti-trust laws;
  • Exemption from federal, state, tribal, and local disclosure laws;
  • Exemption from certain state and federal regulatory uses;
  • No waiver of privilege for shared material;
  • Treated as commercial, financial, and proprietary information when so designated; and
  • Not subject to any executive branch rules or judicial doctrine regarding ex parte communications with a decision-making official.**

* Federal organizations do not receive liability protection when sharing with one another, but some aspects of CISA 2015 apply (e.g., privacy requirements when sharing cyber threat indicators).
** For more information regarding the other protections under the Cybersecurity Information Sharing Act of 2015, see the Non-Federal Entity Sharing Guidance under the Cybersecurity Information Sharing Act of 2015 (updated October 2020).

How to Participate in AIS

AIS is a free service. To participate, please complete the following steps:

  1. Contact cyberservices@cisa.dhs.gov for engagement information and taxiiadmins@us-cert.gov for technical assistance during your onboarding.
  2. Agree to a brief Terms of Use for non-federal organizations or the Multilateral Information Sharing Agreement (MISA) for federal organizations.
  3. Acquire a STIX/TAXII capability: use an open source TAXII client, provided by DHS or others in the community (e.g., ISACs, ISAOs), or obtain access via a commercial solution.
  4. Get a PKI certificate from a Federal Bridge Certificate Authority (you may need to purchase if you do not have one already).
  5. Sign an Interconnection Agreement and provide your IP address to CISA.

To get started, please contact cyberservices@cisa.dhs.gov. A FAQ is also available on the AIS Documentation Page.

Other Ways to Connect: ISACs, ISAOs, Threat Providers

Instead of interacting directly with CISA, you can also share and receive AIS cyber threat indicators and defensive measures through a participating ISAC or ISAO or via an AIS-integrated commercial product or service. Customers are only required to sign an AIS Terms of Use Agreement if they want to receive data designated with distribution limitation “TLP: Amber.” Visit the Traffic Light Protocol (TLP) page for further information.

CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.

Commercial providers offer AIS data to existing subscribers at no extra cost:

 

ISACs/ISAOs also offer AIS data to existing members via ISAC/ISAO-provided automated data connections**:

**Other ISACs do receive AIS data but might not offer a member CTI feed connection and therefore do not distribute AIS data.

How to Share CTIs and DMs

CISA highly encourages AIS participants to share cyber threat indicators and defensive measures via the bidirectional AIS TAXII connection. Information on how to share cyber threat indicators and defensive measures via the bidirectional AIS TAXII connection is found in the AIS Submission Guidance document.

CISA will also conduct conference calls or webinars with companies that have questions about the on-boarding requirements or receiving, using, or sharing indicators and defensive measures. Engagement requests can be sent to cyberservices@cisa.dhs.gov.

Other opportunities to share cyber threat information with CISA, including cyber threat indicators and defensive measures potentially subject to the protections of CISA 2015 described above, include using the Share indicators and defensive measures submission form or other available reporting methods listed on the Report Cyber Issue page.

AIS 2.0 Documents for More Information

AIS Terms of Use (TOU) v3.0: The TOU give the basic rules and responsibilities for connecting to the TAXII Server as well as some basic terminology that is used in the program.

AIS Fact Sheet: AIS program overview document (2 pages).

CISA AIS TAXII Server Connection Guide v2.0: This TAXII Server Connection Guide v1.0 documents the formal requirements needed to successfully connect to the Cybersecurity and Infrastructure Security Agency (CISA) Automated Indicator Sharing (AIS) Trusted Automated Exchange of Intelligence Information (TAXII) server. In addition, common questions and best practices are provided to help customers connect to the TAXII server and enable polling of AIS Structured Threat Information Expression (STIX) Cyber Threat Indicators (CTI) and Defensive Measures (DM) content.

The AIS Frequently Asked Questions (FAQ) V2.0: The FAQ provides a list of frequently asked questions and answers from stakeholders to assist new participants in understanding how Automated Indicator Sharing (AIS) is implemented.   

