Real-Time Indicator Feeds
The real-time cyber threat intelligence indicator feeds from CIS are easy to implement and available for free to U.S. State, Local, Tribal, and Territorial entities (SLTTs). Thanks to industry-standard formatting, the feeds are easy to ingest into most modern security and analysis tools. The service helps automate defensive actions, correlate events, conduct analysis, and make better, faster, more impactful decisions.
The best intelligence doesn’t just identify potential threats, it helps predict them. The Cyber Threat Intelligence (CTI) team combines specialized expertise in intelligence gathering and technical analysis with one of the largest data streams in the country to provide high value, actionable intelligence for our members. We help our members shift to predicting the next threat before it happens, instead of waiting to identify when they’ve already become a victim.
Applications of the Feeds
Automated defensive actions, such as blocking associated traffic using firewalls and other perimeter devices, is one use of the feeds. Other members may wish to correlate activity in analytic environments or conduct their own analysis for incident response.
In most cases, organizations don’t need any additional equipment to use this capability. Examples of cybersecurity tools that can ingest our feeds include:
- Intrusion Detection or Prevention Systems (IDS/IPS)
- Security Incident and Event Management (SIEM) platforms
- Security Orchestration and Automated Response (SOAR) tools
- Endpoint Detection and Response (EDR) agents
- Threat Intelligence Platforms (TIP)
- Trusted Automated eXchange of Intelligence Information (TAXII) platforms and other databases
Intelligence Sources and Indicators
We ingest threat data from more than 200 sources, including dozens unique to us and our Federal partners, and carefully distill it down to the highest impact indicators for our members. Intelligence sharing can be bi-directional with this service. While we’ll always share information with all of our members, any members who are able can also share intelligence with us to benefit the broader community.
The MS-ISAC feeds contain the following types of indicators:
- IPs (both v4 and v6)
- Full URLs (references to specific web resources)
- Email addresses
- File hashes
- Unique HTTP requests
As the data set grows and the feeds evolve, additional context surrounding these indicators will also be shared. This includes information such as registration information, relationships between indicators, associated threat groups, and more.
Standard Feed Formats
The feeds are available in standard formats to enable most members to ingest directly into their security devices.
Structured Threat Intelligence eXpression (STIX)
STIX is a free and open source language and serialization format used to exchange CTI. CIS maintains multiple collections that allow members to choose the kind of information that makes sense to ingest:
- MS-ISAC Collection – this collection contains indicators derived from MS-ISAC resources only.
- AIS Collection – this collection contains indicators derived from the CISA Automated Indicator Sharing (AIS) community and Cyber Information Sharing and Collaboration Program (CISCP) community sources only.
- Curated Feeds Collection – this collection contains indicators derived from all sources available to the CIS CTI team.
Trusted Automated eXchange of Intelligence Information (TAXII)
TAXII is an application protocol specifically designed for transmitting STIX data. Members do not need to maintain their own TAXII infrastructure; local security devices only need to accept a STIX feed from our TAXII server.
Malware Information Sharing Platform (MISP)
MISP is a free and open source software developed and maintained by the Computer Incident Response Center of Luxembourg (CIRCL) designed to facilitate information sharing of threat intelligence including, but not limited to, CTI.
The CIS MISP instance does not yet include all of the same information that is available in the STIX/TAXII feed, but we’re working on it! Stay tuned for more.
U.S. SLTTs can get connected by emailing our team at firstname.lastname@example.org.
To connect to the STIX/TAXII feed, you will be asked to provide the following information:
- Your contact information (individual or team) including primary contact name and email address
- Your SLTT organizational affiliation
- Public IP addresses or CIDR netblocks from which your organization will connect to the feed
- The subscribing device type (model and version)
- The STIX version(s) your device supports
If you are seeking to connect to our MISP collection, please specify upon contacting us as that is a separate process and different information will be required.