STIX stands for Structured Threat Information Expression. It is an open standard language and serialization format used to share threat intelligence. Think of it as the vehicle that carries the threat information. Threat intelligence is expressed as objects, and each object can be as detailed or as brief as its creator likes.
TAXII stands for Trusted Automated Exchange of Indicator Information. It is an application-layer protocol that carries STIX content over HTTPS (TAXII 2.x mandates HTTPS). Think of it as the highway that STIX travels on. Together these standards give the community a consistent way to share cyberthreat information, and they are just as useful for moving threat intelligence between security tools and teams
internally. Different tools can consume the same feed for different purposes, such as blocking the listed indicators at the perimeter or matching them in a SIEM, so that your network stays protected against the actors the feed describes. OASIS Open, which maintains the STIX/TAXII standards, has a useful visualization of the information contained in a STIX-formatted threat
report. One of the key principles and advantages of the STIX/TAXII paradigm is how its data is sourced. Many feeds take the traditional route of automated honeypots or API integrations with VirusTotal and other malware-sandboxing services to produce actionable threat intelligence. Those are all good sources, but an advantage of STIX/TAXII is the ability to crowdsource the information: anyone in the community can follow the
standards and submit threat information, which then ripples through the community and protects others as soon as they encounter the same threats. These standards are not limited to open data. Organizations with highly sensitive networks that face targeted attacks can maintain their own STIX/TAXII feeds, updated internally and applied throughout their network. This also makes it possible to apply the STIX/TAXII paradigm on networks without internet
access, as long as you keep supplying the feeds with enough information for them to stay useful. The STIX standard organizes threat intelligence as objects, which makes it easy to pull out the facts you need to make a decision about protecting your network. Objects are tied to one another by relationships, giving you a precise picture of the threat you are investigating. For example, here is a STIX campaign object
represented in JSON, as provided by OASIS: This Campaign object can be bundled with other objects that relate to it. For instance, a particular malware family may be associated with the campaign and we want to watch for its file hash; in STIX the hash goes into an Indicator object's pattern, linked to the Malware object by an "indicates" relationship. Other times, domains of command-and-control servers or URLs of phishing sites are provided. STIX 2.1 currently defines 18 STIX Domain Objects (SDOs) for classifying threat information; these can be bundled together and connected by relationship objects that name the kind of relationship, which helps describe the threat.
List of feeds
Many feeds require licensing or a product purchase, but there are some free feeds as well. This is not a comprehensive list, but it may help you get started in the right direction:
Check out Plixer’s new product, Plixer Security Intelligence, which integrates with STIX/TAXII, so you can be alerted and make informed decisions based on the most up-to-date threat intelligence.
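To make the object bundling described above concrete, here is an added example in Python (not code from the original post or from OASIS). It builds a STIX 2.1 bundle by hand with a Campaign, the Malware it uses, an Indicator whose pattern carries the malware's file hash, and the two relationship objects that tie them together; then it plays the consumer: validates the common properties every object must carry, walks the relationship graph, and returns the hashes to watch for together with the malware and campaign names behind them. Every name, description, timestamp and the hash value are constructed for illustration, and the hash-pattern matcher deliberately handles only the simplest single-comparison pattern.

```python
import json
import re
import uuid

# Added example, not code from the original post. Every name, description,
# hash and timestamp here is constructed for illustration; only the field
# layout follows the STIX 2.1 specification.
TS = "2024-01-15T09:30:00.000Z"      # constructed RFC 3339 UTC timestamp
SAMPLE_SHA256 = "9f2c5d1e" * 8       # constructed 64-hex-digit value, not a real sample
REQUIRED = ("type", "spec_version", "id", "created", "modified")


def stix_id(obj_type):
    """STIX 2.1 identifiers have the form '<type>--<UUID>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def sdo(obj_type, **props):
    """Build an object carrying the common properties every SDO/SRO must have."""
    return {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type),
            "created": TS, "modified": TS, **props}


def build_bundle():
    """Producer side: a campaign, the malware it uses, and a hash indicator."""
    campaign = sdo("campaign", name="Example Campaign",
                   description="Constructed campaign for illustration only")
    malware = sdo("malware", name="Example Loader", is_family=False)
    indicator = sdo("indicator", name="Example Loader sample", pattern_type="stix",
                    pattern=f"[file:hashes.'SHA-256' = '{SAMPLE_SHA256}']",
                    valid_from=TS)
    # Relationships are separate objects (SROs) that reference SDOs by id.
    indicates = sdo("relationship", relationship_type="indicates",
                    source_ref=indicator["id"], target_ref=malware["id"])
    uses = sdo("relationship", relationship_type="uses",
               source_ref=campaign["id"], target_ref=malware["id"])
    return {"type": "bundle", "id": stix_id("bundle"),
            "objects": [campaign, malware, indicator, indicates, uses]}


# Matches only the simplest single-comparison hash pattern. Real patterns can
# combine comparisons with AND/OR and timing qualifiers and need a real parser.
HASH_PATTERN = re.compile(
    r"\[file:hashes\.'(?P<alg>[A-Za-z0-9-]+)'\s*=\s*'(?P<val>[0-9A-Fa-f]+)'\]")


def extract_hash_indicators(bundle):
    """Consumer side: validate the bundle, resolve the relationship graph and
    return {hash: {"algorithm", "malware": [...], "campaigns": [...]}}."""
    objs = {}
    for o in bundle["objects"]:
        missing = [p for p in REQUIRED if p not in o]
        if missing:
            raise ValueError(f"{o.get('id', '?')} lacks required properties {missing}")
        if o["id"].split("--", 1)[0] != o["type"]:
            raise ValueError(f"id prefix does not match type: {o['id']}")
        objs[o["id"]] = o
    indicates, uses = {}, {}   # indicator -> {malware ids}, malware -> {campaign names}
    for o in objs.values():
        if o["type"] != "relationship":
            continue
        src, tgt = o["source_ref"], o["target_ref"]
        if src not in objs or tgt not in objs:
            continue   # dangling reference: the related object was not shipped
        if o["relationship_type"] == "indicates" and tgt.startswith("malware--"):
            indicates.setdefault(src, set()).add(tgt)
        elif o["relationship_type"] == "uses" and src.startswith("campaign--"):
            uses.setdefault(tgt, set()).add(objs[src]["name"])
    result = {}
    for o in objs.values():
        if o["type"] != "indicator" or o.get("pattern_type", "stix") != "stix":
            continue
        m = HASH_PATTERN.fullmatch(o["pattern"])
        if not m:
            continue
        malware_ids = indicates.get(o["id"], set())
        result[m["val"].lower()] = {
            "algorithm": m["alg"],
            "malware": sorted(objs[i]["name"] for i in malware_ids),
            "campaigns": sorted(set().union(*(uses.get(i, set()) for i in malware_ids))),
        }
    return result


def publish_and_consume():
    """Round-trip through JSON text, which is what actually crosses the wire."""
    wire = json.dumps(build_bundle(), indent=2)
    return extract_hash_indicators(json.loads(wire))


if __name__ == "__main__":
    print(json.dumps(publish_and_consume(), indent=2))
```

The consumer checks two things a feed parser should never skip: every object carries the five common properties, and the id prefix agrees with the type (an object claiming `type: indicator` under a `malware--` id is malformed). Relationships whose ends were not shipped in the bundle are ignored rather than crashing the parser, which is the usual situation when a feed sends partial updates.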
Dylan Mclaughlin
Dylan is a Technical Support Engineer with Plixer. When he's not in front of a computer, you can find him hiking or kayaking around New England.

In the ever-shifting landscape of cyberattacks, sharing threat intelligence and collaborating with industry peers to improve threat detection, analysis, and mitigation has become paramount for organizations. With shared threat intelligence, security teams not only get a better understanding of the threat landscape but also gain insight into the practices followed by others in the industry. Many commercial and public sources of threat intelligence exist, but sharing within a community of organizations with similar security interests provides insight into aspects of threats that those sources miss. Such sharing communities need to standardize several things: what kind of threat information is shared, what structure lets the data be parsed efficiently, and how the accuracy of the shared information is conveyed. Given the speed at which cyber threats move and the volume of data that must be analyzed and shared, organizations need a standard format for describing the information and a standard means of transporting it, and the whole process must be fast and convenient.
How STIX and TAXII Improve Threat Intelligence Sharing
Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) answer those questions by making information consumable and shareable in a standardized format. They are two open, community-driven standards that allow automated sharing of cyber threat information, and together they support a collaborative security strategy between organizations.
In technical terms, STIX and TAXII are not sharing programs, tools, or software; they are standards that support the automated expression and exchange of cyber threat information. STIX defines the "what" of a threat, and TAXII defines "how" the information is transmitted. Both standards were originally developed at MITRE under the sponsorship of the Department of Homeland Security (DHS), its Office of Cybersecurity and Communications (CS&C), the National Cybersecurity and Communications Integration Center (NCCIC), and US-CERT. In 2015 the standards were transitioned to the Organization for the Advancement of Structured Information Standards (OASIS), which continues to maintain them.
What is STIX?
Structured Threat Information eXpression (STIX) is a language and serialization format (not a programming language) for representing cyber threat intelligence in a standardized, structured form. STIX enables organizations to share threat intelligence with one another in a consistent, machine-readable manner, so that security teams can better understand attacks and respond to them more effectively. With the STIX structure, a security team can describe a threat from several aspects, such as:
STIX was first presented in 2012 and has changed considerably since. Over the years the standard has been overhauled to add properties for expressing many kinds of threat information, depending on the type of attack. To express threat information in a structured way, STIX is built on three kinds of component:
STIX 2.x vs STIX 1.x
Many organizations are adopting the newer STIX 2.x standards, which are more streamlined than STIX 1.x. Because of its different design, STIX 2.x provides a strong foundation for building threat intelligence solutions and leaves room to add features through new STIX Domain Objects (SDOs). Where STIX 1.x was defined in XML, STIX 2.x objects are represented in JSON. In STIX 2.x every SDO is a top-level object, and any two objects can be linked with a named relationship type. That fixes a major drawback of STIX 1.x: some 1.x object types were not top-level and were embedded inside other objects, so expressing a relationship between two arbitrary objects was hard, and the shared knowledge that cyber threat intelligence depends on was harder to express. STIX 2.1 currently defines 18 top-level domain objects (SDOs) for describing threat data; they are linked to each other through separate relationship objects (SROs) that name the type of relationship, which aids in classifying threats. The 18 SDOs are:
Benefits of STIX
What is TAXII?
Trusted Automated eXchange of Indicator Information (TAXII) is an application-layer protocol for sharing actionable threat information across organizations, products, and services. (The OASIS TAXII 2.x specifications expand the name as Trusted Automated Exchange of Intelligence Information; the acronym is unchanged.) It gives organizations situational awareness of emerging threats while letting them pass the information on to partners as needed. The core components of TAXII include:
What Formats and Protocols does TAXII Support?
TAXII is used in conjunction with STIX and exchanges threat information over HTTPS. Like STIX, TAXII has gained features since its 1.x releases. TAXII 2.x is the current version and is a redesign rather than an extension of TAXII 1.x. TAXII 1.x was built around the XML-based STIX 1.x format and defined its own message formats and protocol bindings; TAXII 2.x is instead a RESTful API over HTTPS whose payloads are identified by media type, so STIX 2.x is the expected content but other content types can be carried. Note that TAXII 2.x is not transport-agnostic: it mandates HTTPS. What it does not dictate is the threat-intelligence format inside the messages, which is what lets one server serve communities with different content constraints.
What are TAXII Server and TAXII Client?
The two roles are defined by their part in the exchange. A TAXII Server is the hub that publishes threat intelligence; it typically serves as a repository of Indicators of Compromise (IoCs) and other STIX objects that members can read and, if permitted, write to. Whether the published intelligence is anonymized or de-identified to protect the contributors is a policy decision of the operator, not something TAXII does for you. A server can also host intelligence that members contribute themselves, such as malware observed in their own traffic logs, shared in a structured form for the benefit of others. A TAXII Client fetches intelligence from a TAXII Server and, when it has write access, pushes objects back. In practice a client may pull from several TAXII servers, commercial feed providers, and Threat Intelligence Platforms (TIPs) and consolidate the results.
What are TAXII Collection and Channel?
TAXII Server and Client are built on two defined services that support a variety of threat-sharing models:
Collection: The Client and Server exchange information in a request-response manner. The Server acts as a repository of cyber threat intelligence objects that the Client reads from or adds to.
Channel: Clients, with the Server at the center, exchange information with other Clients in a publish-subscribe model; the Server acts as a channel that pushes data from one client to the others. Note that Channels were reserved for future definition in TAXII 2.0 and do not appear in TAXII 2.1, so in current implementations Collections are the only service you will find; a subscriber polls a collection (normally with the added_after filter) rather than receiving a push.
STIX/TAXII Threat Sharing Models
TAXII enables machine-to-machine sharing of threat intelligence by defining an API that supports the common sharing models:
Hub and Spoke Model: One principal organization acts as the Hub and collects information from, or shares it with, the other organizations, which act as Spokes. When a Spoke wants to share something with the other Spokes, it first sends it to the Hub, which analyzes and enriches it and passes it on. A Hub may also gather information from non-spoke sources, such as regulators, commercial threat intelligence feed providers, and OSINT sources, to share contextualized information with the Spokes.
Peer-to-Peer Model: A decentralized model in which organizations have equal capabilities. There are no fixed hub or subscriber roles (each peer runs both a server and a client), so any organization can share threat intelligence directly with any other.
Source and Subscriber Model: One organization acts as the single source of information for all subscribers, and the subscribers do not share intelligence back. The source may be an open-source intelligence (OSINT) provider or an entity that publishes threat reports.
Why Hub and Spoke is the Most Widely Used Model
In our ever more connected world, managing cyber threats is harder than ever, and an organization cannot defend itself working in a silo.
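Stepping back to the Collection service and the client/server roles described above, here is an added example (not code from the article) of a TAXII 2.1 exchange in Python with both sides in one file. The server is a constructed in-memory stand-in with a made-up discovery URL, API root, collection id, credentials and three indicator objects; the client performs discovery, lists the collections, then polls the collection page by page using the limit and next parameters and keeps an added_after checkpoint so the next poll returns only new objects. The transport is a plain function call instead of an HTTPS GET so that it runs offline; in production the client would call an HTTPS library against a real TAXII server.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Added example, not the article's code. Server, URLs, credentials, collection id
# and objects are all constructed; request/response shapes follow TAXII 2.1.
TAXII_MEDIA = "application/taxii+json;version=2.1"
DISCOVERY_URL = "https://taxii.example.test/taxii2/"
API_ROOT = "https://taxii.example.test/api1/"
COLLECTION_ID = "3e9a5c1b-7f0d-4b6e-9a2c-1d5f8e7b4a60"
CREDENTIALS = ("analyst", "s3cret")

def _indicator(uid, when, pattern):
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uid}",
            "created": when, "modified": when, "valid_from": when,
            "pattern_type": "stix", "pattern": pattern}

# In-memory server state. date_added is TAXII metadata (not a STIX property) and a
# server hands objects out in date_added order, which is what added_after filters on.
STATIC = {
    DISCOVERY_URL: {"title": "Example TAXII 2.1 server", "api_roots": [API_ROOT]},
    API_ROOT + "collections/": {"collections": [{
        "id": COLLECTION_ID, "title": "Community indicators", "can_read": True,
        "can_write": False, "media_types": ["application/stix+json;version=2.1"]}]},
}
OBJECTS = [
    ("2024-01-10T00:00:00.000Z", _indicator("0d6f3a1e-2b8c-4d5e-9f01-23456789abcd",
        "2024-01-09T12:00:00.000Z", "[domain-name:value = 'c2.example.test']")),
    ("2024-01-11T00:00:00.000Z", _indicator("1e7a4b2f-3c9d-4e6f-8a12-3456789abcde",
        "2024-01-10T12:00:00.000Z", "[url:value = 'https://phish.example.test/login']")),
    ("2024-01-12T00:00:00.000Z", _indicator("2f8b5c30-4dae-4f70-9b23-456789abcdef",
        "2024-01-11T12:00:00.000Z", "[ipv4-addr:value = '203.0.113.7']")),
]

def _resp(status, body, extra=None):
    return status, {"Content-Type": TAXII_MEDIA, **(extra or {})}, json.dumps(body)

def fake_server_get(url, headers):
    """Server side of the exchange: returns (status, headers, body text)."""
    expected = "Basic " + base64.b64encode(":".join(CREDENTIALS).encode()).decode()
    if headers.get("Authorization") != expected:
        return _resp(401, {"title": "Unauthorized", "http_status": "401"})
    if not headers.get("Accept", "").startswith("application/taxii+json"):
        return _resp(406, {"title": "Not Acceptable", "http_status": "406"})
    u = urlparse(url)
    base, q = f"{u.scheme}://{u.netloc}{u.path}", parse_qs(u.query)
    if base in STATIC:
        return _resp(200, STATIC[base])
    if base == f"{API_ROOT}collections/{COLLECTION_ID}/objects/":
        items = OBJECTS
        if "added_after" in q:   # equal-precision RFC 3339 UTC strings sort lexically
            items = [x for x in items if x[0] > q["added_after"][0]]
        start, limit = int(q.get("next", ["0"])[0]), int(q.get("limit", ["100"])[0])
        page, more = items[start:start + limit], start + limit < len(items)
        env = {"more": more, "objects": [o for _, o in page]}
        if more:
            env["next"] = str(start + limit)   # opaque pagination token
        return _resp(200, env, {"X-TAXII-Date-Added-Last": page[-1][0]} if page else None)
    return _resp(404, {"title": "Not Found", "http_status": "404"})

class TaxiiClient:
    """Client side: discovery, collection listing, paginated checkpointed polling."""

    def __init__(self, discovery_url, user, password, transport=fake_server_get):
        self.discovery_url = discovery_url
        self.auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
        self.transport = transport   # swap in a real HTTPS GET for production use
        self.requests = 0

    def _get(self, url, params=None):
        if params:
            url = f"{url}?{urlencode(params)}"
        self.requests += 1
        status, hdrs, body = self.transport(url, {"Accept": TAXII_MEDIA, "Authorization": self.auth})
        if status != 200:
            raise RuntimeError(f"HTTP {status} for {url}: {body}")
        if not hdrs.get("Content-Type", "").startswith("application/taxii+json"):
            raise RuntimeError("unexpected Content-Type, refusing to parse body")
        return json.loads(body), hdrs

    def api_roots(self):
        return self._get(self.discovery_url)[0]["api_roots"]

    def collections(self, api_root):
        return self._get(api_root + "collections/")[0]["collections"]

    def fetch_objects(self, api_root, collection_id, added_after=None, limit=2):
        """Walk every page; return the objects plus the checkpoint (last date_added)
        to persist and pass back as added_after on the next poll."""
        objects, checkpoint, next_token = [], added_after, None
        while True:
            params = {"limit": limit, **({"added_after": added_after} if added_after else {}),
                      **({"next": next_token} if next_token else {})}
            env, hdrs = self._get(f"{api_root}collections/{collection_id}/objects/", params)
            objects.extend(env.get("objects", []))
            checkpoint = hdrs.get("X-TAXII-Date-Added-Last", checkpoint)
            if not env.get("more"):
                return objects, checkpoint
            next_token = env["next"]

def poll_example():
    """Full sync (two pages of two), then an incremental poll that finds nothing new."""
    client = TaxiiClient(DISCOVERY_URL, *CREDENTIALS)
    root = client.api_roots()[0]
    coll = next(c for c in client.collections(root) if c["can_read"])
    first, checkpoint = client.fetch_objects(root, coll["id"])
    later, _ = client.fetch_objects(root, coll["id"], added_after=checkpoint)
    return {"first": len(first), "later": len(later),
            "checkpoint": checkpoint, "requests": client.requests}
```

Two details worth keeping in a real client: refuse to parse a body whose Content-Type is not the TAXII media type, and persist the X-TAXII-Date-Added-Last value as the checkpoint rather than the newest `modified` timestamp, because date_added is the server's ordering and is what added_after filters on.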
To tackle sophisticated threats, the Hub and Spoke model, which enables two-way sharing, has proven more beneficial than the others: it supports better situational awareness, better decision-making, and security collaboration. What sets this model apart is that the Hub removes duplicate and redundant threat information before sharing it with the Spokes. An organization using a Threat Intelligence Platform (TIP) can set up a Hub that combines and, where required, anonymizes intelligence from the Spokes, so that only vetted, enriched data goes back out to the other Spokes for further analysis. The model also lets a private organization build a trusted sharing community with bidirectional exchange: a central organization can act as the Hub for a community made up of its vendors, peers, clients, and partners. Using the Hub and Spoke model, organizations can also ingest real-time information from CERTs and other government or regulatory agencies, collaborate with sector ISACs and ISAOs, and exchange indicators with their clients and vendors. With relevant threat intelligence at hand, organizations can speed up investigation and alert triage during an incident.
Benefits of TAXII
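The hub's deduplication and anonymization step described above, as an added example in Python (not the article's code and not any particular TIP's logic). Two constructed spokes submit indicators: Spoke B forwards a newer version of one of Spoke A's objects (same id, later `modified`), and also contributes an indicator with a different id but the same pattern. The hub keeps only the newest version of each id (the STIX 2.1 versioning rule), folds indicators with identical patterns into one, and republishes the result under its own deterministic ids and identity so that recipients cannot tell which spoke contributed what. The identity ids, namespace UUID, patterns, timestamps and confidence values are all constructed, and the pattern-folding, confidence-merging and re-issuing rules are this hypothetical hub's policy, not something STIX prescribes.

```python
import uuid

# Added example of hub-side merging, not the article's code. Identity ids, objects
# and timestamps are constructed. "Newest modified wins" is the STIX 2.1 versioning
# rule; folding identical patterns and re-issuing objects under hub-owned ids are
# policy choices of this hypothetical hub.
HUB_IDENTITY = "identity--7b1f2e3d-4c5a-4b6d-8e9f-0a1b2c3d4e5f"
HUB_NAMESPACE = uuid.UUID("5f2d9c1e-8a4b-4c3d-9e0f-1a2b3c4d5e6f")   # constructed
SPOKE_A_IDENTITY = "identity--11111111-2222-4333-8444-555555555555"
SPOKE_B_IDENTITY = "identity--66666666-7777-4888-8999-000000000000"
C2_PATTERN = "[domain-name:value = 'c2.example.test']"
T0 = "2024-02-01T00:00:00.000Z"

def _indicator(uid, modified, pattern, confidence, creator):
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uid}",
            "created": T0, "modified": modified, "valid_from": T0, "pattern_type": "stix",
            "pattern": pattern, "confidence": confidence, "created_by_ref": creator}

SPOKE_A = [
    _indicator("aaaaaaaa-0000-4000-8000-000000000001", T0, C2_PATTERN, 40, SPOKE_A_IDENTITY),
    _indicator("bbbbbbbb-0000-4000-8000-000000000002", "2024-02-03T00:00:00.000Z",
               "[ipv4-addr:value = '203.0.113.7']", 60, SPOKE_A_IDENTITY),
]
SPOKE_B = [
    # Same id as Spoke A's first object with a later modified: a newer version of it.
    _indicator("aaaaaaaa-0000-4000-8000-000000000001", "2024-02-05T00:00:00.000Z",
               C2_PATTERN, 90, SPOKE_A_IDENTITY),
    # Different id, same pattern: redundant with the object above.
    _indicator("cccccccc-0000-4000-8000-000000000003", "2024-02-04T00:00:00.000Z",
               C2_PATTERN, 95, SPOKE_B_IDENTITY),
]

def hub_id_for(pattern):
    """Deterministic hub-owned id: the same pattern always republishes as the same object."""
    return f"indicator--{uuid.uuid5(HUB_NAMESPACE, pattern)}"

def merge_for_redistribution(spoke_submissions):
    """Collapse what the spokes sent into the set the hub republishes."""
    by_id = {}
    for objs in spoke_submissions:
        for o in objs:
            cur = by_id.get(o["id"])
            if cur is None or o["modified"] > cur["modified"]:   # STIX versioning rule
                by_id[o["id"]] = o
    by_pattern, out = {}, []
    for o in by_id.values():
        if o["type"] != "indicator":
            out.append(o)          # non-indicators pass through untouched in this example
            continue
        key = o["pattern"].strip()
        if key in by_pattern:      # redundant indicator: merge, do not republish twice
            keep = by_pattern[key]
            keep["confidence"] = max(keep["confidence"], o.get("confidence", 0))
            keep["x_hub_source_count"] += 1
            continue
        # Re-issue as a hub-owned object: new id, hub identity as creator, and a
        # custom (x_-prefixed) property recording how many spokes reported it.
        hub_obj = dict(o, id=hub_id_for(key), created_by_ref=HUB_IDENTITY,
                       confidence=o.get("confidence", 0), x_hub_source_count=1)
        by_pattern[key] = hub_obj
        out.append(hub_obj)
    return out

if __name__ == "__main__":
    for obj in merge_for_redistribution([SPOKE_A, SPOKE_B]):
        print(obj["id"], obj["pattern"], obj["confidence"], obj["x_hub_source_count"])
```

Re-issuing under hub-owned ids is what keeps the hub on the right side of STIX versioning: the spec does not allow a new version of an object to change its `created_by_ref`, so a hub that wants to hide the contributor must publish its own object rather than edit the spoke's. The deterministic uuid5 id also means a spoke that reports the same pattern next month updates the existing hub object instead of creating a duplicate.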
Cyware CTIX: The Best STIX/TAXII-based Threat Intelligence Platform
The key to addressing sophisticated threats is collaboration-driven threat intelligence sharing. Cyware Threat Intelligence eXchange (CTIX) is a STIX/TAXII-based Threat Intelligence Platform (TIP) that uses the Hub and Spoke model to automate bidirectional threat intelligence sharing and collaboration between sharing communities, including ISACs/ISAOs and private sharing communities. It gives security teams automated multi-source ingestion of threat data in a variety of formats, including STIX 2.x, plus enrichment, analysis, scoring, and sharing of actionable threat intelligence. CTIX normalizes, correlates, and enriches raw threat data to deliver high-fidelity, contextualized intelligence to security teams and other stakeholders according to their roles and needs. CTIX can also push threat data automatically into detection, analysis, and response platforms, including SIEM, EDR/NDR, UEBA, Incident Response (IR), and Vulnerability Management tools. To learn more about Cyware CTIX and how it operationalizes threat intelligence using STIX and TAXII, book a free demo!