AIS Privacy Impact Assessment: Privacy Impact Assessment for the Automated Indicator Sharing (AIS) Program.

AIS Federal Multilateral Information Sharing Agreement (MISA): The purpose of this cross-government Multilateral Information Sharing Agreement (MISA), herein referred to as the “Agreement,” is to enhance cybersecurity information sharing among federal agencies in order to better protect the United States from malicious cyber actors in a manner that is fully consistent with the Constitution and laws of the United States, Executive Orders and other Executive Branch directives and policies, court orders, and all other legal, policy, and oversight requirements.

Cybersecurity Information Sharing Act of 2015: Cybersecurity Information Sharing Act of 2015 Original Act from the Government Printing Office.

AIS Interconnection Agreement: The Interconnect Agreement describes general responsibilities on both sides of the sharing relationship to ensure the Trusted Automated Exchange of Intelligence Information (TAXII) connectivity is properly secured and CISA knows who to contact regarding, e.g., maintenance windows or suspicious activity on the CISA-owned TAXII server.  Please complete this with Point of Contact information so we can engage with the right security staff on your team.

Non-Federal Entity Sharing Guidance under the Cybersecurity Information Sharing Act of 2015: Guidance to assist non-Federal entities to share Cyber Threat Indicators and Defensive Measures with Federal entities under the Cybersecurity Information Sharing Act of 2015

Federal Government Sharing Guidance under the Cybersecurity Information Sharing Act of 2015: Guidance to assist Federal entities to share Cyber Threat Indicators and Defensive Measures with Federal entities under the Cybersecurity Information Sharing Act of 2015

Privacy and Civil Liberties Guidelines under the Cybersecurity Information Sharing Act of 2015: Privacy and Civil Liberties Final Guidelines: Cybersecurity Information Sharing Act of 2015 

Final Operational Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government: Consistent with section 105(a)(2) and (3) of the Cybersecurity Information Sharing Act of 2015 (CISA), this document establishes procedures relating to the receipt of cyber threat indicators and defensive measures by all federal entities under CISA. It describes the processes for receiving, handling, and disseminating information that is shared with DHS pursuant to section 104(c) of CISA, including through operation of the DHS Automated Indicator Sharing capability under section 105(c) of CISA. It also states and interprets the statutory requirements for all federal entities that receive cyber threat indicators and defensive measures under CISA to share them with other appropriate federal entities.

AIS 2.0 Submission Guidance v1.0: The purpose of this document is to provide guidance for AIS participants when submitting CTIs and DMs in the Structured Threat Information Expression (STIX) format via the Trusted Automated Exchange of Intelligence Information (TAXII). The AIS 2.0 Submission guidance v1.0 can be utilized with the AIS 2.0 profile v1.0 document to help AIS participants understand all requirements for submissions to AIS. In addition, there are several sample files with STIX indicators provided below.

AIS 2.0 STIX Profile v1.0: The purpose of this document is to define the formal set of submission requirements for AIS Participants when submitting CTIs and DMs to AIS using the Structured Threat Information Expression (STIX) format via the Trusted Automated Exchange of Intelligence Information (TAXII).

AIS Brokering Between the Non-Federal Entities Sharing Community and the Federal Entities Sharing Community v2.0 – (For AIS federal customers) The AIS Brokering Document provides significant detail on the brokering functions provided by DHS, and provides additional guidance and examples specifically for federal entities to mark information with ACS markings they intend to share with the non-federal and federal entities via AIS.

Information Sharing Architecture (ISA) Access Control Specification (ACS) v3.0a June 2019 -  This Access Control Specification (ACS) document, the result of that collaboration, specifies the data elements required to implement automated access control systems based on the relevant policies governing sharing between participants.

