In the ever-shifting landscape of cyberattacks, sharing threat intelligence and collaborating with industry peers to improve threat detection, analysis, and mitigation has become paramount for organizations. With shared threat intelligence, security teams not only gain a better understanding of the threat landscape but also gain insight into the better practices followed by others in the industry. While many commercial and public sources of threat intelligence are available, sharing threat intelligence within a community of organizations with similar cybersecurity interests provides insight into several aspects of a threat. However, such information-sharing communities need to standardize certain aspects of the exchange: what kind of threat information should be shared, which structure will allow threat data to be parsed efficiently, and how accurate the shared information is. Given the speed at which cyber threats unfold and the vast amount of data that needs to be analyzed and shared, organizations need a standard format to describe the information and a means to share the threat intelligence for everyone’s benefit. Moreover, the entire sharing process must be fast and convenient.
How Do STIX and TAXII Improve Threat Intelligence Sharing?
Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) address the aforementioned questions by making information consumable and shareable in a standardized format. They are two open, community-driven standards that allow the automated sharing of cybersecurity threat information. STIX and TAXII enhance the overall sharing strategy and facilitate a collaborative security strategy between organizations against cybersecurity threats.
In technical terms, STIX and TAXII are not sharing programs, tools, or software, but rather components and standards that support the automated expression of cyber threat information. While STIX defines the ‘What’ of a potential threat, TAXII defines ‘How’ the information is transmitted.
Both standards were originally developed at MITRE under the supervision of the Department of Homeland Security (DHS), the Office of Cybersecurity and Communications (CS&C), the National Cybersecurity and Communications Integration Center (NCCIC), and the US-CERT. In 2015, ownership of the standards was transferred to the Organization for the Advancement of Structured Information Standards (OASIS), which continues to maintain them.
What is STIX?
Structured Threat Information eXpression (STIX) is a structured language for representing cyber threat intelligence in a standardized, machine-readable format. STIX enables organizations to share threat intelligence with one another in a consistent and machine-readable manner, allowing security teams to better understand cyberattacks and respond to them more effectively. With the STIX structure, security teams can describe a threat from several aspects, as outlined in the sections that follow.
STIX was first presented in 2012 to describe cyber threat information and has since undergone multiple revisions. Over the years, the standard has been overhauled to include properties for expressing various kinds of threat information depending on the type of attack.
To express information about cyber threats in a structured way, STIX is built on three components:
- STIX Domain Objects (SDOs): These describe the key features of a cyber incident, such as Indicators, Campaigns, Courses of Action, Threat Actors, and Malware.
- STIX Cyber-Observable Objects (SCOs): These capture details about a network or host involved in a cyberattack. For example, processes that were running during the incident, a file that existed, IP addresses, or the network traffic between those addresses can all be recorded as observable objects.
- STIX Relationship Objects (SROs): These link objects from the SDOs and SCOs to enhance threat analysis and provide contextual information about an incident.
STIX 2.x vs STIX 1.x
Many organizations are increasingly adopting the newer STIX 2.x standards, which are more streamlined than the older STIX 1.x versions. Thanks to its different approach, STIX 2.x sets a strong foundation for developing threat intelligence solutions and also provides the flexibility to add features through new STIX Domain Objects (SDOs).
Unlike STIX 1.x, which was defined in XML, STIX 2.x objects are represented in JSON, a format widely favored by developers. In STIX 2.x, all SDOs are top-level objects and can be linked to each other using a named relationship type; the lack of this was a major drawback of STIX 1.x. Because certain object types in STIX 1.x were not top-level and were embedded in other objects, it was difficult to express a relationship between two objects, which limited the shared knowledge needed for cyber threat intelligence.
There are currently 18 top-level objects in STIX 2.1 for identifying threat data; they can be linked to each other to express specific relationships and aid in the classification of threats. These 18 objects are:
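To make the three building blocks and the named-relationship model concrete, here is an added example (not code from the original article, OASIS or Cyware) that assembles a STIX 2.1 bundle with the Python standard library only: two SDOs (an Indicator and a Malware object), one SCO (a File), and two SROs that link them with the spec's `indicates` and `drops` relationship types, followed by a small checker for the required properties and for references that point outside the bundle. The hash, names and generated ids are constructed sample values.

```python
"""Build and sanity-check a small STIX 2.1 bundle with only the standard library."""
import json
import uuid
from datetime import datetime, timezone

SPEC_VERSION = "2.1"
SAMPLE_SHA256 = "ab" * 32          # constructed placeholder, not a real malware hash


def now_ts() -> str:
    """STIX timestamps are RFC 3339 UTC strings; millisecond precision is the convention."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def stix_id(obj_type: str) -> str:
    """A STIX identifier is '<type>--<UUID>'; a random UUIDv4 is valid for any object."""
    return f"{obj_type}--{uuid.uuid4()}"


def sdo(obj_type: str, **props) -> dict:
    """Common properties every SDO/SRO carries, plus the caller's type-specific ones."""
    ts = now_ts()
    return {"type": obj_type, "spec_version": SPEC_VERSION, "id": stix_id(obj_type),
            "created": ts, "modified": ts, **props}


def relationship(rel_type: str, source: dict, target: dict) -> dict:
    """An SRO: a named, directed link between two objects, referenced by id."""
    return sdo("relationship", relationship_type=rel_type,
               source_ref=source["id"], target_ref=target["id"])


def build_bundle() -> dict:
    """Indicator --indicates--> Malware --drops--> File; the File is the SCO."""
    malware = sdo("malware", name="Example Dropper", is_family=False,
                  malware_types=["dropper"])
    payload = {"type": "file", "spec_version": SPEC_VERSION, "id": stix_id("file"),
               "name": "payload.dll", "hashes": {"SHA-256": SAMPLE_SHA256}}
    indicator = sdo("indicator", name="Dropped payload hash",
                    indicator_types=["malicious-activity"], pattern_type="stix",
                    pattern=f"[file:hashes.'SHA-256' = '{SAMPLE_SHA256}']",
                    valid_from=now_ts())
    links = [relationship("indicates", indicator, malware),
             relationship("drops", malware, payload)]
    return {"type": "bundle", "id": stix_id("bundle"),
            "objects": [indicator, malware, payload, *links]}


# Required type-specific properties for the object types used here (a subset of the spec).
REQUIRED = {"indicator": {"pattern", "pattern_type", "valid_from"},
            "malware": {"is_family"},
            "relationship": {"relationship_type", "source_ref", "target_ref"}}


def check_bundle(bundle: dict) -> list:
    """Return a list of problems (empty when the bundle passes these minimal checks)."""
    problems = []
    ids = {o["id"] for o in bundle["objects"]}
    for obj in bundle["objects"]:
        t = obj["type"]
        if not obj["id"].startswith(t + "--"):
            problems.append(f"{obj['id']}: id prefix does not match type {t}")
        for prop in REQUIRED.get(t, ()):
            if prop not in obj:
                problems.append(f"{obj['id']}: missing {prop}")
        if t == "file" and not ({"name", "hashes"} & obj.keys()):
            problems.append(f"{obj['id']}: a file SCO needs a name or hashes")
        if t == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj[ref] not in ids:
                    problems.append(f"{obj['id']}: {ref} points outside the bundle")
    return problems


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", check_bundle(bundle))
```

The checker is deliberately narrow: it catches the two mistakes that most often break consumers of shared bundles, an id whose prefix disagrees with its `type`, and a relationship whose `source_ref` or `target_ref` is not shipped in the same bundle. Full schema validation is what the OASIS `stix2-validator` is for.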
- Attack Pattern: It describes the way adversaries attempt to compromise targets.
- Campaign: It covers the period during which a specific malicious activity or set of attacks occurred against a set of targets.
- Malware: It includes information about the malicious code used in the specific attack(s).
- Malware Analysis: It contains metadata and in-depth analysis of a malware family.
- Grouping: It asserts that the referenced/relevant STIX objects share a context.
- Identity: It provides details about individuals, organizations, groups, or sectors targeted.
- Observed Data: It conveys information observed in STIX Cyber-Observable Objects (SCOs).
- Indicator: It represents pieces of forensic data that can be used to detect malicious activity.
- Opinion: An assessment of the accuracy of the information in a STIX object produced by a different entity.
- Note: It relates to additional informative text that is not available in the STIX objects, Marking Definition objects, or Language Content objects.
- Infrastructure: Represents software, services, systems, or any virtual resources that were a part of a targeted attack.
- Course of Action: It defines the recommended measures to be taken in response to a specified threat or threats.
- Report: Well-documented analysis of a threat actor, malware, or an attack technique.
- Intrusion Set: It focuses on resources used to orchestrate an attack against a target. It also provides details about the attackers depending on the behavior and attack pattern observed.
- Tool: Legitimate software (such as RDP, Nmap) that was used to perform an attack(s).
- Threat Actor: Provides details about threat actors from a nation-state, crime syndicate, or other nefarious organizations, along with their similarities with other cybercriminals.
- Location: It represents the geographic location.
- Vulnerability: An exploit target that was used by attackers to gain unauthorized access into an organization’s network.
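The Indicator and Observed Data entries above are where detection actually happens: an Indicator's `pattern` is written in the STIX patterning language and is matched against observed Cyber-Observable Objects. The following added example (not code from the article, OASIS or Cyware) implements a small subset of that language, one observation expression in square brackets, `=` and `!=` comparisons, `AND`/`OR` with parentheses, and object paths with quoted keys such as `file:hashes.'SHA-256'`, and runs constructed indicators against a constructed set of observed objects. The indicators and observations are sample data, not real IoCs.

```python
"""Evaluate a subset of STIX 2.1 patterns against observed Cyber-Observable Objects."""
import re

# One token per alternative; the order only matters where prefixes overlap ('!=' before '=').
_TOKEN = re.compile(r"""\s*(?:
    (?P<lbr>\[)|(?P<rbr>\])|(?P<lp>\()|(?P<rp>\))|
    (?P<op>AND|OR)\b|
    (?P<cmp>!=|=)|
    (?P<str>'(?:[^'\\]|\\.)*')|
    (?P<path>[a-z0-9_-]+:[A-Za-z0-9_.'\-]+)
)""", re.X)


def tokenize(pattern):
    """Split a pattern string into (kind, text) tokens; reject anything unrecognised."""
    pattern, pos, tokens = pattern.strip(), 0, []
    while pos < len(pattern):
        m = _TOKEN.match(pattern, pos)
        if not m:
            raise ValueError(f"bad pattern at offset {pos}: {pattern[pos:pos + 10]!r}")
        pos = m.end()
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens


class _Parser:
    """Recursive descent: observation := '[' expr ']', expr := term (OR term)*,
    term := factor (AND factor)*, factor := '(' expr ')' | path cmp 'literal'."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind):
        k, v = self.peek()
        if k != kind:
            raise ValueError(f"expected {kind}, got {k} {v!r}")
        self.i += 1
        return v

    def observation(self):
        self.take("lbr")
        node = self.expr()
        self.take("rbr")
        if self.peek()[0] is not None:   # e.g. "[...] AND [...]" or FOLLOWEDBY: out of scope here
            raise ValueError("only a single observation expression is supported")
        return node

    def expr(self):
        node = self.term()
        while self.peek() == ("op", "OR"):
            self.i += 1
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == ("op", "AND"):
            self.i += 1
            node = ("and", node, self.factor())
        return node

    def factor(self):
        if self.peek()[0] == "lp":
            self.i += 1
            node = self.expr()
            self.take("rp")
            return node
        path, op, lit = self.take("path"), self.take("cmp"), self.take("str")
        return ("cmp", path, op, lit[1:-1].replace("\\'", "'"))


def _split_path(path):
    """'file:hashes.'SHA-256'' -> ('file', ['hashes', 'SHA-256'])."""
    obj_type, _, prop = path.partition(":")
    return obj_type, [k.strip("'") for k in re.findall(r"'[^']*'|[^.']+", prop)]


def _lookup(obj, keys):
    for k in keys:
        if not isinstance(obj, dict) or k not in obj:
            return None
        obj = obj[k]
    return obj


def evaluate(node, observed):
    """True if the expression holds for the observation (a list of SCO dicts seen together).
    A comparison is satisfied by any SCO of the named type; objects lacking the property are skipped."""
    if node[0] == "and":
        return evaluate(node[1], observed) and evaluate(node[2], observed)
    if node[0] == "or":
        return evaluate(node[1], observed) or evaluate(node[2], observed)
    _, path, op, value = node
    obj_type, keys = _split_path(path)
    for sco in observed:
        if sco.get("type") != obj_type:
            continue
        actual = _lookup(sco, keys)
        if actual is not None and ((str(actual) == value) if op == "=" else (str(actual) != value)):
            return True
    return False


def match_indicators(indicators, observed):
    """Names of the indicators whose pattern matches the observed objects."""
    return [ind["name"] for ind in indicators
            if evaluate(_Parser(tokenize(ind["pattern"])).observation(), observed)]


SAMPLE_INDICATORS = [   # constructed examples, not real IoCs
    {"name": "Known dropper hash",
     "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
    {"name": "Suspicious domain or beacon IP",
     "pattern": "[domain-name:value = 'bad.example' OR ipv4-addr:value = '203.0.113.7']"},
    {"name": "Renamed installer",
     "pattern": "[file:name = 'update.exe' AND file:hashes.'SHA-256' != '" + "cd" * 32 + "']"},
]
SAMPLE_OBSERVED = [     # one constructed observation from a host snapshot
    {"type": "file", "name": "setup.exe", "hashes": {"SHA-256": "ab" * 32}},
    {"type": "ipv4-addr", "value": "203.0.113.7"},
]

if __name__ == "__main__":
    print(match_indicators(SAMPLE_INDICATORS, SAMPLE_OBSERVED))
```

Two points worth noting for anyone wiring this into a pipeline: the parser rejects multi-observation patterns (`[...] AND [...]`, `FOLLOWEDBY`, `WITHIN`) rather than silently mis-evaluating them, and every `!=` comparison is only satisfied by an object that actually carries the property, so a missing hash never counts as "not equal".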
Benefits of STIX
- Improves Threat Analysis and Investigation: STIX provides a way to perform advanced analysis on data collected from multiple sources. By converting the threat data into a common structure, it becomes convenient for security teams to analyze the entire data set in one go while identifying hidden threat patterns.
- Assists in Effective Correlation: The STIX standard helps remove duplicate data and ensures that the information shared is in a standardized format. This makes it easier for the entire body of threat information to be analyzed, enriched, and correlated. Security analysts can improve the process of correlating related Indicators of Compromise (IoCs) across pieces of information and get a clearer picture of an incident.
- Facilitates Effective Threat Intelligence Sharing: By structuring the raw threat data in a machine-readable format, STIX’s framework enables sharing of appropriate cyber threat indicators and other cyber threat information that can be used among security teams to gain appropriate levels of consistency, context, and control of a cyber threat.
What is TAXII?
Trusted Automated eXchange of Indicator Information (TAXII) is an application layer protocol that enables sharing of actionable threat information across organizations, products, and services. It empowers organizations to achieve situational awareness about emerging threats, whilst enabling them to further share the information with partners as they need. The core components of TAXII include:
- Services Specification: It defines the requirements that govern TAXII services and message exchanges.
- Message Binding Specification: It defines the requirement for representing TAXII messages in a particular format. There are different Message Binding Specifications for different formats.
- Protocol Binding Specification: It includes the conditions for transporting TAXII messages over network protocols such as HTTP.
- Query Format Specification: It includes the specifications that define query expressions, which are used with TAXII messages to specify the characteristics against which records are compared. Depending on the situation, it may also describe how to express the given format in a particular Message Binding, or this may be handled by a separate Message Binding Specification.
- Content Binding Reference: It is a reference document that lists the canonical Content Binding IDs. Using these, TAXII can convey the cyber threat information that parties or communities have requested, and it relies on the canonical IDs to identify the type and format of that information.
What Formats and Protocols does TAXII Support?
TAXII is used in conjunction with STIX and supports the exchange of threat information over HTTP/HTTPS. Just like STIX, TAXII has gained multiple new features since its first version, 1.1, was released in 2012. TAXII 2.x is the latest version and is considered an augmentation of the older TAXII 1.x. While the previous versions were designed to align with the XML-based STIX format, the newer versions of TAXII are format-agnostic and do not rely on any specific threat intelligence format. As the current versions of TAXII are not tied to a specific format or message protocol, they can accommodate multiple threat-sharing communities with different networking protocols and message format constraints.
What are TAXII Server and TAXII Client?
They are defined by their role in the threat intelligence exchange process. The TAXII Server acts as a central hub that shares standardized and anonymized threat intelligence. It serves as a platform for exchanging and gathering Indicators of Compromise (IoCs) that have been de-identified to safeguard privacy. A TAXII Server can also be used to compare intel about malware (identified in traffic logs) and share it in a structured manner for the benefit of others.
The TAXII Client, on the other hand, makes it easy to ingest threat intelligence from, and share it with, the TAXII Server. An advanced TAXII Client fetches valuable threat intelligence from STIX intelligence feeds, threat intelligence provider feeds, and Threat Intelligence Platforms (TIPs). It also enables an organization acting as a Client to share intelligence with the TAXII Server.
What are TAXII Collection and Channel?
TAXII Server and Client are built on two defined services that can support a variety of threat-sharing models. They are:
- Collection: Here the TAXII Client and Server exchange information in a request-response manner; the Server acts as a repository of cyber threat intelligence objects.
- Channel: Here TAXII Clients, with a TAXII Server at the center, exchange information with other TAXII Clients in a publish-subscribe model; the Server acts as a channel that pushes data from one Client to the others.
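The Collection exchange above, as an added example that is not part of the original article or of any Cyware or OASIS code: the server is a plain function standing in for a TAXII 2.1 server (no network sockets are opened), and the client builds the requests a TAXII 2.1 client would send: discovery at `/taxii2/`, the collections list, the objects envelope with `added_after` and `match[type]` filters, and a POST of new objects answered with a status resource. The base URL, API root, collection id and indicators are constructed placeholders.

```python
"""In-process simulation of the TAXII 2.1 Collection request/response exchange."""
import json
from urllib.parse import urlparse, parse_qs

TAXII_MEDIA = "application/taxii+json;version=2.1"
STIX_MEDIA = "application/stix+json;version=2.1"
API_ROOT = "/api1/"
COLLECTION_ID = "91a7b528-80eb-42ed-a74d-c6fbd5a26116"      # constructed sample id


def _indicator(n, pattern):
    """Constructed sample indicator number n (not a real IoC)."""
    ts = f"2024-01-0{n}T09:00:00.000Z"
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--6e9b6a3c-1c7b-4a9f-9a2e-00000000000{n}",
            "created": ts, "modified": ts, "name": f"constructed sample {n}",
            "pattern": pattern, "pattern_type": "stix", "valid_from": ts}


# Server-side store; date_added is when the server received the object, which added_after filters on.
_STORE = [{"date_added": "2024-01-01T10:00:00.000Z",
           "object": _indicator(1, "[domain-name:value = 'one.example']")},
          {"date_added": "2024-01-02T10:00:00.000Z",
           "object": _indicator(2, "[ipv4-addr:value = '203.0.113.5']")}]


def taxii_server(method, url, headers, body=None):
    """Server side: map one HTTP-style request to (status, response headers, JSON payload)."""
    if headers.get("Accept") != TAXII_MEDIA:          # TAXII 2.1 clients must request this media type
        return 406, {}, {"title": "Not Acceptable", "http_status": "406"}
    parsed = urlparse(url)
    path, query, ok = parsed.path, parse_qs(parsed.query), {"Content-Type": TAXII_MEDIA}
    objects_path = f"{API_ROOT}collections/{COLLECTION_ID}/objects/"
    if method == "GET" and path == "/taxii2/":                     # discovery resource
        return 200, ok, {"title": "Sample hub", "api_roots": [API_ROOT]}
    if method == "GET" and path == f"{API_ROOT}collections/":      # collections resource
        return 200, ok, {"collections": [{"id": COLLECTION_ID, "title": "Shared indicators",
                                          "can_read": True, "can_write": True,
                                          "media_types": [STIX_MEDIA]}]}
    if method == "GET" and path == objects_path:                   # envelope resource
        after = query.get("added_after", [""])[0]
        types = set(",".join(query.get("match[type]", [])).split(",")) - {""}
        chosen = [e["object"] for e in _STORE
                  if e["date_added"] > after and (not types or e["object"]["type"] in types)]
        return 200, ok, {"more": False, "objects": chosen}
    if method == "POST" and path == objects_path:                  # add objects -> status resource
        if headers.get("Content-Type") != TAXII_MEDIA:
            return 415, {}, {"title": "Unsupported Media Type", "http_status": "415"}
        good = bad = 0
        for obj in json.loads(body or "{}").get("objects", []):
            if obj.get("id", "").startswith(obj.get("type", "?") + "--"):
                _STORE.append({"date_added": "2024-01-03T10:00:00.000Z", "object": obj})  # constructed clock
                good += 1
            else:
                bad += 1
        return 202, ok, {"id": "status--0d3f1a0e-5b2c-4c6b-9f2b-000000000001", "status": "complete",
                         "total_count": good + bad, "success_count": good,
                         "failure_count": bad, "pending_count": 0}
    return 404, {}, {"title": "Not Found", "http_status": "404"}


class TaxiiClient:
    """Client side: builds the requests a TAXII 2.1 client sends and unpacks the answers."""

    def __init__(self, transport, base="https://hub.example"):   # constructed base URL
        self.transport, self.base, self.log = transport, base, []

    def _call(self, method, path, payload=None):
        headers, body = {"Accept": TAXII_MEDIA}, None
        if payload is not None:
            headers["Content-Type"], body = TAXII_MEDIA, json.dumps(payload)
        status, _, answer = self.transport(method, self.base + path, headers, body)
        self.log.append((method, path, status))
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> {status} {answer.get('title')}")
        return answer

    def discover(self):
        return self._call("GET", "/taxii2/")["api_roots"]

    def collections(self, api_root):
        return self._call("GET", f"{api_root}collections/")["collections"]

    def get_objects(self, api_root, cid, added_after=None, types=()):
        params = ([f"added_after={added_after}"] if added_after else []) + \
                 ([f"match[type]={','.join(types)}"] if types else [])
        path = f"{api_root}collections/{cid}/objects/" + ("?" + "&".join(params) if params else "")
        return self._call("GET", path)["objects"]

    def add_objects(self, api_root, cid, objects):
        return self._call("POST", f"{api_root}collections/{cid}/objects/", {"objects": objects})


def demo():
    """One full exchange against the in-process server; returns a summary for inspection."""
    client = TaxiiClient(taxii_server)
    root = client.discover()[0]
    cid = client.collections(root)[0]["id"]
    everything = client.get_objects(root, cid, types=["indicator"])
    recent = client.get_objects(root, cid, added_after="2024-01-01T12:00:00.000Z")
    status = client.add_objects(root, cid, [_indicator(3, "[url:value = 'http://three.example/x']"),
                                            {"type": "indicator", "name": "no id, will be rejected"}])
    return {"initial": len(everything), "recent": [o["name"] for o in recent], "status": status,
            "after_add": len(client.get_objects(root, cid)), "requests": client.log}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `added_after` filter is what makes polling cheap: a client stores the `date_added` of the newest object it has seen and asks only for what arrived afterwards, while `more`/`next` (always `false` here) are how a real server pages large collections. Swapping `taxii_server` for a function that issues real HTTPS requests turns `TaxiiClient` into a network client without changing its logic.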
STIX/TAXII Threat Sharing Models
TAXII enables machine-to-machine sharing of threat intelligence by defining an API that supports common sharing models. These are:
- Hub and Spoke Model: In this model, one principal organization acts as the Hub and collects information from, or shares it with, the other organizations, which act as Spokes. If one Spoke wants to share a piece of information with the other Spokes, it first shares it with the Hub, which analyzes and enriches it and then passes it on to all the other Spokes. A Hub may also gather information from non-Spoke sources such as regulatory bodies, commercial threat intelligence feed providers, and OSINT sources, among others, to share contextualized information with the Spokes.
- Peer-to-Peer Model: It is a decentralized communication model in which organizations have equal capabilities. Since there are no client/server roles, any organization can share threat intelligence directly with any other.
- Source and Subscriber Model: In this sharing model, one organization acts as the single source that sends information to all subscribers. However, those consuming the intelligence do not share threat intelligence back with the source. The source can be an Open-Source Intelligence (OSINT) feed or a publicly available threat-report-sharing entity.
Why Is Hub and Spoke the Most Widely Used Model?
In our ever more connected world, managing cyber threats has become more difficult than ever, and it is not possible for an organization to defend itself by working in a silo. To tackle sophisticated cyber threats, the Hub and Spoke model, which enables two-way sharing of information, has proven more beneficial than the others by enabling advanced situational awareness, improved decision-making, and security collaboration. The uniqueness of this model lies in the way it removes duplicate and redundant threat information before sharing it with the Spokes. Organizations using a Threat Intelligence Platform (TIP) can set up a Hub that combines and anonymizes threat intel from different Spokes, after which only authentic, enriched data is shared with the other Spokes for further analysis.
The effectiveness of this model also lies in the way it enables a private organization to build a trusted sharing community by facilitating bidirectional sharing of threat intelligence. By leveraging this model, an organization can act as the central Hub, create its own community with its vendors, peers, clients, and partners, and share threat intelligence with them in a bidirectional fashion. Using the Hub and Spoke sharing model, organizations can also ingest real-time information from CERTs or other government or regulatory agencies, collaborate with sectoral ISACs and ISAOs, and exchange indicators with their clients and vendors. With access to relevant threat intelligence, organizations can accelerate investigation and alert triage for an incident in real time.
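The hub-side merge step described above (deduplicating, anonymizing and enriching what the Spokes submit before redistributing it), as an added example that is not Cyware's CTIX code or any part of the article: indicators from several Spokes are grouped by pattern, the number of distinct reporting Spokes is recorded, the most restrictive TLP marking seen is kept (unmarked submissions are treated as TLP:AMBER so the hub never over-shares by accident), only an allow-list of properties is copied out, and every re-issued object is attributed to the hub's own identity with a hub-minted, stable id. The spoke names, identities and indicators are constructed; the `confidence` rule and the `x_hub_reporting_spokes` custom property are an example policy, not part of the STIX standard; the TLP marking-definition ids are the fixed values defined in STIX 2.1.

```python
"""Hub-side merge of indicator submissions from several Spokes."""
import uuid

HUB_IDENTITY = "identity--3f2a6b1e-0a1c-4c1d-9b8e-7d6f5a4b3c2d"     # constructed hub identity id
HUB_NAMESPACE = uuid.UUID("9c1e5a7b-2d3f-4e6a-8b9c-0d1e2f3a4b5c")   # constructed UUIDv5 namespace

# Fixed TLP marking-definition ids from the STIX 2.1 specification, least to most restrictive.
TLP_MARKING = {
    "white": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "red": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
TLP_RANK = {name: rank for rank, name in enumerate(TLP_MARKING)}
MARKING_TO_TLP = {ref: name for name, ref in TLP_MARKING.items()}
DEFAULT_TLP = "amber"   # unmarked submissions are never treated as freely shareable
# Only these properties leave the hub; created_by_ref, external_references and any
# spoke-specific custom fields stay inside.
SHARED_PROPS = ("name", "description", "pattern", "pattern_type", "valid_from", "indicator_types")


def strictest_tlp(marking_refs):
    """Most restrictive TLP among an object's markings (DEFAULT_TLP when it carries none)."""
    names = [MARKING_TO_TLP[r] for r in marking_refs if r in MARKING_TO_TLP]
    return max(names, key=TLP_RANK.__getitem__) if names else DEFAULT_TLP


def merge_submissions(submissions, as_of="2024-02-01T00:00:00.000Z"):
    """submissions: {spoke_name: [indicator dicts]} -> hub-attributed indicators, one per
    distinct (pattern_type, pattern), in pattern order. as_of is the hub's own timestamp
    for the re-issued objects (a constructed default here)."""
    merged = {}
    for spoke, indicators in submissions.items():
        for ind in indicators:
            key = (ind.get("pattern_type", "stix"), ind["pattern"])
            tlp = strictest_tlp(ind.get("object_marking_refs", []))
            entry = merged.setdefault(key, {"latest": ind, "spokes": set(), "tlp": tlp})
            entry["spokes"].add(spoke)
            entry["tlp"] = max(entry["tlp"], tlp, key=TLP_RANK.__getitem__)
            if ind.get("modified", "") > entry["latest"].get("modified", ""):
                entry["latest"] = ind      # keep the most recently updated description
    out = []
    for (ptype, pattern), entry in sorted(merged.items(), key=lambda kv: kv[0]):
        src, n = entry["latest"], len(entry["spokes"])
        obj = {"type": "indicator", "spec_version": "2.1",
               # Hub-minted id, stable across runs, so a re-share updates rather than duplicates.
               "id": f"indicator--{uuid.uuid5(HUB_NAMESPACE, ptype + ':' + pattern)}",
               "created": as_of, "modified": as_of,
               "created_by_ref": HUB_IDENTITY,               # attributed to the hub, not the spoke
               "object_marking_refs": [TLP_MARKING[entry["tlp"]]],
               "confidence": min(100, 40 * n),               # example policy, not a standard formula
               "x_hub_reporting_spokes": n}                  # custom property: a count, never names
        obj.update({p: src[p] for p in SHARED_PROPS if p in src})
        out.append(obj)
    return out


def _sample(ident, spoke_ref, name, pattern, ts, tlp):
    """Constructed spoke submission (not a real IoC)."""
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{ident}",
            "created_by_ref": spoke_ref, "created": ts, "modified": ts, "name": name,
            "pattern": pattern, "pattern_type": "stix", "valid_from": ts,
            "object_marking_refs": [TLP_MARKING[tlp]]}


SPOKE_A = "identity--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"   # constructed
SPOKE_B = "identity--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"   # constructed
SAMPLE_SUBMISSIONS = {
    "spoke-a": [_sample("11111111-1111-4111-8111-111111111111", SPOKE_A, "C2 domain",
                        "[domain-name:value = 'c2.example']", "2024-01-05T08:00:00.000Z", "amber")],
    "spoke-b": [_sample("22222222-2222-4222-8222-222222222222", SPOKE_B, "Beaconing domain",
                        "[domain-name:value = 'c2.example']", "2024-01-06T08:00:00.000Z", "green"),
                _sample("33333333-3333-4333-8333-333333333333", SPOKE_B, "Scanner source",
                        "[ipv4-addr:value = '198.51.100.9']", "2024-01-06T09:00:00.000Z", "white")],
}

if __name__ == "__main__":
    for o in merge_submissions(SAMPLE_SUBMISSIONS):
        print(o["pattern"], MARKING_TO_TLP[o["object_marking_refs"][0]],
              o["x_hub_reporting_spokes"], o["confidence"])
```

The allow-list (`SHARED_PROPS`) is the anonymization control: rather than trying to strip every field that might identify a Spoke, the hub copies only the fields it has decided are safe to redistribute. Keeping the strictest marking seen means one Spoke labelling a shared indicator TLP:AMBER is enough to prevent the hub from publishing it as TLP:GREEN on another Spoke's say-so.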
Benefits of TAXII
- Enables Faster Threat Intelligence Sharing: TAXII uses a defined data format and message services to automate the exchange of threat information, which would otherwise be a daunting task when done manually. As cyber threat information sharing becomes faster, defenders can receive alerts in real time.
- Facilitates More Participation and Interoperability: TAXII reduces the technological barriers to joining threat-sharing communities. It does not depend on specific messaging formats and networking protocols and thus enables more organizations to participate and be more aware of emerging threats. TAXII also breaks down silos and improves interoperability between security teams from different organizations by improving their threat intelligence sharing capabilities.
- Secures Transmission of Threat Data: Since TAXII specifies common standard mechanisms for preserving the confidentiality, integrity, delivery, and attribution of information about cyber threats, these features can be incorporated into solutions to automatically provide the necessary level of security and privacy protection. This in turn saves time for the further analysis process required by an organization.
Cyware CTIX: The Best STIX/TAXII-based Threat Intelligence Platform
The key to successfully addressing sophisticated threats is collaboration-driven threat intelligence sharing. Cyware Threat Intelligence eXchange (CTIX) is an advanced STIX/TAXII-based Threat Intelligence Platform (TIP) that leverages the Hub and Spoke model to automate bi-directional threat intelligence sharing and enables effective collaboration between threat-sharing communities including ISACs/ISAOs and private sharing communities. It empowers security teams with automated multi-source threat data ingestion in a variety of formats including STIX 2.x, threat enrichment, analysis, scoring, and sharing of actionable threat intelligence. CTIX normalizes, correlates, and enriches raw threat data to deliver high-fidelity, contextualized threat intelligence to be shared with security teams and other stakeholders based on their roles and needs. CTIX further facilitates automated actioning of threat data in detection, analysis, and response platforms including SIEM, EDR/NDR, UEBA, Incident Response (IR), Vulnerability Management, and other platforms.
To learn more about Cyware CTIX and how it facilitates the operationalization of threat intelligence using STIX and TAXII, book a free demo!