In the past several years, demand has grown for faster and more efficient ways to share and exchange threat intelligence between security teams. To store, organize, and exchange cyber threat data in a systematic manner, standards like STIX have been developed. In this guide, we will look at how the STIX framework has evolved to keep pace with the rapidly changing dynamics of cyber threat intelligence sharing.
What is STIX?
Structured Threat Information Expression (STIX) is a language and serialization format developed for exchanging Cyber Threat Intelligence (CTI). It is an open-source platform that allows easy representation of all aspects of any cybersecurity threat, including suspicion, compromise, and attribution, across multiple objects and entities.
One of the main purposes of STIX is to allow organizations to share threat intelligence in a machine-readable format in an automated or semi-automated fashion. At the same time, it allows an efficient visual representation of all the available information for faster analysis. This gives security teams better insight into how attackers target organizations and how they can predict or respond to those attacks more efficiently. Threat intelligence sharing using STIX benefits security teams through automated threat data exchange, threat analysis, automated detection, and response.
Evolution from STIX 1.x to STIX 2.x
STIX 1.0 was released in February 2014. It was useful, yet it had several shortcomings: its format was complex and difficult to implement, and it left considerable room for ambiguity between different tools, even when each was individually implemented to the STIX 1.0 specification. For example, a vendor developing an endpoint protection agent might follow every norm of STIX 1.0, and still their tool might be unable to communicate with a threat intelligence platform (TIP) developed by a different vendor, even when that second vendor also follows the STIX 1.0 specification. Therefore, the creators of STIX significantly redesigned the model, dropped some of the programmatic objects, and defined properties in STIX 1.2.1, released in May 2016. STIX 2.0, released in 2017, was a big leap forward: the base document format changed from XML to JSON, it supported a single way to define indicators, and it provided support for temporal relationships. Later, STIX 2.1 was released in March 2020, adding new objects and features in an iterative approach to fulfilling the basic consumer and producer needs of cyber threat intelligence sharing.
What Objects are Supported in STIX 2.1?
A STIX Object is a discrete piece of information with a defined set of attributes to be populated. Chaining various objects together with relationships allows meaningful structuring and presentation of cyber threat intelligence. These objects are divided into:
- STIX Core: STIX Domain Objects (SDO), STIX Cyber-observable Objects (SCO), and STIX Relationship Objects (SRO)
- STIX Meta: Language Content Objects and Marking Definition Objects
- STIX Bundle Objects
STIX 2.1 defines 18 STIX Domain Objects. These are higher-level intelligence objects that represent the behaviors and constructs threat analysts create or work with while understanding the threat landscape.
- Attack Pattern: A type of tactic, technique, and procedure (TTP) that explains how attackers try to target victims.
- Campaign: A grouping of adversary behaviors that describes a set of malicious activities or attacks occurring over a period of time against a specific set of targets.
- Course of Action: A recommendation from a producer of cyber threat intelligence to a consumer on the actions to be taken in response to that intelligence.
- Grouping: Explicitly identifies the shared context between the referenced STIX Objects, unlike a STIX Bundle, which only conveys information without any context.
- Identity: Represents actual individuals, organizations, or groups, as well as classes of individuals, organizations, systems, or groups (for example, the manufacturing sector). It is used to represent entities such as the identities of threat actors, targets of attacks, information sources, and object creators.
- Indicator: This object provides information on the patterns that can be used to identify malicious or suspicious cyber activity.
- Infrastructure: A type of TTP that explains any systems, software services, and associated physical or virtual resources meant to support some purpose.
- Intrusion Set: A grouped set of adversary behaviors and resources with common properties, believed to be orchestrated by a single organization.
- Location: This object represents a geographic location.
- Malware: A type of TTP that describes malicious code.
- Malware Analysis: The metadata and results of a particular static or dynamic analysis performed on a malware instance or family.
- Note: This is used to add additional informative text to provide more context and additional analysis not included in the STIX Objects, Marking Definition objects, or Language Content objects to which the Note relates.
- Observed Data: Shares details about cybersecurity-related entities such as systems, files, and networks using the STIX Cyber-observable Objects (SCOs).
- Opinion: An assessment of the correctness of the information in a STIX Object produced by a different entity.
- Report: A collection of threat intelligence aimed at one or more topics, such as a description of a threat actor, malware, and attack technique.
- Threat Actor: Actual individuals, groups, or organizations considered to be operating with ill intent.
- Tool: Legitimate software that attackers can use to perform attacks.
- Vulnerability: A flaw in software that is directly used by an attacker to gain access to a system or network.
How Is STIX 2.x Different From STIX 1.x?
STIX 2.x can be considered a leap forward from STIX 1.0. In the 2.x version, several new additions have been made in terms of defining objects and the relationships between them. This provides flexible ways to write attack theories with detailed information about all the elements involved. STIX 2.x differs from STIX 1.x in the following ways:
Shift from XML to JSON
STIX 2.x is based on JSON serialization, while STIX 1.x was defined using XML. JSON is more lightweight and enables an easier expression of threat intelligence semantics. It is simpler to use and generally favored by developers.
STIX Domain Objects (SDO)
All objects in STIX 2.x are top-level, rather than being nested inside other objects. These objects are named STIX Domain Objects (SDO). Some object properties reference other object IDs directly, though most relationships are defined using the top-level Relationship object. The generic TTP and Exploit Target types from STIX 1.x are separated into top-level objects with specific purposes in STIX 2.x (Attack Pattern, Malware, Tool, and Vulnerability).
Relationships are Now Top-Level Objects
STIX 2.x provides a top-level Relationship object that links two other top-level objects using a named relationship type. STIX 2.x content can be considered a connected graph, where the edges are Relationship Objects and the nodes are SDOs. The STIX 2.x specification offers a set of named relationships as suggestions, yet allows content producers to define their own relationship types as well.
In STIX 1.x, relationships are embedded in other objects, and the STIX 1.x specification limits the types of relationships supported. Because STIX 1.x relationships were not top-level objects, a user could not express a relationship between two objects without making changes to one of them. Using the new Relationship object, others (not just the original content creators) can easily add to the shared knowledge independently.
STIX 1.x has a common set of features that are widely used and easily understood, while many other features lack shared understanding and have only limited use. Further, almost all object properties are optional. It is generally thought that the breadth of STIX 1.x limits intelligence sharing and requires a formal agreement among threat-sharing groups on what should be shared (such as profiles). STIX 2.x takes a different approach: many properties are required, and the number of objects and properties is limited to a core set of features.
STIX 2.x has two types of data markings: object markings, which apply to a whole object, and granular markings, which apply to one or more properties of an object. The scope of a data marking is defined within the object that carries it.
Indicator Pattern Language
Indicator patterns in STIX 1.x are defined using XML syntax, so even the simplest patterns are difficult to create and understand. STIX 2.x follows a different approach, in which the language for specifying patterns is separate from the serialization language. Patterns written in the STIX patterning language are smaller and easier to read. Further, there is no confusion between patterns and observations, as a pattern is not a top-level object (it is a property of an Indicator object).
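To tie the three points above together (top-level Relationship objects, object and granular data markings, and the STIX patterning language living inside an Indicator property), here is an added example, not code from the original post or from any STIX implementation, that builds a small STIX 2.1 bundle with the standard library only and then checks that every id is well-formed and every reference resolves inside the bundle. The marking statement, malware name and domain are constructed sample values.

```python
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 identifier: object type, two hyphens, a lowercase UUID.
ID_RE = re.compile(r"^([a-z0-9-]+)--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")

def now_ts():
    # STIX 2.1 timestamps are RFC 3339 in UTC; millisecond precision is enough here.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def stix_obj(obj_type, **props):
    # Common properties carried by every STIX 2.1 Domain and Relationship Object.
    ts = now_ts()
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}

def build_bundle():
    # A 'statement' Marking Definition (it has no 'modified' property in 2.1); constructed values.
    marking = stix_obj("marking-definition", definition_type="statement",
                       definition={"statement": "Constructed sample data, free to share"})
    del marking["modified"]
    malware = stix_obj("malware", name="SampleLoader", is_family=False)
    indicator = stix_obj(
        "indicator", pattern_type="stix", valid_from=now_ts(),
        pattern="[domain-name:value = 'c2.example']",   # STIX pattern, not XML
        object_marking_refs=[marking["id"]],             # object marking: whole object
        granular_markings=[{"marking_ref": marking["id"], "selectors": ["pattern"]}])
    # The Relationship is its own top-level object; neither endpoint is modified.
    rel = stix_obj("relationship", relationship_type="indicates",
                   source_ref=indicator["id"], target_ref=malware["id"])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [marking, malware, indicator, rel]}

def check_bundle(bundle):
    """Return problems found: malformed ids, id/type mismatch, refs that do not resolve."""
    problems, ids = [], set()
    for o in bundle["objects"]:
        m = ID_RE.match(o.get("id", ""))
        if not m or m.group(1) != o.get("type"):
            problems.append(f"bad id on {o.get('type')}: {o.get('id')}")
        ids.add(o.get("id"))
    for o in bundle["objects"]:
        refs = [o.get("source_ref"), o.get("target_ref"), *o.get("object_marking_refs", []),
                *(g["marking_ref"] for g in o.get("granular_markings", []))]
        problems += [f"dangling ref {r} in {o['id']}" for r in refs if r and r not in ids]
    return problems
```

`check_bundle(build_bundle())` returns an empty list; a consumer can run the same check on received bundles before loading them, since a dangling `source_ref` or `marking_ref` means the graph is incomplete.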
Share Threat Intelligence in STIX 2.x Format with CTIX
CTIX ingests data in all formats (PDF, CSV, JSON, STIX/TAXII) from a multitude of internal and external sources; normalizes, deduplicates, analyzes, correlates, and enriches this data; continually pushes finished threat intelligence into the organization's other security and IT technologies; and shares relevant intel with security teams and other stakeholders based on their specific roles and needs. CTIX also enables the exchange of relevant threat information with trusted third parties (both public and private).
CTIX follows the hub-and-spoke model for bidirectional threat data exchange, with a central server or a central organization or team disseminating relevant intel to all connected tools or entities while also ingesting data from these systems. By integrating with security tools across an organization’s internal network, the platform enables threat intelligence delivery to detection sensors in real time, significantly improving the speed of detection and response. To learn more about different threat data standardization formats and CTIX features, book a free demo now!