Automated Indicator Sharing (AIS) Foreign Language Translation Process v 1.0: The AIS Foreign Language Translation Process is a process that translates non-English AIS submissions (objects and properties) into English to broaden the usability of the cyber threat intelligence by AIS participants.

Automated Indicator Sharing (AIS) Scoring Framework Used for Indicator Enrichment: CISA uses the AIS Scoring Framework to provide an opinion value for each Indicator object submitted to AIS, and will also use it when CISA provides a confidence score on CISA-published Indicator objects. Together, these enrichments can help those receiving information from AIS prioritize actioning and investigating Indicator objects. This document describes methodology to explain how CISA develops opinion values and confidence scores for individual Indicator objects when provided, and so other organizations can decide whether to use the same methodology in developing their own opinion values and confidence scores.

Automated Indicator Sharing (AIS) Identity Anonymization Process V1.0: The AIS Identity Anonymization Process is a process that anonymizes the identity of organizations submitting information to the Automated Indicator Sharing (AIS) program. This guide reviews how the AIS anonymization process works.

AIS Status Service V1.0: The AIS Status Service enables users to check the processing status of their STIX submission as well as if there were any issues with their submission. In particular, the AIS Status Service reports on whether the objects in the submission passed validation against the AIS Profile and STIX 2.1 Specification and if the submission is undergoing human review for personally identifiable information (PII) such as an individual’s name, email, or social security number. This guide outlines how the AIS status service works.

Filtering AIS Content Based on Specified Criteria V1.0: Filters are a capability in the Trusted Automated Exchange of Intelligence Information (TAXII) specification that enable users to query and retrieve a subset of Structured Threat Information Expression (STIX) content from the entire set of STIX content on a TAXII server based on a set of parameters. Filters assist analysts in the triage process and allow them to extract a smaller subset of the overall AIS feed to prioritize the STIX objects that are most likely to be actionable in support of their organization’s network defense. This guide reviews how TAXII filtering works and includes example filters for common use cases.

Automated Indicator Sharing (AIS) 2.0 Public Facing Test Environment (PFTE): The PFTE is a pre-production instance of the Automated Indicator Sharing (AIS) 2.0 Trusted Automated Exchange of Intelligence Information (TAXII) server that hosts sample content and allows testing of many AIS 2.0 TAXII server capabilities before they are rolled out to production. This document identifies the various features and use cases available to AIS participants before they decide to participate in the AIS production environment. CISA highly encourages users to use the PFTE before connecting to the AIS production environment.

STIX 2.1 Samples:

malware_example: STIX 2.1 sample identifying malware indicators and associated context.

sighting_example: STIX 2.1 sample containing a sighting of malware and associated context.

CISA FLARE TAXII Client for AIS 2.0: CISA-developed open-source TAXII graphical user interface client capable of polling and publishing to/from the AIS TAXII server. The software can be downloaded from GitHub using the above link as a container file, giving AIS participants an easy method of installing a TAXII client on any container-compatible platform, such as Docker. It is also available for download in non-container format. This client is compatible with both TAXII/STIX 1.1 and 2.1. The code repository is located on GitHub and linked above.

AIS 1.0 Documents for More Information

See below for all available Automated Indicator Sharing (AIS) related documents:

AIS Terms of Use (TOU) v3.0: The TOU give the basic rules and responsibilities for connecting to the TAXII Server as well as some basic terminology that is used in the program.

AIS Fact Sheet: AIS program overview document (2 pages).

The AIS Frequently Asked Questions (FAQ): The FAQ provides a list of frequently asked questions and answers from stakeholders to assist new participants in understanding how Automated Indicator Sharing (AIS) is implemented.   

AIS Privacy Impact Assessment: Privacy Impact Assessment for the Automated Indicator Sharing (AIS) Program.

AIS Federal Multilateral Information Sharing Agreement (MISA): The purpose of this cross-government Multilateral Information Sharing Agreement (MISA), herein referred to as the “Agreement,” is to enhance cybersecurity information sharing among federal agencies in order to better protect the United States from malicious cyber actors in a manner that is fully consistent with the Constitution and laws of the United States, Executive Orders and other Executive Branch directives and policies, court orders, and all other legal, policy, and oversight requirements.

