In today’s threat landscape, sharing cyber threat intelligence is of the essence. If an organization’s security teams and technologies work in silos, it cannot succeed in defending against advanced threats. It is important to understand adversaries’ behavior and their tactics, techniques, and procedures (TTPs) to gain valuable insights into their objectives and strategies and TAXII helps achieve that by enabling threat intelligence sharing between organizations using STIX standards. Trusted Automated Exchange of Intelligence Information (TAXII) is an application layer protocol for sharing cyber threat intelligence between different organizations, boosting situational awareness. In simpler terms, TAXII is an open transport mechanism for the communication of threat information in a simple, standardized, and scalable fashion.
TAXII - The Transport Mechanism
TAXII allows for sharing of indicators and data in a way that can be automated, including supporting the exchange of more than just indicators. It is the preferred exchange mechanism for Structured Threat Information Expression (STIX), which is a language and serialization format used for exchanging cyber threat intelligence. TAXII enables organizations to share threat intelligence by defining an API that cooperates with common sharing models like Source/Subscriber, Hub-and-Spoke Model, and Peer-to-Peer. Besides a RESTful API, TAXII defines a set of requirements—Collections and Channels—for TAXII Clients and Servers.
What is a TAXII Server?
TAXII Server is like a database of indicators of compromise (IOCs) and other information that is used in cyber threat intelligence. A TAXII Client can read or write to this data on a certain TAXII Server.
A TAXII Server makes it easier for users to share and collect contextualized cyber threat intelligence. It offers a venue for sharing and collecting indicators of compromise (IOCs), but it also provides opportunities for comparing information about suspicious activities.
What is a TAXII Client?
Can a TAXII Client send data to other servers and clients? Can a TAXII Client receive data from other servers and clients? The answer is yes. A TAXII Client can send as well as receive data to/from other servers and clients.
TAXII Client is a REST Client that allows you to connect to a TAXII Server, get updated with the latest cyber threat intelligence from the server, and then import it into your local database. Also, it has the ability to help you manage multiple TAXII Servers at once, and you do not have to worry about server limitations like only allowing 100 or fewer connections a day.
What is a TAXII Collection?
A TAXII Collection is an interface to a database of cyber threat intelligence objects provided by a TAXII Server and is used by TAXII Clients to send information to the TAXII Server or request information from the TAXII Server. In one API Root, multiple TAXII Collections can be hosted by a TAXII Server, and these Collections are employed to exchange information in a request-and-response fashion. In simpler terms, a TAXII Collection can be used when a single TAXII Client makes a request to the TAXII Server and that Server fulfills the request.
What is a TAXII Channel?
Maintained by a TAXII Server, a TAXII Channel is a publish and subscribe communication channel used by TAXII Clients to exchange information with other TAXII Clients. Channel-based communication is used when a TAXII Client sends information to the TAXII Server, and that information is distributed to all the other TAXII Clients connected to the TAXII Channel. In an API Root, multiple TAXII Channels can be hosted by a TAXII Server.
When it comes to connecting with cyber threat intelligence providers, TAXII Server and TAXII Client applications are required for the source and collection entities involved in the sharing mechanism. Let’s dig deeper into TAXII Server and TAXII Client and how they differ from one another.
TAXII Server vs. TAXII Client
While both TAXII Clients and Servers exchange information in a request-response model, a TAXII Server is an entity that provides access to threat information on behalf of itself or another entity and one or more TAXII Clients may interact with it. The TAXII Server provides access to one or more Collections containing threat information, each Collection containing one or more pieces of content.
The act of retrieving and sending threat information is called “polling.” The TAXII Client polls the TAXII Server, requesting threat information, and the TAXII Server responds with the requested threat information (and/or an error response). Polling does not have a defined time period associated with it, so no time-based constraints apply. Simply put, a TAXII Client can request specific content from a TAXII Server by specifying a set of filters included in the request to the server.
While TAXII Client only provides developers with the support to interact with TAXII Services, TAXII Server enables developers to implement those TAXII Services for threat intelligence producers and consumers. In a broader sense, both TAXII Clients and TAXII Servers are defined by their role in threat intelligence sharing and not how they are built.
Share and Collect Threat Intel with CyTAXII
Cyware Threat Intelligence eXchange (CTIX) is a next-generation connected threat intelligence platform that automates the ingestion, enrichment, analysis, and dissemination of threat data to internal security tools, teams, and stakeholders, and a trusted external network. CTIX follows the hub-and-spoke model for bidirectional threat data exchange, with a central hub or a server sharing threat intelligence with spokes in a bi-directional fashion. Moreover, Cyware offers CyTAXII, an open-source TAXII Client that enables security teams to easily ingest and share threat intelligence in the latest STIX formats. Any organization using a threat intelligence platform such as CTIX can leverage CyTAXII to accelerate threat intelligence sharing capabilities with its vendors, peers, business units, etc. Book a free demo to learn more about Cyware's Threat Intel Platform Solutions.