Revolutionizing CISA TIES with Hybrid AI Data Fabric

Introduction

The CISA Threat Intelligence Enterprise Services (TIES) platform represents the operationalization of a crucial research initiative—Integrated Adaptive Cyber Defense (IACD)—originally sponsored by CISA and NSA from 2015 to 2019 at Johns Hopkins University Applied Physics Laboratory (JHU-APL). This research aimed to improve security automation and orchestration, focusing primarily on standards like OpenC2, STIX, and TAXII for bottom-up security processes, such as automated responses to security events. I actively participated in the IACD community as a member of industry but my focus was on AI-Driven Integrated Adaptive Cyber Defense.

My original AI-Driven Integrated Adaptive Cyber Defense (AI-Driven IACD) approach took the IACD initiative a step further by emphasizing the importance of a top-down AI-driven framework. This approach proposed the integration of knowledge representation and reasoning (KR&R) techniques, such as OWL (Web Ontology Language) and RDF (Resource Description Framework), alongside analytics and machine learning capabilities. By structuring knowledge and automating workflows using AI, this model enables smarter, context-aware decision-making, making cybersecurity operations more adaptive and resilient.

The Hybrid AI Data Fabric is the update, five years later, of my original AI-Driven IACD framework from 2015-2019. Applied to the CISA TIES platform, it leverages KR&R, graph-based retrieval, and advanced AI workflows to enhance how threat intelligence is processed, shared, and acted upon. Unlike traditional bottom-up automation, the Hybrid AI Data Fabric integrates data from diverse sources into a knowledge graph that AI agents can query in real time, making decisions based on the context and relationships between threat indicators, vulnerabilities, adversaries, and other critical cyber entities.

Overview of the Hybrid AI Data Fabric

The Hybrid AI Data Fabric is designed to unify data, information, and knowledge across disparate systems and sources into a cohesive, intelligent architecture. It builds on the key concepts from the AI-Driven IACD model and adapts them for the operational needs of CISA TIES.

At its core, the Hybrid AI Data Fabric consists of:

  • Ontology-Driven Knowledge Representation and Reasoning (KR&R): Ontologies such as OWL and RDF knowledge graphs provide the foundation for understanding and structuring relationships between cyber entities like Indicators of Compromise (IoCs), Tactics, Techniques, and Procedures (TTPs), vulnerabilities, and adversaries. This structured knowledge enables AI agents to perform automated reasoning, hypothesis generation, and real-time decision-making.
  • Graph-Based Retrieval-Augmented Generation (GraphRAG): AI agents retrieve relevant, contextually accurate data from the knowledge graph to inform decisions. By leveraging graph-based retrieval, agents ensure that threat intelligence and recommendations are grounded in real-time data and historical context, preventing "hallucinations" or irrelevant suggestions often associated with traditional AI models.
  • Proactive Automation and Machine Learning: While KR&R provides the context and structured understanding, analytics and machine learning play a complementary role in detecting latent patterns and automating complex workflows. The Hybrid AI Data Fabric integrates predictive AI to recommend preemptive actions, proactively identifying vulnerabilities and threats before they can escalate.
  • Federated Threat Intelligence Sharing and Data Integration: The Hybrid AI Data Fabric supports federated querying across distributed data sources, allowing threat intelligence to be shared securely across different sectors, while maintaining data sovereignty. This ensures that critical threat information can be accessed and acted upon without moving or duplicating data across multiple environments.

Establishing the Foundation for the CISA TIES Use Case

The Hybrid AI Data Fabric applied to CISA TIES brings together the insights and capabilities from the original AI-Driven IACD framework, but in a more scalable, operationalized form. By integrating both bottom-up automation (e.g., OpenC2 commands, STIX/TAXII threat intelligence sharing) and top-down AI-driven decision-making (enabled by KR&R and machine learning), CISA TIES becomes a platform that can respond to modern cyber threats with unprecedented agility and accuracy.

  • Real-Time Decision-Making: AI agents within the Hybrid AI Data Fabric continuously ingest and process security events and external threat intelligence, generating adaptive playbooks based on the most relevant data. These playbooks guide security teams through both proactive and reactive responses, ensuring that decision-making is context-aware and grounded in fact.
  • Proactive Threat Detection: The ability to proactively detect and mitigate potential threats is enhanced by the integration of machine learning models, which identify patterns and vulnerabilities in real-time, combined with symbolic AI reasoning to validate hypotheses and suggest actionable responses.
  • Cross-Sector Collaboration: The Hybrid AI Data Fabric supports cross-sector collaboration by enabling secure, federated querying across multiple industries, allowing CISA TIES to distribute actionable intelligence without compromising the security or confidentiality of sector-specific data.

In this use case, the Hybrid AI Data Fabric represents a future-ready architecture that seamlessly merges the structured intelligence of ontologies with the adaptability of AI-driven automation. The CISA TIES platform, powered by this architecture, is positioned to handle the complexities of modern cybersecurity challenges with greater efficiency, precision, and scalability.

CISA TIES Hybrid AI Data Fabric Use Case

The CISA Threat Intelligence Enterprise Services (TIES) platform enhances cross-sector collaboration in cyber threat intelligence (CTI) sharing and analysis. With the introduction of the Hybrid AI Data Fabric, CISA TIES becomes a more intelligent, adaptive system capable of handling complex workflows, automating decision-making, and performing federated data integration. Ontologies are central to the system, allowing AI agents to operate with contextual understanding and fact-based reasoning. New ontologies can be added as needed to extend functionality for specific tasks or sectors.

Key Components of the Hybrid AI Data Fabric in CISA TIES

  1. Presentation Layer: User interfaces for analysts to visualize threat intelligence, risk assessments, and actionable insights. The interface integrates out-of-the-box solutions, third-party tools, and custom dashboards.
  2. AI Agents Layer: LLM-based AI agents perform automated, ontology-driven workflows within the knowledge graph. These agents interpret data in context and automate decision-making for tasks such as incident response, threat hunting, and cross-sector collaboration.
  3. GraphRAG Layer (Graph-based Retrieval-Augmented Generation): Ensures that AI agents retrieve relevant, fact-checked data from the knowledge graph. This layer enhances AI outputs by ensuring that data retrieved is contextually appropriate for the specific workflow or task.
  4. Analytics and Cognitive Layer: This layer supports symbolic AI reasoning, inference engines, and graph machine learning for advanced analysis, enabling predictive capabilities for threat detection, vulnerability management, and automated workflows.
  5. Knowledge Graph Layer: The RDF-based knowledge graph stores structured CTI, where ontologies define the relationships between entities such as IoCs, TTPs, vulnerabilities, and assets. The knowledge graph allows AI agents to understand relationships and make context-aware decisions.
  6. Integrated Federation/Provenance: This layer is responsible for data ingestion, normalization, federation, and mapping of distributed data from SIEMs, TIPs, EDR systems, and external CTI feeds. It integrates R2RML/RML mapping to transform source data into RDF/OWL formats, ensuring compatibility with the knowledge graph. The RDF 1.2 and RDF-star annotations ensure that data is auditable, provenance-tracked, and secure. SPARQL 1.2 enables federated querying across distributed datasets while maintaining data sovereignty and supporting fine-grained access control, so only authorized users access specific portions of the data.
  7. Source Data Layer: This includes on-premises and cloud-based data sources, such as network traffic logs, endpoint detection data, and external CTI feeds. The data is ingested and normalized via the Integration/Federation Layer to ensure it is usable for real-time analysis.

Focused Use Cases in CISA TIES with the Hybrid AI Data Fabric

CTI-Driven Incident Response

The Hybrid AI Data Fabric enhances incident response in CISA TIES by automating workflows using ontology-driven AI agents. These AI agents generate and adapt incident response playbooks based on real-time threat intelligence, using structured data from the knowledge graph to ensure that responses are factually accurate and context-aware.

  • Ontology-Driven Playbooks: AI agents create dynamic playbooks that are updated as new threat intelligence is ingested. These playbooks are grounded in the ontology-driven knowledge graph, ensuring that incident response actions are relevant and based on the most accurate data available.

Example: When a new vulnerability is detected in enterprise software, AI agents retrieve relevant historical exploits, TTPs, and mitigation strategies from the knowledge graph using GraphRAG. They automatically generate a playbook for response teams, instructing them to patch vulnerabilities, isolate compromised endpoints, and notify key stakeholders. As new intelligence is received, the playbook updates in real time.

Persistent Threat Hunting

In persistent threat hunting, AI agents use ontology-driven reasoning and graph analytics to correlate real-time threat intelligence with historical data. These automated workflows allow threat hunters to continuously refine their detection strategies based on the latest data.

  • Graph-Based Threat Correlation: AI agents use the knowledge graph to correlate live IoCs with historical patterns of attacks. The GraphRAG layer ensures that AI agents retrieve only the most relevant data, allowing threat hunting to focus on real threats and mitigate false positives.

Example: During a nation-state-sponsored threat hunt, AI agents automatically correlate IoCs from live alerts with previous nation-state attack patterns. As new intelligence is ingested, the AI agents adjust their detection workflows, proactively recommending areas to investigate, such as related vulnerabilities or potentially compromised endpoints.

Predictive AI for Vulnerability Management

The Analytics and Cognitive Layer enables predictive vulnerability management, allowing AI agents to anticipate potential exploitations by analyzing patterns from past incidents combined with real-time CTI.

  • Proactive Recommendations: AI agents use ontology-driven insights to predict zero-day vulnerabilities and recommend pre-emptive defenses. These predictions are based on patterns of previous vulnerabilities and known adversary tactics.

Example: When a new vulnerability is discovered in critical infrastructure, the AI agents predict likely attack vectors by correlating historical vulnerability exploitations with the new CTI. They recommend proactive defense measures, such as patching and system hardening, based on past exploit behaviors and anticipated attack scenarios.

Federated Threat Intelligence Sharing

The Integrated Federation/Provenance Layer allows for secure, federated querying of data across distributed data sources without the need to centralize the data. SPARQL 1.2 facilitates secure, role-based access to data while RDF-star annotations ensure data integrity and provenance tracking.

  • Cross-Sector Intelligence Sharing: Using named graphs and fine-grained access control, different sectors (such as finance, energy, and healthcare) can access only the CTI relevant to them, ensuring that sensitive data from other sectors remains protected.

Example: During a widespread ransomware attack, AI agents in the energy sector query the knowledge graph for indicators and attack vectors related to energy infrastructure. Meanwhile, the finance sector accesses its own relevant threat intelligence, ensuring cross-sector collaboration while maintaining the confidentiality of each sector’s data.

AI-Driven Playbooks for Incident Management

AI agents in CISA TIES generate adaptive incident response playbooks that follow CACAO standards and dynamically update based on real-time threat intelligence. These playbooks ensure that cybersecurity teams are always responding with the latest, most relevant information.

  • Real-Time Playbook Adaptation: AI agents automatically adjust playbooks as new intelligence flows in, ensuring that response teams always have access to the most current recommendations.

Example: During an active malware attack, AI agents generate a playbook outlining steps such as patching systems, isolating compromised endpoints, and communicating with affected teams. As the attack evolves and new CTI is received, the playbook dynamically updates to ensure that all response actions remain effective.

Proactive Threat Detection and Response

By using ontology-driven reasoning and graph-based machine learning, CISA TIES enables proactive threat detection, allowing AI agents to predict attack scenarios and recommend pre-emptive actions based on historical data and real-time cyber threat intelligence (CTI). This proactive approach mitigates threats before they fully develop, reducing the potential damage caused by cyberattacks.

  • Ontology-Enriched Threat Correlation: AI agents leverage ontologies to correlate historical attack patterns with newly ingested CTI, allowing for context-aware predictions of potential attack vectors and the appropriate pre-emptive actions.
  • Predictive Playbooks: The system can automatically generate predictive incident response playbooks that outline the steps needed to defend against anticipated attack vectors, ensuring that security teams are ready before the threat materializes.

Example: When a critical vulnerability is discovered in a healthcare IoT device, AI agents use the knowledge graph to analyze previous IoT exploits and predict likely attack scenarios. The AI agents then generate a pre-emptive playbook that includes recommendations for patching devices, monitoring network traffic, and deploying additional security controls to prevent exploitation.

Real-Time Cross-Sector Collaboration and Threat Intelligence Sharing

The Integrated Federation/Provenance Layer, with its support for SPARQL 1.2 and RDF-star, allows CISA TIES to seamlessly support real-time collaboration between different sectors while maintaining the integrity and confidentiality of sensitive data. Cross-sector collaboration is essential for sharing threat intelligence in critical incidents that affect multiple industries, such as ransomware attacks targeting both financial institutions and critical infrastructure.

  • Federated Queries and Role-Based Access Control: The system supports federated queries across distributed data sources, allowing partners from different sectors (e.g., healthcare, finance, and energy) to access only the threat intelligence relevant to their sector. Role-based access control ensures that sensitive information remains protected while enabling the exchange of critical CTI.
  • Secure, Real-Time Data Sharing: By using SPARQL 1.2 for federated queries, AI agents can access and share intelligence without moving or duplicating the underlying data. This ensures that data sovereignty is maintained across multiple stakeholders while still supporting real-time intelligence sharing.

Example: In response to a nation-state-sponsored cyber campaign targeting both the financial and energy sectors, AI agents in CISA TIES coordinate between sectors by sharing relevant indicators of compromise (IoCs). The financial sector’s AI agents receive intelligence on banking malware, while the energy sector’s agents focus on SCADA system vulnerabilities. Each sector receives sector-specific intelligence, enabling them to collaborate on mitigating the broader attack without compromising data security.

Enhanced Threat Intelligence with GraphRAG and Federated Data

The GraphRAG Layer enhances the ability of CISA TIES to deliver contextually relevant threat intelligence by leveraging graph-based retrieval augmented by ontologies. AI agents can access distributed data sources in real-time, ensuring that the retrieved intelligence is fact-checked and contextually appropriate for the tasks at hand.

  • GraphRAG for Real-Time Intelligence: AI agents use GraphRAG to pull relevant information from the knowledge graph for incident response, persistent threat hunting, or proactive threat management. This ensures that decisions are made based on verified, real-time data.
  • Ontology-Driven Contextual Understanding: Ontologies ensure that AI agents are not simply retrieving data in isolation but are understanding the relationships between CTI elements (e.g., how IoCs relate to vulnerabilities, TTPs, and adversary groups).

Example: During a threat-hunting operation, AI agents use GraphRAG to retrieve real-time IoCs, TTPs, and vulnerability data from multiple distributed sources. The agents correlate this data with historical attack patterns stored in the knowledge graph to provide contextually relevant recommendations for threat hunters to investigate.
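The sector-scoped sharing described under Federated Threat Intelligence Sharing and the graph retrieval described in this section can be shown together in a short sketch. This is an added example, not code from CISA TIES or from the author; it uses a plain in-memory quad list in place of an RDF store and SPARQL. Every identifier in it (the `ex:` entities, graph names, feed names and roles) is constructed for illustration.

```python
from collections import deque

# Constructed sample CTI as quads: (subject, predicate, object, named graph).
# Every identifier below (ex:*, graph:*, feed:*, roles) is made up.
QUADS = [
    ("ex:ioc-1", "ex:indicates", "ex:malware-A", "graph:shared"),
    ("ex:malware-A", "ex:uses", "ex:ttp-phishing", "graph:shared"),
    ("ex:malware-A", "ex:exploits", "ex:vuln-scada-1", "graph:energy"),
    ("ex:vuln-scada-1", "ex:affects", "ex:asset-plc-7", "graph:energy"),
    ("ex:malware-A", "ex:exploits", "ex:vuln-bank-1", "graph:finance"),
    ("ex:vuln-bank-1", "ex:affects", "ex:asset-payment-gw", "graph:finance"),
]

# Per-graph provenance. The article assigns this job to RDF-star annotations;
# a dict keyed by graph name stands in for them here.
PROVENANCE = {
    "graph:shared": "feed:cross-sector",
    "graph:energy": "feed:energy-sample",
    "graph:finance": "feed:finance-sample",
}

# Role -> named graphs that role may read. Unknown roles get nothing.
POLICY = {
    "energy-analyst": {"graph:shared", "graph:energy"},
    "finance-analyst": {"graph:shared", "graph:finance"},
}


def visible_quads(role):
    """Apply the access policy before any retrieval logic sees the data."""
    allowed = POLICY.get(role, set())
    return [q for q in QUADS if q[3] in allowed]


def retrieve_context(role, seed, max_hops=2):
    """Breadth-first expansion from `seed` over the quads `role` may read.

    Returns the facts reached within `max_hops` edges, each tagged with its
    named graph and source so the consumer can cite where a claim came from.
    """
    quads = visible_quads(role)
    seen_nodes, emitted, facts = {seed}, set(), []
    frontier = deque([(seed, 0)])
    while frontier:
        node, depth = frontier.popleft()
        if depth == max_hops:
            continue
        for quad in quads:
            s, p, o, g = quad
            if node not in (s, o):
                continue
            if quad not in emitted:
                emitted.add(quad)
                facts.append({"triple": (s, p, o), "graph": g,
                              "source": PROVENANCE[g]})
            neighbour = o if node == s else s
            if neighbour not in seen_nodes:
                seen_nodes.add(neighbour)
                frontier.append((neighbour, depth + 1))
    return facts


def as_grounding_text(facts):
    """Render retrieved facts as lines an agent prompt could quote verbatim."""
    return "\n".join(
        "{} {} {} [graph={} source={}]".format(*f["triple"], f["graph"], f["source"])
        for f in facts
    )


if __name__ == "__main__":
    print(as_grounding_text(retrieve_context("energy-analyst", "ex:ioc-1", 3)))
```

Because the policy filter runs before traversal, a path that crosses into another sector's graph is never followed, so the finance analyst cannot reach the energy asset even though both start from the same shared indicator.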

The Role of Ontologies in CISA TIES’ Hybrid AI Data Fabric

Ontologies are the foundation of the Hybrid AI Data Fabric and enable AI agents to function with deep contextual awareness and precision. They provide the semantic framework for organizing, structuring, and relating data, enabling AI agents to:

  • Enable automated reasoning and inference: Ontologies allow AI agents to reason over data, drawing connections between IoCs, threat actors, and vulnerabilities to suggest proactive defenses and adaptive response strategies.
  • Structure data for reuse: Ontologies enable modular data structures that can be reused across various sectors, workflows, and tasks. This allows threat intelligence to be shared and applied consistently across different contexts.
  • Support cross-sector collaboration: By ensuring that different organizations use a shared vocabulary and structure, ontologies enable seamless integration of CTI from various sectors, ensuring that threat intelligence is actionable across different industries.


Conclusion

By integrating the Hybrid AI Data Fabric, CISA TIES evolves into an intelligent, scalable platform that enables real-time CTI analysis, automated decision-making, and cross-sector collaboration. With ontology-driven AI agents, GraphRAG, and federated threat intelligence sharing, the system can:

  • Automate complex cybersecurity workflows with real-time adaptability and precision, ensuring that response actions are contextually accurate.
  • Proactively detect and respond to emerging threats by leveraging predictive AI and automated playbooks.
  • Enable secure, cross-sector collaboration, ensuring that threat intelligence is shared efficiently while maintaining the integrity and security of sensitive data.

With ontologies at the core, CISA TIES can adapt to evolving cybersecurity challenges, ensuring that AI agents make decisions grounded in context, relevance, and accuracy. This architecture positions CISA TIES as a cutting-edge platform capable of defending against complex, coordinated cyber threats across industries. The Hybrid AI Data Fabric approach enhances the trustworthiness of AI in CISA TIES by integrating ontology-driven reasoning, secure data sharing, and predictive AI capabilities. This ensures that AI agents make decisions based on verified, real-time data and are contextually accurate, thereby improving the reliability and effectiveness of cybersecurity workflows.

The Hybrid AI Data Fabric is much more than just enabling AI agents—it builds on the foundational value of Knowledge Representation and Reasoning (KR&R) to ensure trustworthy AI. KR&R (using ontologies like OWL and RDF) provides the essential structure for organizing and contextualizing data, ensuring that any AI-driven process is based on a shared understanding of cyber entities (e.g., vulnerabilities, adversary TTPs, IoCs) and their relationships.

By embedding KR&R at the core of the architecture, the system guarantees that decisions are not only automated but also contextually accurate, explainable, and consistent across different use cases. AI agents then add an additional layer of intelligence, automating workflows and enhancing real-time decision-making. However, the true trustworthiness of the system is rooted in the KR&R framework, which ensures that data is verified, traceable, and semantically aligned. The combination of KR&R and AI agents ensures that the Hybrid AI Data Fabric can support complex decision-making processes, adaptive threat responses, and federated intelligence sharing in a secure and reliable manner, far beyond just AI automation.

Shawn Riley

Cybersecurity Scientist | US Navy Cryptology Community Veteran | VFW Member | Autistic | LGBTQ | INTJ-Mastermind

2mo

The key difference between structural common languages and ontologies is that structural languages are machine-readable but lack deeper understanding, while ontologies add the semantics that make data machine-understandable. Structural languages help systems exchange data, but ontologies enable systems to interpret relationships, meaning, and context, allowing for more advanced reasoning. In terms of interoperability, structural languages allow different systems to exchange data in a standardized way, but they don’t ensure that systems interpret the data the same way. Ontologies address this by creating a shared understanding of terms, concepts, and relationships across different systems. This enables true interoperability, where systems can not only share data but also work together to make informed decisions based on a common understanding. In large organizations, this shift is vital for coordinating cybersecurity efforts across disparate tools and teams.

Shawn Riley

2mo

Jonathan Baker FYI, you might find this of interest to understand why I point out the gaps in MITRE ATLAS in the context of threat-informed defense.

Shawn Riley

2mo

Kimberly Watson you might enjoy this update to my AI-IACD work.

Shawn Riley

2mo

cc: Michael Herring Keith D. Willett, PhD, CISSP, ISSAP you might appreciate this post.