Cybersecurity Information Sharing Act of 2015: Cybersecurity Information Sharing Act of 2015 Original Act from the Government Printing Office.

AIS Interconnection Agreement - The Interconnect Agreement describes general responsibilities on both sides of the sharing relationship to ensure the Trusted Automated Exchange of Intelligence Information (TAXII) connectivity is properly secured and CISA knows who to contact regarding, e.g., maintenance windows or suspicious activity on the CISA-owned TAXII server.  Please complete this with Point of Contact information so we can engage with the right security staff on your team.

Non-Federal Entity Sharing Guidance under the Cybersecurity Information Sharing Act of 2015: Guidance to assist non-Federal entities to share Cyber Threat Indicators and Defensive Measures with Federal entities under the Cybersecurity Information Sharing Act of 2015

Federal Government Sharing Guidance under the Cybersecurity Information Sharing Act of 2015: Guidance to assist Federal entities to share Cyber Threat Indicators and Defensive Measures with Federal entities under the Cybersecurity Information Sharing Act of 2015

Privacy and Civil Liberties Guidelines under the Cybersecurity Information Sharing Act of 2015: Privacy and Civil Liberties Final Guidelines: Cybersecurity Information Sharing Act of 2015 

Final Operational Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government: Consistent with section 105(a)(2) and (3) of the Cybersecurity Information Sharing Act of 2015 (CISA), this document establishes procedures relating to the receipt of cyber threat indicators and defensive measures by all federal entities under CISA. It describes the processes for receiving, handling, and disseminating information that is shared with DHS pursuant to section 104(c) of CISA, including through operation of the DHS Automated Indicator Sharing capability under section 105(c) of CISA. It also states and interprets the statutory requirements for all federal entities that receive cyber threat indicators and defensive measures under CISA to share them with other appropriate federal entities.

AIS Submission Guidance: The Submission Guidance provides details for crafting cyber threat indicators in Structured Threat Information Expression (STIX) format, along with explanation of how to use Traffic Light Protocol (TLP). In Appendix A, all the STIX indicator fields from the AIS profile are included with information and examples for each. In addition, there are several examples of STIX indicators attached.

AIS Submission Guidance Appendix A (AIS STIX Profile): In Appendix A, all the STIX indicator fields from the AIS profile are included with information and examples for each. The fields present in this document are the only fields accepted as part of the AIS STIX profile. Other STIX fields not present in this document are disallowed by AIS.

AIS Brokering Between the Non-Federal Entities Sharing Community and the Federal Entities Sharing Community – (For AIS federal customers) The AIS Brokering Document provides significant detail on the brokering functions provided by DHS, and provides additional guidance and examples specifically for federal entities to mark information with ACS markings they intend to share with the non-federal and federal entities via AIS.

AIS ACS Marking Guidance – (For AIS federal customers) This document is intended for federal sharing community readers who have some familiarity with AIS, STIX, and XML and wish to create and mark STIX documents in XML for sharing with AIS.

Information Sharing Architecture (ISA) Access Control Specification (ACS) v3.0a June 2019: This Access Control Specification (ACS) document, the result of that collaboration, specifies the data elements required to implement automated access control systems based on the relevant policies governing sharing between participants.

CISA AIS TAXII Server Connection Guide v1.0: This TAXII Server Connection Guide v1.0 documents the formal requirements needed to successfully connect to the Cybersecurity and Infrastructure Security Agency (CISA) Automated Indicator Sharing (AIS) Trusted Automated Exchange of Intelligence Information (TAXII) server. In addition, common questions and best practices are provided to help customers connect to the TAXII server and enable polling of AIS Structured Threat Information Expression (STIX) Cyber Threat Indicators (CTI) and Defensive Measures (DM) content.

 
