The modern cyberspace, with its increasingly complex attack scenarios and sophisticated modus operandi, is becoming more and more difficult to defend and secure. And given the evolving complexities of the threat landscape, the speed at which events occur, and the vast quantities of data involved, the need of the hour is a machine-readable and easily automatable system for Sharing Cyber Threat Intelligence (CTI) data.
This is where STIX and TAXII come into the picture.
STIX is a structured representation of threat information that is expressive, flexible, extensible, automatable, and readable. Using STIX feeds with TAXII enables organizations to exchange cyber threat intelligence in a more structured and standardized manner, allowing for deeper collaboration against threats.
In this article, we will explore the basics of STIX and TAXII and some of their applications in the cybersecurity space.
What is STIX?
STIX, as per the oasis guide, is “Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI)”.
It’s nothing but a standard defined by the community to share threat intel across various organizations. Using STIX, all aspects of a potential threat such as suspicion, compromise, and attack attribution can be represented clearly with objects and descriptive relationships. STIX is easy to read and consume because it is in the JSON format and it can also be integrated with other popular threat intel platforms such as QRADAR, ThreatConnect etc.
Applications of STIX
(UC1) Analyzing Cyber Threats
A security analyst analyses a variety of cyber threats from different sources every day. During which it is important to analyse various factors of a threat such as its behaviour, modes of operation, capabilities, threat actors etc. The STIX objects make it easier to represent all the data required for analysis easily.
(UC2) Specifying Indicator Patterns for Cyber Threats
An analyst often looks out for patterns in a cyber attack or a threat feed. This includes assessing the characteristics of the threat, the relevant set of observables (Indicators of Compromise (IOCs), attachments, files, IP addresses etc.), and suggested course of action. This data too can be represented well by assigning the required STIX objects to a threat.
(UC3) Managing Cyber Threat Response Activities
Remediating or preventing a cyber attack is the most important role of a security professional. After analysing the threat data, it is expected to plan a proper remedial action plan to safeguard one from future attacks. STIX enables analysts to plan remedial action.
What is TAXII?
TAXII, as per the oasis guide, is “Trusted Automated Exchange of Intelligence Information (TAXII™) and is an application protocol for exchanging CTI over HTTPS. ”
TAXII is a standard that defines a set of protocols for Client and Servers to exchange CTI along with a RESTful API (a set of services and message exchanges).
TAXII defines two primary services to support a variety of common sharing models
Collection: A server-provided repository of objects where TAXII Clients and Servers exchange information in a request-response model.
Channel: When there is more than one producer, and all the producers feed the objects onto the Channels which are then consumed by TAXII clients, TAXII Clients exchange information within a publish-subscribe model.
Note: The TAXII 2.1 specification reserves the keywords required for Channels but does not specify Channel services. Channels and their services will be defined in a later version of TAXII.
TAXII was specifically designed to support the exchange of CTI represented in STIX, and support for exchanging STIX 2.1 content. It is important to note that STIX and TAXII are independent standards and TAXII can be used to transport non-STIX data.
The three principal models for TAXII
1. Hub and spoke – one repository of information
2. Source/subscriber – one single source of information
3.Peer-to-peer – multiple groups share information
Upcoming…
In Part 2 we will delve deeper into STIX architecture, implementation, and usage, and dissect to get a deeper understanding of the different versions of TAXII, and their Client and Server implementations.
References: