DHS Automated Information Sharing (AIS) Program

Transcription

1 DHS Automated Information Sharing (AIS) Program 2018 Infoblox Inc. All rights reserved. Page 1 of Infoblox Inc. All rights reserved.

2 DHS Automated Information Sharing (AIS) Program Infoblox AIS Program Overview and Deployment Guide Introduction This document provides an overview of the DHS Automated Indicator Sharing (AIS) Program Threat Indicator Feeds and preliminary steps on how to deploy and utilize this data in the protection of your network. As this program evolves, Infoblox will enhance our applicable customer offerings in a continuous effort to deliver timely, accurate, and comprehensive threat intelligence in ways that customers can efficiently consume. AIS AIS: A Cybersecurity Block Watch As stated on the DHS website, The Department of Homeland Security s (DHS) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators between the Federal Government and the private sector at machine speed. Threat indicators are pieces of information like malicious IP addresses or the sender address of a phishing (although they can also be much more complicated). AIS is a part of the Department s effort to create an ecosystem where as soon as a company or federal agency observes an attempted compromise, the indicator will be shared in real time with all our partners, protecting them from that threat. That means adversaries can only use an attack once, which increases their costs and ultimately reduces the prevalence of cyber attacks. While AIS won t eliminate sophisticated cyber threats, it will allow companies and federal agencies to concentrate more on them by clearing away less sophisticated attacks. Ultimately, the goal is to commoditize cyber threat indicators through AIS so that tactical indicators are shared broadly among the public and private sector, enabling everyone to be better protected against cyber attacks Infoblox Inc. All rights reserved. Page 2 of 5

3 Infoblox s Role as a Commercial Capability for AIS Infoblox s Role as a Commercial Capability for AIS Infoblox supports leveraging collective threat intelligence to broaden our customers viewpoints into the external threat space. In many cases, indicators that start out as suspicious broken infrastructure from one organization s perspective quickly become threat attack components for another organization. As the market leader in core network services, and by actively participating in and enhancing programs like AIS, Infoblox can function as an effective distribution mechanism where our customers can realize the outsized impact of Threat Intelligence Exchange Programs like AIS. Utilize AIS Data Today with Infoblox ActiveTrust Utilize AIS Data Today with Infoblox ActiveTrust As a qualified commercial capability provider, Infoblox has completed the technical and operational integrations necessary to distribute AIS threat data to our private sector customers. In addition, we have completed the terms of use and interconnectivity agreements on behalf of our customers who wish to deploy this data in their network protection mechanisms immediately. No additional agreements are required. Infoblox presents the AIS Threat Indicators in a variety of ways within our ActiveTrust Solutions: Threat Intelligence Data Exchange (TIDE): o For bulk download use cases, customers can pull the historical and updated AIS indicator sets both manually and via the TIDE API in a variety of formats. o For correlation use cases, customers can search the AIS data set for evidence of specific hostnames or IP addresses. Dossier: o For customers who have access to AIS Commercial threat indicators, Dossier will be automatically enabled and search against this data set. For those AIS indicators where additional context is needed, Dossier query results offer a broad set of information for better threat response and triage. RPZ Feeds: 2018 Infoblox Inc. All rights reserved. Page 3 of 5

4 o o Infoblox offers curated sets of threat indicators for native inclusion in Infoblox DNS Firewall implementations. This allows you to leverage your DNS Resolver as the AIS integration engine, then block or alert on outbound traffic that intersects with the most recent AIS Threat Data. AIS in TIDE AIS in TIDE Once you have authorized Infoblox to activate your access to the AIS Indicator Feeds, log into the TIDE platform. Once logged in, you can access the AISCOMM data source under your data attributes menu, and refine your search query as necessary. Within TIDE you can access AIS data via our API using the Interactive API Guide, with the source profile set to AISCOMM, and generate the outputs in a variety of formats, including CSV, JSON, and CEF. AIS: How to Engage AIS: How to Engage We encourage all commercial customers of Infoblox to engage the AIS Program data. This guide will lay out the general steps to deploy the AIS Threat Indicators for network protection in your Enterprise. AIS Data in Dossier AIS Data in Dossier Within Dossier you can access AIS data via simple searches on specific data types such as IPs and Hostnames. Dossier provides additional context from other sources on known AIS indicators and can provide useful context for response action when you have an RPZ hit on an indicator sourced from AIS Infoblox Inc. All rights reserved. Page 4 of 5

5 FAQs FAQs Is there an additional cost for the AIS data? No. Both as part of our agreement with DHS and as part of our strategy to enable crowdsourced threat intelligence within our customer base, there is no additional cost associated with this data. How are the AIS indicators originated? Generally, the AIS data set originates from two efforts. First, DHS itself contributes threat data from NCCIC Policy watch lists and from methods within the US Federal space that discover new indicators of compromise. The second pathway is from DHS AIS program members themselves a growing list of organizations in a variety of sectors. These organizations contribute back suspect or malicious indicators to the AIS data store, to enhance collective threat intelligence Infoblox Inc. All rights reserved. Page 5 of 5