Automated Indicator Sharing with Intel Exchange
Cyware's Intel Exchange is part of the group of commercial providers recognized by the U.S. Department of Homeland Security (DHS) for enabling access to its Automated Indicator Sharing (AIS) threat intelligence feed.
Analysts can use Intel Exchange to:
Ingest the AIS feed into the Intel Exchange threat intelligence lifecycle,
Share threat intelligence from Intel Exchange with the DHS.
The bidirectional threat intelligence sharing with the DHS enables private and public organizations to collaborate and helps them understand important aspects of the threat intel life cycle.
Use the following steps to configure bidirectional threat intel sharing with Intel Exchange:
Before you Start
Ensure you meet the following preconditions before you start configuring an AIS source and submit intel:
You must have the Discovery Service URL and authentication details of the AIS source.
Your user group in Intel Exchange must have permission to create STIX sources, view threat data, and submit detailed intel.
Configure an AIS STIX 2.1 Source in Intel Exchange
Create an AIS STIX source in Intel Exchange so that you can publish threat intel from Intel Exchange to the AIS STIX source. To create a STIX source, see Configure STIX Sources.
Create AIS Consent Labels as Tags in Intel Exchange
AIS Consent labels control how information about identity objects is shared with federal or non-federal identities. Add the following AIS Consent labels as tags in Intel Exchange to include them in your STIX submissions. See Create a Tag and create the following tags in Intel Exchange.
ais-consent-none: Your identity is not disclosed, except as permitted in the AIS terms of use. This is the default and most restrictive AIS consent label.
ais-consent-usg: Your identity is shared only with federal entities.
ais-consent-everyone-cisa-proprietary: Your identity is shared with all AIS participants and federal entities. All objects in your submission that reference the Identity SDO are considered proprietary.
ais-consent-everyone: Your identity is shared with all AIS participants and federal entities.
Submit Detailed Intel Using AIS Guidelines
The AIS defines a few guidelines on creating STIX submissions for its participants to submit the threat data. Submissions are rejected if the guidelines are not followed.
Understand the AIS guidelines to create and publish STIX submissions using Detailed Submission in Intel Exchange. For more information on detailed submission in Intel Exchange, see Submit Detailed Intel.
Include an identity object in your STIX submissions that represents the entity or organization that is making this submission. This object is called Producer Identity SDO.
Select Identity in STIX Component and configure the following details for the identity object.
CTIX Path
Description
STIX Component > Identity > Basic Details > Name
Name of this STIX Identity Object from which is creating the intel and submitting to AIS.
STIX Component > Identity > Basic Details > Identity Class
The class that this STIX Identity Object belongs to such as an individual, or an organization.
STIX Component > Identity > Basic Details > Sector
The industry sector that this identity object belongs to such as the energy sector, chemical sector, and so on. See Sector Mapping between AIS and STIX.
STIX Component > Identity > Common Fields > Tags
Include a tag and specify an AIS Consent Label to the Identity object. You can include the AIS Consent Labels that you added as Tags in the CTIX application. If you do not include an AIS consent label tag, your submission will default to the most restrictive AIS Consent Label ais-consent-none.
Add a location SDO in your submission to provide location details for the Producer Identity SDO. Use the following guidelines to configure details for the location SDO.
Intel Exchange Path
Description
STIX Component > Location > Basic Details > Country
Choose a country code. The country codes displayed follow (ISO) 3166-1 ALPHA-2 code standard.
STIX Component > Location > Basic Details > Administrative Area
Enter a state, province, or other sub-national administrative area associated with the submitter using the ISO 3166-2 format.
Relations > Relationships > Select Primary Object > Object Type
Choose the object type as Identity Object
Relations > Relationships > Select Primary Object > Object Title
Choose the Producer Identity SDO
Relations > Relationships > Select Secondary Object > Object Type
Choose the object type as Location Object
Relations > Relationships > Select Secondary Object > Object Title
Choose the Location SDO that describes the location details for the Producer Identity SDO.
Relations > Relationships > Relation Type
Select related-to
You must include TLP for every SDO or SRO submission to non-federal entities. If you do not include a TLP, the TLP will default to Green.
CTIX Path
Description
STIX Submission > Common Fields > TLP
Select an appropriate TLP value for the objects included in your submission.
Include the Producer Identity SDO as a reference object for every SDO or SRO object in your submission.
CTIX Path
Description
STIX Component > Common Fields > Created by Reference
Created by Reference indicates the entity that created this object.
Include the STIX Identity SDO here.
Enter all data in the submission in English unless the threat intel itself is in a foreign language.
Enter the TLP as White or Green, so that the threat intel can be shared with a wider audience.
Do not submit any proprietary information as TLP White as it can be shared publicly.
Do not submit any Personally Identifiable Information (PII) in your submissions. You can consider including some PII in your submissions only if it is directly related to threat intel.
Configure Intel Exchange as AIS Subscriber
If the collections configured in Intel Exchange are enabled for inboxing functionality, then AIS-affiliated vendors can inbox the threat intel to these collections. You can then view the threat data in Intel Exchange. For more information on creating STIX collections in Intel Exchange and enabling inbox, see Create STIX Collections.
Sector Mapping between AIS and STIX
The sectors that are defined in the detailed form in Intel Exchange are classified as per STIX vocabulary. STIX vocabulary maps to the Presidential Policy Directive (PPD) used in AIS submissions are as follows.
PPD 21 | STIX |
|---|---|
Food and Agriculture Sector | Agriculture |
Chemical Sector | chemical |
Commercial Facilities Sector | commercial, entertainment, hospitality-leisure, retail |
Communications Sector | communications, telecommunications |
Critical Manufacturing Sector | manufacturing |
Defense Industrial Base Sector | defense |
Energy Sector | energy, mining |
Financial Services Sector | financial-services, insurance |
Emergency Services Sector | emergency-services |
Government Facilities Sector | education, government-local, government-national, government-public-services, government-regional |
Healthcare and Public Health Sector | healthcare, pharmaceuticals |
Dams Sector | dams |
Nuclear Reactors, Materials, and Waste Sector | nuclear |
Water and Wastewater Systems Sector | government-public-services, water |
Information Technology Sector | technology, telecommunications |
Transportation Systems Sector | aerospace, automotive, transportation |
Other | non-profit |