In recent years, STIX and TAXII have sprung up as two buzzwords in the cybersecurity landscape, but they are still not well known or understood across the whole cybersecurity community. In this article, we provide a brief overview of what they are and why they were designed in the first place.
The STIX project wiki defines STIX as, “Structured Threat Information Expression (STIX) is a structured language for describing cyber threat information so it can be shared, stored, and analyzed in a consistent manner.” But what does that mean?
In the modern threat landscape, it is becoming ever more crucial for organizations to develop cyber threat intelligence capabilities to stay ahead of the new threats. In this scenario, sharing of threat information between organizations becomes a key priority and facilitating that creates a need for one standardized and structured representation of threat information.
Here’s where STIX comes into the picture. It started off as a community-driven effort to develop a language for sharing structured threat intel which has very quickly become the industry standard in use with countless cybersecurity products and professionals.
One of the key features of STIX is that it is both human-readable and machine-readable, which makes it a good fit for organizations where employees in different roles (analysts, engineers, decision makers) need to collaborate on key security decisions.
The STIX language consists of nine key constructs and the relationships between them, as seen in the diagram below.
[Diagram: the nine STIX constructs and the relationships between them. Source: STIX Project wiki]
STIX has two main components: STIX Domain Objects (SDOs), which contain the parameters describing a piece of intel, and STIX Relationship Objects (SROs), which establish the relationships between SDOs and their parameters.
SDOs carry the key parameters that describe an incident, such as Observables, Indicators (IOCs), Incidents, and Exploit Targets. They also carry parameters that describe the adversary: Tactics, Techniques, and Procedures (TTPs), Threat Actors, and Campaigns. Finally, Course of Action and Report objects convey further information to support an effective threat response.
Although SDOs provide a lot of important detail about a threat, SROs further enhance the analysis by providing contextual information. The relationships expressed by SROs are of two types: Association and Composition.
Association relationships link two distinct SDOs on the basis of a shared contextual detail. Composition relationships, on the other hand, link two components where one of them is only fully described by including the other, related component as part of the analysis.
Thus, the combination of SDOs and SROs can effectively describe any cyber threat along with its associated threat actors, patterns, campaigns, and more.
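As an added example (not code from the article or the STIX project), the following Python builds a small bundle of SDOs and SROs and then uses the relationships to answer an analyst's question. It assumes the STIX 2.1 JSON serialization, since the article does not name a version; the object ids, names, hash and timestamps are constructed for the example, and `actors_behind_indicator` and `dangling_references` are helper names chosen here. The dangling-reference check matters in practice: a producer can ship relationship objects whose endpoints are missing from the bundle, and a consumer should detect that rather than silently drop the context.

```python
import json

# Constructed STIX 2.1 identifiers ("<type>--<UUID>"); the UUIDs are made up for this
# example and do not come from any real threat feed.
INDICATOR_ID = "indicator--6b0e2f3c-1d2e-4a5b-9c8d-0e1f2a3b4c5d"
MALWARE_ID = "malware--2f9a7b1c-3d4e-4f5a-8b6c-7d8e9f0a1b2c"
ACTOR_ID = "threat-actor--9c1d2e3f-4a5b-4c6d-8e7f-0a1b2c3d4e5f"
REL_INDICATES_ID = "relationship--1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d"
REL_USES_ID = "relationship--5e6f7a8b-9c0d-4e1f-8a2b-3c4d5e6f7a8b"
BUNDLE_ID = "bundle--0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d"
NOW = "2024-01-15T10:00:00.000Z"  # STIX timestamps are RFC 3339 UTC with millisecond precision


def make_sdo(obj_type, obj_id, **props):
    """Skeleton of the common properties every STIX Domain Object carries."""
    obj = {"type": obj_type, "spec_version": "2.1", "id": obj_id, "created": NOW, "modified": NOW}
    obj.update(props)
    return obj


def make_sro(rel_id, relationship_type, source_ref, target_ref):
    """A STIX Relationship Object: a directed, typed edge between two SDOs."""
    return {"type": "relationship", "spec_version": "2.1", "id": rel_id, "created": NOW,
            "modified": NOW, "relationship_type": relationship_type,
            "source_ref": source_ref, "target_ref": target_ref}


def build_bundle():
    """Constructed bundle: one indicator, the malware it indicates, and the actor using it."""
    # Constructed SHA-256 (all 0xAA bytes), not a real sample hash.
    pattern = "[file:hashes.'SHA-256' = '" + "aa" * 32 + "']"
    indicator = make_sdo("indicator", INDICATOR_ID, name="Constructed dropper hash",
                         indicator_types=["malicious-activity"], pattern_type="stix",
                         pattern=pattern, valid_from=NOW)
    malware = make_sdo("malware", MALWARE_ID, name="ExampleDropper",
                       malware_types=["dropper"], is_family=False)
    actor = make_sdo("threat-actor", ACTOR_ID, name="Example Actor",
                     threat_actor_types=["crime-syndicate"])
    return {"type": "bundle", "id": BUNDLE_ID, "objects": [
        indicator, malware, actor,
        make_sro(REL_INDICATES_ID, "indicates", INDICATOR_ID, MALWARE_ID),
        make_sro(REL_USES_ID, "uses", ACTOR_ID, MALWARE_ID),
    ]}


def index_by_id(bundle):
    return {obj["id"]: obj for obj in bundle["objects"]}


def relationships(bundle):
    return [obj for obj in bundle["objects"] if obj["type"] == "relationship"]


def dangling_references(bundle):
    """Ids of SROs whose source_ref or target_ref resolves to no object in this bundle."""
    ids = index_by_id(bundle)
    return sorted(r["id"] for r in relationships(bundle)
                  if r["source_ref"] not in ids or r["target_ref"] not in ids)


def targets_of(bundle, object_id, relationship_type=None):
    """Objects reached by following SROs outward from object_id (optionally one rel type)."""
    ids = index_by_id(bundle)
    return [ids[r["target_ref"]] for r in relationships(bundle)
            if r["source_ref"] == object_id and r["target_ref"] in ids
            and (relationship_type is None or r["relationship_type"] == relationship_type)]


def sources_of(bundle, object_id, relationship_type=None):
    """Objects that have an SRO pointing at object_id (the reverse direction)."""
    ids = index_by_id(bundle)
    return [ids[r["source_ref"]] for r in relationships(bundle)
            if r["target_ref"] == object_id and r["source_ref"] in ids
            and (relationship_type is None or r["relationship_type"] == relationship_type)]


def actors_behind_indicator(bundle, indicator_id):
    """Two-hop context: indicator --indicates--> malware <--uses-- threat-actor."""
    names = []
    for malware in targets_of(bundle, indicator_id, "indicates"):
        for actor in sources_of(bundle, malware["id"], "uses"):
            names.append(actor["name"])
    return sorted(set(names))


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("dangling relationships:", dangling_references(bundle))
    print("actors behind indicator:", actors_behind_indicator(bundle, INDICATOR_ID))
```

The two-hop walk is the point of SROs: the indicator alone is just a hash, but following `indicates` and then the reverse of `uses` tells the responder which actor is behind the sighting, which is the context the article describes SROs adding on top of SDOs.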
TAXII, a step further
The next question in your mind would naturally be about the other buzzword: TAXII. Once we understand STIX, we can build applications that exchange STIX objects and so make fuller use of its capabilities. TAXII was conceived for this exact purpose.
Trusted Automated Exchange of Intelligence Information (TAXII) is an application layer protocol specially designed to enable the exchange of STIX objects for facilitating cyber threat intel sharing and communication.
TAXII runs over HTTPS, which makes it secure in transit and suitable for building online services that consume and process STIX objects. It gives developers the ability to build TAXII servers and TAXII clients that communicate with each other in a request/response manner.
TAXII provides three sharing models:
- Hub and Spoke - one central clearinghouse
- Source/Subscriber - a single organization is the source of information
- Peer-to-Peer - multiple organizations sharing information with each other
The client-server model of the TAXII protocol enables cybersecurity product providers to build applications that aggregate threat intelligence from various sources and give organizations a bird's-eye view of the threat landscape, or specific intelligence tailored to their requirements.
Together, STIX and TAXII enable organizations to exchange cyber threat intelligence in a more structured and standardized manner, paving the way for deeper collaboration against threats.
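To make the request/response exchange concrete, here is an added example (not code from the article or any TAXII product) in which a minimal TAXII 2.1-style server and a polling client are written side by side in Python. The transport is replaced by a direct function call so the exchange runs offline; over HTTPS the same headers and paths would go on the wire. The API root, collection id, credential, and the three stored objects are constructed, and `server_handle` and `client_poll` are names chosen here. The server checks the `Accept` media type and the credential before it reveals anything, and the client advances its `added_after` checkpoint only from the server's `X-TAXII-Date-Added-Last` header, so repeated polls neither skip nor re-fetch objects.

```python
# TAXII 2.1 media type both sides must send (server in Content-Type, client in Accept).
TAXII_MEDIA = "application/taxii+json;version=2.1"
STIX_MEDIA = "application/stix+json;version=2.1"
API_ROOT = "/trustgroup1"                               # constructed API root path
COLLECTION_ID = "91a7b528-80eb-42ed-a74d-c6fbd5a26116"  # constructed collection id
VALID_AUTH = "Basic ZGVtbzpkZW1v"  # constructed credential ("demo:demo"); never hard-code a real one

# Constructed server-side store: (time the server added the object, STIX object),
# kept in ascending order of date added. Timestamps share one RFC 3339 format, so
# plain string comparison orders them correctly.
STORE = [
    ("2024-01-10T08:00:00.000Z", {"type": "indicator", "spec_version": "2.1",
        "id": "indicator--11111111-1111-4111-8111-111111111111",
        "pattern_type": "stix", "pattern": "[ipv4-addr:value = '192.0.2.10']",
        "valid_from": "2024-01-10T08:00:00.000Z"}),
    ("2024-01-12T09:30:00.000Z", {"type": "malware", "spec_version": "2.1",
        "id": "malware--22222222-2222-4222-8222-222222222222",
        "name": "ExampleDropper", "is_family": False}),
    ("2024-01-14T11:45:00.000Z", {"type": "indicator", "spec_version": "2.1",
        "id": "indicator--33333333-3333-4333-8333-333333333333",
        "pattern_type": "stix", "pattern": "[domain-name:value = 'c2.example.net']",
        "valid_from": "2024-01-14T11:45:00.000Z"}),
]


def server_handle(method, path, headers, query):
    """Minimal TAXII 2.1-style server. Returns (status, response headers, JSON body)."""
    if headers.get("Accept") != TAXII_MEDIA:
        return 406, {}, {"title": "Not Acceptable", "description": "Accept must be " + TAXII_MEDIA}
    if headers.get("Authorization") != VALID_AUTH:
        # Authenticate before revealing anything, including whether a path exists.
        return 401, {"WWW-Authenticate": "Basic"}, {"title": "Unauthorized"}
    if method != "GET":
        return 405, {}, {"title": "Method Not Allowed"}
    ok = {"Content-Type": TAXII_MEDIA}
    if path == "/taxii2/":  # discovery endpoint
        return 200, ok, {"title": "Example TAXII server", "api_roots": [API_ROOT + "/"]}
    if path == API_ROOT + "/collections/":
        return 200, ok, {"collections": [{"id": COLLECTION_ID, "title": "Shared indicators",
                                           "can_read": True, "can_write": False,
                                           "media_types": [STIX_MEDIA]}]}
    if path == API_ROOT + "/collections/" + COLLECTION_ID + "/objects/":
        after = query.get("added_after")  # exclusive: only objects added strictly later
        hits = [(ts, obj) for ts, obj in STORE if after is None or ts > after]
        if hits:
            ok["X-TAXII-Date-Added-First"] = hits[0][0]
            ok["X-TAXII-Date-Added-Last"] = hits[-1][0]
        return 200, ok, {"more": False, "objects": [obj for _, obj in hits]}
    return 404, {}, {"title": "Not Found"}


def client_poll(send, collection_id, added_after=None, auth=VALID_AUTH):
    """Client side: discover the API root, then pull objects added after a checkpoint.
    `send` is the transport (here the server function itself; over HTTPS it would issue
    the request). Returns (objects, checkpoint) where checkpoint is the next added_after."""
    headers = {"Accept": TAXII_MEDIA, "Authorization": auth}
    status, _, body = send("GET", "/taxii2/", headers, {})
    if status != 200:
        raise RuntimeError("discovery failed: %d %s" % (status, body.get("title")))
    api_root = body["api_roots"][0].rstrip("/")
    query = {"added_after": added_after} if added_after else {}
    status, resp_headers, envelope = send(
        "GET", api_root + "/collections/" + collection_id + "/objects/", headers, query)
    if status != 200:
        raise RuntimeError("poll failed: %d %s" % (status, envelope.get("title")))
    # Advance the checkpoint from the server's header, not from the client's clock.
    return envelope["objects"], resp_headers.get("X-TAXII-Date-Added-Last", added_after)


if __name__ == "__main__":
    objects, checkpoint = client_poll(server_handle, COLLECTION_ID)
    print("first poll:", [o["id"] for o in objects], "checkpoint", checkpoint)
    objects, checkpoint = client_poll(server_handle, COLLECTION_ID, added_after=checkpoint)
    print("second poll:", [o["id"] for o in objects], "checkpoint", checkpoint)
```

The envelope the server returns (`more`, `objects`) is the shape a real TAXII 2.1 client parses; a production client would also loop on `more` with the `next` cursor, which this example leaves out because the constructed collection fits in one page.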