STIX Cybersecurity: A Guide to STIX 2.1

Table of Contents

How did STIX Evolve?

STIX 2.0 - The Big Leap 

How is STIX 2.1 Different from STIX 2.0?

Share and Receive Threat Intel in STIX 2.1 with Intel Exchange 


Posted on: August 21, 2022

Structured Threat Information Expression (STIX) is a language and serialization format for exchanging cyber threat intelligence (CTI). It gives producers and consumers a common, machine-readable way to store, organize, and exchange threat data, so that an indicator, a malware description or a campaign written by one organization can be parsed and correlated by another without custom mapping.

How did STIX Evolve?

STIX has a long history of evolution. The first version, STIX 1.0, was released by MITRE in 2013, with STIX 1.1 following in February 2014. It provided a standard framework of nine key constructs and the relationships among them, which could be used to describe and share cyber threat information: Observables, Indicators, Incidents, Adversary Tactics, Techniques and Procedures (TTPs), Exploit Targets, Courses of Action, Campaigns, Threat Actors, and Reports. However, STIX 1.x used a complex XML format that was difficult to implement. STIX 1.2.1, published in May 2016, was essentially STIX 1.2 carried over into the OASIS standards process with minimal changes; the real redesign came with STIX 2.0.

STIX 2.0 - The Big Leap 

In 2017, STIX 2.0 was released. It was a paradigm shift: CybOX, the separate cyber observable language, was merged into STIX, the base document format changed from XML to JSON, indicators gained a single way of being expressed (the STIX patterning language), and relationships became top-level objects rather than properties embedded in other objects. The most recent version, STIX 2.1, was approved as an OASIS Committee Specification in March 2020 and became an OASIS Standard in June 2021. It added new objects and features in an iterative way, aiming to satisfy the basic producer and consumer requirements for sharing cyber threat intelligence.

How is STIX 2.1 Different from STIX 2.0?

Each piece of intelligence is expressed as a STIX Object with a defined set of properties, and chaining objects together through relationships is what gives the intelligence its structure. The objects fall into three groups: STIX Core Objects, which are the STIX Domain Objects (SDOs), STIX Cyber-observable Objects (SCOs) and STIX Relationship Objects (SROs); STIX Meta Objects, which are Language Content, Marking Definition and (in the final 2.1 standard) Extension Definition objects; and the STIX Bundle, a container used to transport a set of objects.

STIX 2.1 is different from STIX 2.0 in various ways, including several updates in Objects and their properties.

New Objects

STIX 2.0 has 12 STIX Domain Objects (SDOs): Attack Pattern, Campaign, Course of Action, Identity, Indicator, Intrusion Set, Malware, Observed Data, Report, Threat Actor, Tool, and Vulnerability.

STIX 2.1 added six new SDOs:
  • Grouping: Explicitly asserts that the referenced STIX Objects share a context (for example, the set of objects produced by one investigation). This differs from a STIX Bundle, which only transports objects and implies no shared context.
  • Infrastructure: Represents a type of TTP, namely the systems, software services, and associated physical or virtual resources that support some purpose, such as command-and-control servers or phishing hosting.
  • Location: Represents a geographic location.
  • Malware Analysis: Captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family.
  • Note: Adds informative text that provides further context or analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects it references. Notes can be created by anyone, not just the creator of the object they refer to.
  • Opinion: An assessment of the correctness of the information in a STIX Object, produced by an entity other than the object's creator.

With these additions, STIX 2.1 has a total of 18 STIX Domain Objects, which together provide a set of high-level intelligence objects for describing behaviors and entities in a cyber security context. Threat analysts create and work with them while analyzing a threat landscape, and can then share them with other people or organizations in a standard, consistent format.

Objects Underwent a Significant Change

In STIX 2.1, Malware and Course of Action have changed significantly. The Malware SDO identifies, characterizes, and classifies malware instances and families, often from analysis data. In STIX 2.0 it had only five properties beyond the common ones:
  • type
  • labels
  • name
  • description
  • kill_chain_phases

STIX 2.1 adds a number of properties for capturing contextual data. The most important are:
  • is_family (required: true for a malware family, false for a specific instance)
  • malware_types (replaces the 2.0 labels property; values come from the malware-type open vocabulary)
  • aliases (optional alternative names)

In addition, there are several optional properties, such as
  • first_seen
  • last_seen
  • os_execution_envs (replaced in the final STIX 2.1 standard by operating_system_refs, which points at Software SCOs)
  • architecture_execution_envs
  • implementation_languages
  • capabilities
  • sample_refs (references to the SCOs, such as File or Artifact objects, that hold the samples)

Similarly, the Course of Action SDO, which carries a recommendation from a producer of intelligence to a consumer, gained new properties. STIX 2.0 defined type, name, description, and a reserved action property. The STIX 2.1 committee specification drafts added:
  • os_execution_envs,
  • action_bin, and
  • action_reference.
Note that these action properties were removed again before the final OASIS Standard (June 2021), which leaves Course of Action with just name and description plus the common properties, so check which revision of 2.1 your tooling targets before relying on them.

Confidence Score

STIX 2.1 added a confidence property, available on every SDO and SRO, that states how confident the creator is in the correctness of the object's content. The value must be an integer in the range 0-100. The specification also provides normative mapping tables to other confidence scales (for example None/Low/Med/High, a 0-10 scale, the Admiralty scale and words of estimative probability), which must be used when the confidence is presented in one of those scales. If the confidence property is absent, the confidence of the content is unspecified, which is not the same as zero.
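As an added example (not code from the original post or from Cyware), the following validator checks a STIX 2.1 Malware object for the property changes described above (is_family required, labels replaced by malware_types, list and timestamp shapes) and renders the confidence property on the specification's None/Low/Med/High scale. The two sample objects, including their UUIDs, are constructed for this example.

```python
import re

# Timestamp shape STIX requires: RFC 3339 in UTC with a 'Z' suffix, optional fractional seconds.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")
ID_RE = re.compile(r"^malware--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")

REQUIRED_COMMON = ("type", "spec_version", "id", "created", "modified")
REQUIRED_MALWARE = ("is_family",)          # the one Malware-specific property 2.1 requires
RETIRED_20 = {"labels": "malware_types"}   # 2.0 property -> 2.1 replacement
LIST_PROPS = ("malware_types", "aliases", "capabilities", "sample_refs",
              "architecture_execution_envs", "implementation_languages")

# Normative None/Low/Med/High mapping from the STIX 2.1 confidence scales table.
CONFIDENCE_SCALE = (("None", 0, 0), ("Low", 1, 29), ("Med", 30, 69), ("High", 70, 100))


def confidence_label(obj):
    """Render an object's confidence on the None/Low/Med/High scale; absent means unspecified."""
    if "confidence" not in obj:
        return "unspecified"
    c = obj["confidence"]
    if isinstance(c, bool) or not isinstance(c, int) or not 0 <= c <= 100:
        raise ValueError("confidence must be an integer in the range 0-100")
    for label, low, high in CONFIDENCE_SCALE:
        if low <= c <= high:
            return label


def validate_malware_21(obj):
    """Return a list of problems found; an empty list means the object passes these checks."""
    errors = []
    for prop in REQUIRED_COMMON + REQUIRED_MALWARE:
        if prop not in obj:
            errors.append(f"missing required property '{prop}'")
    if obj.get("type") != "malware":
        errors.append("type must be 'malware'")
    if "spec_version" in obj and obj["spec_version"] != "2.1":
        errors.append("spec_version must be '2.1'")
    if "id" in obj and not ID_RE.match(obj["id"]):
        errors.append("id must have the form 'malware--<uuid>'")
    if "is_family" in obj and not isinstance(obj["is_family"], bool):
        errors.append("is_family must be a boolean")
    for old, new in RETIRED_20.items():
        if old in obj:
            errors.append(f"'{old}' is a STIX 2.0 property; use '{new}' in STIX 2.1")
    for prop in LIST_PROPS:
        value = obj.get(prop)
        if value is not None and (not isinstance(value, list)
                                  or not all(isinstance(v, str) for v in value)):
            errors.append(f"'{prop}' must be a list of strings")
    for prop in ("created", "modified", "first_seen", "last_seen"):
        if prop in obj and not TIMESTAMP_RE.match(str(obj[prop])):
            errors.append(f"'{prop}' is not a STIX timestamp")
    # Coarse ordering check on the YYYY-MM-DDTHH:MM:SS prefix (fractional seconds ignored).
    if "first_seen" in obj and "last_seen" in obj and str(obj["last_seen"])[:19] < str(obj["first_seen"])[:19]:
        errors.append("last_seen is earlier than first_seen")
    try:
        confidence_label(obj)
    except ValueError as exc:
        errors.append(str(exc))
    return errors


# Constructed sample: a Malware object as STIX 2.0 would have produced it.
MALWARE_20 = {
    "type": "malware",
    "id": "malware--3a5f0e12-9c4b-4d6e-8f1a-2b3c4d5e6f70",
    "created": "2017-06-01T09:00:00.000Z",
    "modified": "2017-06-01T09:00:00.000Z",
    "name": "ExampleLoader",
    "labels": ["downloader"],
}

# Constructed sample: the same malware expressed as a STIX 2.1 object.
MALWARE_21 = {
    "type": "malware",
    "spec_version": "2.1",
    "id": "malware--3a5f0e12-9c4b-4d6e-8f1a-2b3c4d5e6f70",
    "created": "2022-08-01T09:00:00.000Z",
    "modified": "2022-08-01T09:00:00.000Z",
    "name": "ExampleLoader",
    "malware_types": ["downloader"],
    "is_family": True,
    "aliases": ["ExLoader"],
    "first_seen": "2022-07-20T00:00:00Z",
    "last_seen": "2022-08-01T00:00:00Z",
    "capabilities": ["downloads-files"],
    "confidence": 85,
}

if __name__ == "__main__":
    print("2.0 object:", validate_malware_21(MALWARE_20))
    print("2.1 object:", validate_malware_21(MALWARE_21), confidence_label(MALWARE_21))
```

Running the block reports the 2.0-shaped object as missing spec_version and is_family and still carrying labels, while the 2.1 object passes and its confidence of 85 renders as High.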

STIX Cyber-Observable Objects are now Directly Related using STIX Relationship Objects

There was general agreement that relationships between observables were hard to express in STIX 2.0. Cyber observables did not stand on their own: they lived inside an Observed Data object's objects dictionary (the Cyber Observable Container), keyed by local strings such as "0" and "1", and an observable could only reference other observables within the same container. That produced a graph inside a graph, and the CTI Technical Committee (TC), which maintains STIX, agreed during the 2.1 work that this model could not serve important CTI use cases, for example relating an observable to an object outside its container or sighting the same observable across several reports. STIX 2.1 therefore makes SCOs top-level objects with their own identifiers (deterministic UUIDv5 ids derived from each object's ID-contributing properties, so two producers describing the same domain or address generate the same id), lets Observed Data point at them through object_refs, deprecates the objects container, and expresses relationships between SCOs as ordinary STIX Relationship Objects (SROs).

A Relationship Added from Indicator to Observed Data

STIX 2.1 added a relationship from Indicator to Observed Data called 'based-on', which records that the indicator was derived from information captured in an Observed Data object. For example, an indicator may be created from an observation of a spear-phishing email, or from analysis of a malware sample or of a threat actor's infrastructure, and the based-on relationship preserves that provenance.

Renamed Conflicting Properties

Once SCOs became top-level objects in STIX 2.1 they gained the common properties (created, modified and so on), so SCO-specific properties whose names clashed with them were renamed. On the Directory object (the properties common to a file system directory) and the File object (the properties of a file), created, modified and accessed became ctime, mtime and atime; on the Process object (an instance of a program executing on an operating system), created became created_time; and on the Windows Registry Key object, modified became modified_time.

Description Added to Sighting and Name to Location

STIX 2.1 added a description property to Sighting and a name property to Location. A Sighting records a belief that something in cyber threat intelligence (an indicator, tool, malware, threat actor and so on) was seen. Sightings are used to track who is being targeted, how attacks are carried out, and trends in attacker behavior. The Sighting object is a special SRO with extra properties that the generic Relationship object does not have, such as count (how many times something was seen), first_seen and last_seen, where_sighted_refs and observed_data_refs; conceptually, a Sighting can be thought of as a Relationship with a relationship_type of 'sighting-of'. The new description property provides additional details and context about the sighting.

Similarly, the Location object represents a geographic location. It is commonly used to give context to other SDOs, and it is defined in terms of a region, a country, or coordinates (latitude and longitude). The name property allows analysts to attach a specific name to the location associated with an incident.

SCO Relationships Made External

In STIX 2.1, relationships that STIX 2.0 embedded inside SCOs are now expressed as external SROs. The Domain Name, IPv4 Address and IPv6 Address objects are the main examples: the resolves_to_refs property on a domain name (the addresses it resolves to) and the resolves_to_refs and belongs_to_refs properties on IPv4 and IPv6 addresses (the MAC addresses they resolve to and the autonomous systems they belong to) are deprecated in favor of 'resolves-to' and 'belongs-to' Relationship objects. The address objects themselves are unchanged: an IPv4-Addr or IPv6-Addr still represents one or more addresses, with CIDR notation allowed.
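As an added example (not code from the original post or from Cyware) that ties together the container change, the based-on relationship and the externalized SCO relationships above, the following code migrates a STIX 2.0 Observed Data object into STIX 2.1 form: each embedded observable becomes a top-level SCO with a deterministic UUIDv5 id, the embedded resolves_to_refs/belongs_to_refs become 'resolves-to'/'belongs-to' SROs, the Observed Data switches to object_refs, and a 'based-on' relationship links an Indicator to the result. The sample Observed Data, the indicator id and the domain and address values are constructed for this example; the namespace UUID is the one the STIX 2.1 specification fixes for SCO ids, and only the value property is treated as ID-contributing because only domain-name and IP address objects are migrated here.

```python
import json
import uuid
from datetime import datetime, timezone

# Namespace the STIX 2.1 specification fixes for deterministic (UUIDv5) SCO identifiers.
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

# ID-contributing properties per SCO type (only the types this example migrates).
ID_CONTRIBUTING = {"domain-name": ("value",), "ipv4-addr": ("value",), "ipv6-addr": ("value",)}

# STIX 2.0 embedded reference property -> STIX 2.1 SRO relationship_type.
EMBEDDED_REFS = {"resolves_to_refs": "resolves-to", "belongs_to_refs": "belongs-to"}


def sco_id(sco):
    """2.1 identifier: UUIDv5 over the canonical JSON of the ID-contributing properties."""
    props = {k: sco[k] for k in ID_CONTRIBUTING[sco["type"]] if k in sco}
    canonical = json.dumps(props, sort_keys=True, separators=(",", ":"))
    return f"{sco['type']}--{uuid.uuid5(SCO_NAMESPACE, canonical)}"


def make_relationship(rel_type, source_ref, target_ref, now=None):
    """Build a STIX 2.1 Relationship SRO between two top-level objects."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "relationship",
        "spec_version": "2.1",
        "id": f"relationship--{uuid.uuid4()}",
        "created": stamp,
        "modified": stamp,
        "relationship_type": rel_type,
        "source_ref": source_ref,
        "target_ref": target_ref,
    }


def migrate_observed_data(od20):
    """Split a 2.0 Observed Data container into a 2.1 Observed Data plus top-level SCOs and SROs."""
    container = od20["objects"]                # 2.0: observables keyed by local strings "0", "1", ...
    local_to_id, scos = {}, []
    for key, obj in container.items():
        sco = {k: v for k, v in obj.items() if k not in EMBEDDED_REFS}  # drop deprecated *_refs
        sco["spec_version"] = "2.1"
        sco["id"] = sco_id(sco)
        local_to_id[key] = sco["id"]
        scos.append(sco)
    sros = []
    for key, obj in container.items():         # embedded references become external SROs
        for prop, rel_type in EMBEDDED_REFS.items():
            for target_key in obj.get(prop, []):
                sros.append(make_relationship(rel_type, local_to_id[key], local_to_id[target_key]))
    od21 = {k: v for k, v in od20.items() if k != "objects"}
    od21["spec_version"] = "2.1"
    od21["object_refs"] = [local_to_id[k] for k in sorted(container, key=int)]
    return od21, scos, sros


def migrate_to_bundle(od20, indicator_id):
    """Migrate and wrap everything, with a 'based-on' SRO from the indicator to the Observed Data."""
    od21, scos, sros = migrate_observed_data(od20)
    sros.append(make_relationship("based-on", indicator_id, od21["id"]))
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [od21, *scos, *sros]}


# Constructed sample input: a STIX 2.0 Observed Data with its Cyber Observable Container.
OBSERVED_DATA_20 = {
    "type": "observed-data",
    "id": "observed-data--1f1b3bb4-6c7b-4a2e-9b0e-7b8c0f9c5c1d",
    "created": "2020-01-15T10:30:00.000Z",
    "modified": "2020-01-15T10:30:00.000Z",
    "first_observed": "2020-01-15T10:00:00Z",
    "last_observed": "2020-01-15T10:00:00Z",
    "number_observed": 1,
    "objects": {
        "0": {"type": "domain-name", "value": "update.example.net", "resolves_to_refs": ["1"]},
        "1": {"type": "ipv4-addr", "value": "198.51.100.23"},
    },
}
# Constructed indicator id for the based-on relationship.
INDICATOR_ID = "indicator--7d0f2c4e-5a1b-4c3d-8e9f-0a1b2c3d4e5f"

if __name__ == "__main__":
    print(json.dumps(migrate_to_bundle(OBSERVED_DATA_20, INDICATOR_ID), indent=2))
```

Because the SCO ids are derived from the value property alone, re-running the migration (or migrating a second report that mentions the same domain) yields the same domain-name and ipv4-addr ids, which is exactly what lets a consumer merge observables from different producers without a container to scope them.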

Share and Receive Threat Intel in STIX 2.1 with Intel Exchange 

Cyware's Intel Exchange (CTIX), a next-generation threat intelligence platform (TIP), ingests, enriches, and analyzes threat data automatically and enables bi-directional threat intelligence sharing within your trusted network. Intel Exchange is compatible with STIX 2.1, whose richer object model provides more context around threats. Using these objects allows a user to go beyond indicators and observables to build a fuller picture of the actors targeting an organization and to form better-founded hypotheses about an attack. The improved capabilities let admins spend less time on data engineering and more time defending and scaling up their cyber defense.

Intel Exchange's hub-and-spoke model enables bidirectional threat data exchange. A central hub organization or team disseminates relevant intel to all connected entities, which act as spokes, while also ingesting data from them. The platform further integrates with multiple security tools across the network, extending protection to every detection, analysis, and response technology in real time.

To learn more about different threat data standardization formats and Intel Exchange features, book a free demo now!
