STIX & TAXII in Cyber Threat Intelligence
The OASIS Cyber Threat Intelligence (CTI) Technical Committee (TC) has established the STIX and TAXII standards, which make it easier to share cyber threat intelligence between organizations.
STIX and TAXII are free, open, community-driven standards, and are sponsored by the U.S. Department of Homeland Security (DHS) and supported by MITRE.
STIX (Structured Threat Information Expression)
STIX is a language used to communicate CTI between organizations in a consistent, machine-readable way. There are objects and relationships between those objects. Some of the objects are:
- Attack Pattern: how an adversary attempts to compromise targets; a type of TTP
- Campaign: a group of adversarial behaviors carried out over a period of time against a set of targets
- Course of Action: recommended response to the intel
- Indicator: pattern to detect suspicious or malicious activity
- Location: geographic location
- Malware: type of TTP that represents malware
- Threat Actor: individual or group believed to be acting maliciously
- Vulnerability: a weakness that an adversary can exploit to compromise a target
Objects are connected by relationships, for example: an indicator indicates a campaign, the campaign targets a vulnerability, and the campaign is attributed to a threat actor.
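The relationship chain above expressed as a STIX 2.1 bundle, as an added example that is not part of this article: it uses only Python's standard library (no stix2 package) to build the four objects and three relationship objects, and then walks a bundle to list what a given object type is related to. All names, the indicator pattern and the domain in it are constructed placeholders, not real indicators.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed example: a minimal STIX 2.1 bundle built by hand to show the
# indicator -> campaign -> vulnerability / threat-actor chain from the text.

def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def make_object(obj_type, **props):
    """Build a STIX object (SDO or SRO) with the common required properties."""
    ts = _now()
    obj = {"type": obj_type, "spec_version": "2.1",
           "id": f"{obj_type}--{uuid.uuid4()}", "created": ts, "modified": ts}
    obj.update(props)
    return obj

def make_relationship(source, relationship_type, target):
    """Link two objects with a STIX Relationship Object (SRO)."""
    return make_object("relationship", relationship_type=relationship_type,
                       source_ref=source["id"], target_ref=target["id"])

def build_bundle():
    """Indicator -indicates-> Campaign -targets-> Vulnerability,
    Campaign -attributed-to-> Threat Actor (the chain described in the text)."""
    indicator = make_object("indicator", name="Constructed beacon pattern",
        pattern_type="stix", valid_from=_now(),
        pattern="[domain-name:value = 'c2.example.invalid']")  # placeholder
    campaign = make_object("campaign", name="Example Campaign (placeholder)")
    vuln = make_object("vulnerability", name="Example vulnerability (placeholder)")
    actor = make_object("threat-actor", name="Example Actor (placeholder)")
    sros = [make_relationship(indicator, "indicates", campaign),
            make_relationship(campaign, "targets", vuln),
            make_relationship(campaign, "attributed-to", actor)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [indicator, campaign, vuln, actor] + sros}

def relationships_from(bundle, source_type):
    """Walk a bundle (e.g. one pulled from a TAXII collection) and return sorted
    (relationship_type, target_type) pairs whose source is of source_type."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    return sorted((r["relationship_type"], by_id[r["target_ref"]]["type"])
                  for r in bundle["objects"] if r["type"] == "relationship"
                  and by_id[r["source_ref"]]["type"] == source_type)

if __name__ == "__main__":
    print(json.dumps(build_bundle(), indent=2))
```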
TAXII (Trusted Automated Exchange of Indicator Information)
TAXII is the framework for transporting STIX data. Just like a taxi is a vehicle to transport people, TAXII is a vehicle to transport STIX data. TAXII is an application protocol for exchanging STIX data over HTTPS. There are two primary services:
- Collection: an interface to a local repository of CTI objects that can be requested by consumers; a request-response model
- Channel: a way for producers to push data to consumers; a publish-subscribe model
TAXII is flexible, able to be used in a variety of threat-sharing models, including hub-and-spoke, peer-to-peer, and source-subscriber.
At one point there was CybOX (Cyber Observable Expression), a schema for categorizing cyber observables (events or stateful properties). CybOX was merged with TAXII in 2018.
How STIX and TAXII are Used
Organizations can send and/or receive CTI using STIX and TAXII. If an organization experiences an attack, it can analyze it and share the resulting CTI using STIX and TAXII, so other organizations can detect and defend against similar attacks.
Information Sharing and Analysis Centers (ISACs) use STIX and TAXII to exchange CTI. ISAC members can benefit from the shared CTI. For example, if a financial institution shares CTI via the Financial Services ISAC (FS-ISAC), other members in the financial industry can receive that CTI and act on it.
Threat Intelligence Platforms (TIPs) can ingest CTI via STIX, making it available to the analysts using the TIP.
Because STIX includes objects that include details about attacks, analysts can benefit from what others have learned, studying the incident and applying the intel to their own organizations.