Leveraging STIX and TAXII for better Cyber Threat Intelligence (Part 1)


The modern cyberspace, with its increasingly complex attack scenarios and sophisticated modus operandi, is becoming more and more difficult to defend and secure. Given the evolving complexities of the threat landscape, the speed at which events occur, and the vast quantities of data involved, the need of the hour is a machine-readable and easily automatable system for sharing Cyber Threat Intelligence (CTI) data.

This is where STIX and TAXII come into the picture.

STIX is a structured representation of threat information that is expressive, flexible, extensible, automatable, and readable. Using STIX feeds with TAXII enables organizations to exchange cyber threat intelligence in a more structured and standardized manner, allowing for deeper collaboration against threats.

In this article, we will explore the basics of STIX and TAXII and some of their applications in the cybersecurity space.

What is STIX?

As per the OASIS guide, “Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI)”.

It’s nothing but a standard defined by the community to share threat intel across various organizations. Using STIX, all aspects of a potential threat, such as suspicion, compromise, and attack attribution, can be represented clearly with objects and descriptive relationships. STIX is easy to read and consume because it is in JSON format, and it can also be integrated with other popular threat intel platforms such as QRadar, ThreatConnect, etc.

Applications of STIX

(UC1) Analyzing Cyber Threats

A security analyst analyses a variety of cyber threats from different sources every day, and it is important to analyse the various factors of each threat, such as its behaviour, modes of operation, capabilities, and threat actors. STIX objects make it easy to represent all the data required for this analysis.

(UC2) Specifying Indicator Patterns for Cyber Threats

An analyst often looks out for patterns in a cyber attack or a threat feed. This includes assessing the characteristics of the threat, the relevant set of observables (Indicators of Compromise (IOCs), attachments, files, IP addresses, etc.), and the suggested course of action. This data too can be represented well by assigning the required STIX objects to a threat.

(UC3) Managing Cyber Threat Response Activities

Remediating or preventing a cyber attack is the most important role of a security professional. After analysing the threat data, the analyst is expected to draw up a proper remedial action plan to safeguard the organization from future attacks. STIX enables analysts to plan remedial action.
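The three use cases above all come down to representing a threat as STIX objects plus relationships. As an added example that is not part of the original article, the following standard-library Python builds a minimal STIX 2.1 bundle (an Indicator carrying a detection pattern, a Malware object, and an "indicates" Relationship) and runs a few consistency checks before it would be shared; the object names and the domain are constructed.

```python
"""Build and sanity-check a minimal STIX 2.1 bundle using only the standard library."""
import json
import uuid
from datetime import datetime, timezone

def stix_timestamp():
    """STIX 2.1 timestamps: RFC 3339, UTC, millisecond precision, 'Z' suffix."""
    now = datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"

def sdo(obj_type, **props):
    """Common properties every STIX Domain/Relationship Object carries, plus type-specific ones."""
    ts = stix_timestamp()
    obj = {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
           "created": ts, "modified": ts}
    obj.update(props)
    return obj

def indicator(name, pattern):
    """Indicator SDO: the detection pattern (UC2) written in the STIX patterning language."""
    return sdo("indicator", name=name, pattern_type="stix", pattern=pattern,
               valid_from=stix_timestamp())

def relationship(source, target, rel_type):
    """Relationship object linking two SDOs, e.g. indicator -indicates-> malware."""
    return sdo("relationship", relationship_type=rel_type,
               source_ref=source["id"], target_ref=target["id"])

def bundle(*objects):
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}

def check_bundle(b):
    """Cheap consistency checks before sharing: well-formed ids, no dangling relationship refs."""
    ids = {o["id"] for o in b["objects"]}
    for o in b["objects"]:
        prefix, _, tail = o["id"].partition("--")
        uuid.UUID(tail)  # raises ValueError if the suffix is not a UUID
        if prefix != o["type"]:
            return False
        if o["type"] == "relationship" and not {o["source_ref"], o["target_ref"]} <= ids:
            return False
    return True

# Constructed sample: a C2 domain indicator tied to a malware object (names are made up).
IND = indicator("Constructed C2 domain", "[domain-name:value = 'c2.example.invalid']")
MAL = sdo("malware", name="Sample Loader", is_family=False)
REL = relationship(IND, MAL, "indicates")
BUNDLE = bundle(IND, MAL, REL)
STIX_JSON = json.dumps(BUNDLE, indent=2)  # what would be pushed to a TAXII Collection
```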

What is TAXII?

As per the OASIS guide, “Trusted Automated Exchange of Intelligence Information (TAXII™) is an application protocol for exchanging CTI over HTTPS.”

TAXII is a standard that defines a set of protocols for Clients and Servers to exchange CTI, along with a RESTful API (a set of services and message exchanges).

TAXII defines two primary services to support a variety of common sharing models:

Collection: A server-provided repository of objects through which TAXII Clients and Servers exchange information in a request-response model.

Channel: When there is more than one producer, all the producers feed objects onto Channels, which are then consumed by TAXII Clients; here Clients exchange information within a publish-subscribe model.

The TAXII 2.1 specification reserves the keywords required for Channels but does not specify Channel services. Channels and their services will be defined in a later version of TAXII.


TAXII was specifically designed to support the exchange of CTI represented in STIX, including support for exchanging STIX 2.1 content. It is important to note that STIX and TAXII are independent standards, and TAXII can be used to transport non-STIX data.
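In the request-response Collection model, a client reads objects from a Collection over HTTPS and the server answers with a TAXII 2.1 envelope that may span several pages. The Python below is an added example, not code from the article or from any TAXII implementation: it shows the media type a 2.1 client asks for, parses a constructed two-page envelope response, follows the "next" token until "more" is false, and extracts the STIX indicator patterns; the `{api-root}` and `{collection-id}` in the comment and the page tokens are placeholders.

```python
"""Read a TAXII 2.1 Collection page by page and pull out STIX indicator patterns."""
import json

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"

def request_headers():
    """Headers a TAXII 2.1 client sends to the objects endpoint of a Collection."""
    return {"Accept": TAXII_MEDIA_TYPE}

def parse_envelope(body):
    """Parse one TAXII 2.1 envelope; return (objects, next-token or None when no more pages)."""
    env = json.loads(body)
    more = bool(env.get("more", False))
    nxt = env.get("next")
    if more and nxt is None:
        raise ValueError("envelope has more=true but no 'next' token")
    return env.get("objects", []), (nxt if more else None)

# Constructed sample: two pages a server returns for
#   GET {api-root}/collections/{collection-id}/objects/?limit=2   (then ...&next=page-2)
PAGES = {
    None: json.dumps({"more": True, "next": "page-2", "objects": [
        {"type": "indicator", "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'c2.example.invalid']"},
        {"type": "malware", "id": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
         "name": "Sample Loader", "is_family": False}]}),
    "page-2": json.dumps({"more": False, "objects": [
        {"type": "indicator", "id": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '192.0.2.10']"}]}),
}

def fetch_page(next_token=None):
    """Stand-in for the HTTPS GET (offline); a real client would send request_headers()."""
    return PAGES[next_token]

def collect_indicator_patterns(fetch=fetch_page):
    """Follow 'next' until more=false; return the STIX pattern of every indicator seen."""
    patterns, token, seen = [], None, set()
    while True:
        objects, token = parse_envelope(fetch(token))
        patterns.extend(o["pattern"] for o in objects
                        if o.get("type") == "indicator" and o.get("pattern_type") == "stix")
        if token is None or token in seen:  # done, or a server that loops its tokens
            return patterns
        seen.add(token)
```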

The three principal models for TAXII

1. Hub and spoke – one repository of information
2. Source/subscriber – one single source of information
3. Peer-to-peer – multiple groups share information

Upcoming…

In Part 2 we will delve deeper into STIX architecture, implementation, and usage, and dissect the different versions of TAXII and their Client and Server implementations to get a deeper understanding.

References:

  1. https://oasis-open.github.io/cti-documentation/taxii/intro.html
  2. https://oasis-open.github.io/cti-documentation/stix/intro
  3. https://www.first.org/resources/papers/munich2016/wunder-stix-taxii-Overview.pdf
  4. https://stixproject.github.io
Anjana Sathyan, Lead, Client Engagement team, CloudSEK