STIX/TAXII: Unveiling Cyber Threat Intelligence

28/08/2018

In today's interconnected digital landscape, cyber threats are a constant reality rather than a possibility. From nation-state intrusions to opportunistic ransomware campaigns, organisations face a relentless barrage of malicious activity. Defending against them requires timely, relevant, and actionable cyber threat intelligence (CTI). Having intelligence is not enough, though: it has to be shared and consumed efficiently across diverse security tools and platforms. This is where STIX and TAXII come in, providing a standardised, automated framework for exchanging threat information.

Imagine a world where every security device, every analyst, and every organisation speaks a different language when describing a cyber attack. The chaos would be immense, and the response painfully slow. STIX and TAXII address this fundamental challenge, providing a common vocabulary and a reliable delivery mechanism for threat intelligence. They are the backbone of modern, collaborative cyber defence, enabling a more proactive and unified stance against digital adversaries.

What Exactly is STIX? The Language of Threats

STIX, Structured Threat Information eXpression, is more than a data format: it is a standardised language for describing cyber threat information. It was originally developed by MITRE and is now maintained by the OASIS Cyber Threat Intelligence (CTI) Technical Committee, which publishes it as an open standard. It has been adopted by intelligence-sharing communities and organisations worldwide.

The purpose of STIX is to provide a formal, unambiguous way to describe the many facets of a cyber threat, so that when intelligence is shared, every party interprets it the same way. In practice, STIX can describe:

  • Indicators of Compromise (IoCs): Observable artefacts found on a network or operating system that indicate a compromise has occurred. Examples include malicious IP addresses, domain names, file hashes, and email addresses.
  • Attack Patterns and Tactics, Techniques, and Procedures (TTPs): The methods and behaviours used by adversaries to carry out their attacks. This can range from specific malware execution methods to broader campaign strategies.
  • Campaigns: Sets of adversarial behaviours and attack patterns that are linked together and manifest in a coordinated series of attacks.
  • Threat Actors: The individuals or groups responsible for cyber attacks, including their motivations, capabilities, and typical targets.
  • Vulnerabilities: Weaknesses in systems or software that can be exploited by threat actors.
  • Incidents: Specific occurrences of a security breach or compromise.
  • Courses of Action: Recommended steps to mitigate or respond to a threat.

By providing structured fields for each of these elements and defining the relationships between them, STIX ensures that machine-readable and human-understandable threat intelligence can be created, consumed, and processed with high fidelity. STIX 1.x serialised this as XML; STIX 2.x, the current version, uses JSON objects linked by explicit relationship objects, and is what most current tooling consumes. This standardisation is what makes automation possible and reduces the scope for misinterpretation.
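As an added example (not code from the article or from any STIX library), the list above made concrete: a STIX 2.1 bundle for a phishing campaign built with only the Python standard library so the JSON wire format is visible, followed by the checks a consumer should run before loading its indicators into a SIEM. All values (domain, IP, hash, address) are constructed samples from documentation ranges, not real threat data.

```python
"""Added example (not from the article): build a STIX 2.1 bundle for a phishing
campaign with the standard library only, so the JSON wire format is visible,
then run the checks a consumer should apply before loading its indicators into
a SIEM.  Every value (domain, IP, hash, address) is a constructed sample."""
import json
import re
import uuid
from datetime import datetime, timezone


def stix_id(obj_type):
    """STIX 2.x identifiers are '<type>--<UUID>'; 2.1 uses UUIDv4 for these objects."""
    return f"{obj_type}--{uuid.uuid4()}"


def stix_timestamp():
    """RFC 3339 UTC with millisecond precision and a trailing 'Z', as STIX requires."""
    now = datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"


def stix_object(obj_type, **props):
    """Common properties shared by every STIX Domain/Relationship Object, plus specifics."""
    ts = stix_timestamp()
    return {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type),
            "created": ts, "modified": ts, **props}


def make_indicator(name, pattern):
    """The pattern is a STIX Patterning expression, not a bare IoC string."""
    return stix_object("indicator", name=name, indicator_types=["malicious-activity"],
                       pattern=pattern, pattern_type="stix", valid_from=stix_timestamp())


def build_phishing_bundle():
    """Campaign object plus the indicators that point at it, linked by 'indicates' SROs."""
    campaign = stix_object("campaign", name="Invoice-themed credential phishing (constructed)")
    indicators = [
        make_indicator("Phishing landing domain", "[domain-name:value = 'invoice-portal.example']"),
        make_indicator("Phishing host", "[ipv4-addr:value = '198.51.100.23']"),
        make_indicator("Credential stealer dropper", "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"),
        make_indicator("Sender address", "[email-addr:value = 'billing@invoice-portal.example']"),
    ]
    relationships = [stix_object("relationship", relationship_type="indicates",
                                 source_ref=i["id"], target_ref=campaign["id"]) for i in indicators]
    # A bundle is only a transport wrapper; in 2.1 it carries no spec_version of its own.
    return {"type": "bundle", "id": stix_id("bundle"),
            "objects": [campaign, *indicators, *relationships]}


_ID_RE = re.compile(r"^([a-z0-9-]+)--[0-9a-f-]{36}$")
# One equality comparison inside a pattern, e.g.  ipv4-addr:value = '198.51.100.23'
_COMPARISON_RE = re.compile(r"([a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'")


def validate_bundle(bundle):
    """Consumer-side checks before trusting feed content: each id carries its own type
    prefix, indicators have their required fields, and every relationship resolves."""
    problems, ids = [], {o.get("id") for o in bundle.get("objects", [])}
    for obj in bundle.get("objects", []):
        m = _ID_RE.match(obj.get("id", ""))
        if not m or m.group(1) != obj.get("type"):
            problems.append(f"id/type mismatch: {obj.get('id')!r}")
        if obj.get("type") == "indicator" and not {"pattern", "pattern_type", "valid_from"}.issubset(obj):
            problems.append(f"incomplete indicator: {obj.get('id')}")
        if obj.get("type") == "relationship":
            problems += [f"dangling reference: {r}" for r in (obj["source_ref"], obj["target_ref"]) if r not in ids]
    return problems


def extract_iocs(bundle):
    """Map observable path -> values from every 'stix' pattern.  Only the simple
    '[path = value]' form is handled; compound patterns need a real pattern parser."""
    iocs = {}
    for obj in bundle["objects"]:
        if obj.get("type") == "indicator" and obj.get("pattern_type") == "stix":
            for path, value in _COMPARISON_RE.findall(obj["pattern"]):
                iocs.setdefault(path, []).append(value)
    return iocs


if __name__ == "__main__":
    bundle = json.loads(json.dumps(build_phishing_bundle()))  # round-trip through the wire format
    print("problems:", validate_bundle(bundle))
    print("IoCs:", extract_iocs(bundle))
```

Note that an Indicator carries a STIX pattern such as `[ipv4-addr:value = '198.51.100.23']`, not a bare IoC string, and that the "who" and "why" context arrives as separate Relationship objects rather than as fields on the indicator. `extract_iocs` handles only the single-comparison form; a production consumer should use a proper STIX pattern parser, and `validate_bundle` is the minimum worth running on objects that arrived from a third party before they reach a blocking control.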

What is TAXII? The Delivery Service for Intelligence

If STIX is the descriptive language for cyber threats, TAXII is the delivery mechanism. The name stood for Trusted Automated eXchange of Indicator Information in TAXII 1.x and was changed to Trusted Automated Exchange of Intelligence Information in TAXII 2.x. TAXII is a set of open specifications, also maintained by OASIS, that define how cyber threat information is exchanged automatically over HTTPS. It acts as the transport layer for STIX content, enabling timely dissemination of intelligence between organisations, security devices, and threat intelligence platforms.

TAXII is designed to facilitate automated, machine-to-machine exchange. This means that instead of relying on manual processes like email attachments or ad-hoc file transfers, organisations can set up automated feeds that constantly update their security systems with the latest threat intelligence. This automation is a cornerstone of proactive cyber defence, as it drastically reduces the time between threat discovery and defensive action.

TAXII 1.x defines four services:

  • Discovery Service: Lets a TAXII client find out which services a server offers and where they are located.
  • Collection Management Service: Lets clients list the collections (named groupings of content) available from a server and manage subscriptions to them.
  • Poll Service: The pull model, and the primary way clients retrieve intelligence. A client requests the content of a collection, optionally bounded by begin and end timestamps so that only content added since the last poll is returned.
  • Inbox Service: The push model. A producer sends content to a consumer's inbox, so a server can deliver intelligence to subscribers without waiting to be polled.

TAXII 2.x replaced these message-based services with a RESTful JSON API over HTTPS: a discovery endpoint that lists API roots, a collections endpoint under each root, and an objects endpoint per collection that supports filtering (for example by type and by added_after timestamp) and paging. Pushing in 2.x is done by POSTing STIX objects to a writable collection. In both versions polling is the dominant deployment model, but the push path exists for cases where intelligence must reach subscribers immediately, so organisations can fit TAXII into existing workflows either way.

The Synergy: How STIX and TAXII Work Together

The true power of cyber threat intelligence is unleashed when STIX and TAXII are used in conjunction. STIX defines what the threat intelligence is, providing its structure and meaning, while TAXII defines how that intelligence is delivered and exchanged. They are two halves of a complete, powerful solution for CTI sharing.

Consider a practical scenario. An Information Sharing and Analysis Center (ISAC) identifies a new phishing campaign targeting a specific industry sector. Using STIX, the ISAC describes every pertinent detail: the malicious URLs, the sender email addresses, the tactics used (spear phishing, credential harvesting), and the observed victimology. This structured information is packaged for transport as a STIX Package (STIX 1.x) or Bundle (STIX 2.x).

Next, using TAXII, the ISAC acts as a threat intelligence provider, making this STIX-formatted intelligence available through its TAXII server. Member companies of the ISAC, acting as TAXII clients, then connect to this server. They might poll specific collections relevant to their industry or particular threat types. Once retrieved, this STIX intelligence can then be fed into their internal security devices – such as Security Information and Event Management (SIEM) systems, Intrusion Detection/Prevention Systems (IDS/IPS), or Endpoint Detection and Response (EDR) solutions. Some organisations might first ingest it into a dedicated threat intelligence platform for further enrichment and analysis before dissemination to their security tools. This entire process, from threat discovery to defensive action, can be largely automated, significantly reducing response times and enhancing overall security posture.

Benefits of the STIX/TAXII Framework

The combined force of STIX and TAXII offers a multitude of benefits for organisations seeking to bolster their cyber defences:

  • Enhanced Automation: Automates the exchange of threat intelligence, eliminating manual processes and allowing security teams to focus on analysis and response.
  • Improved Interoperability: Provides a common language and transport mechanism, enabling different security products and organisations to share and understand threat data seamlessly.
  • Faster Response Times: Rapid dissemination of intelligence means security devices can be updated almost instantly, allowing for quicker detection and blocking of new threats.
  • Collaborative Defence: Facilitates collective defence by enabling secure and efficient sharing of intelligence between trusted parties, such as ISACs, government agencies, and industry partners.
  • Reduced Costs: By automating intelligence ingestion, it reduces the need for extensive manual analysis and integration efforts, freeing up valuable human resources.
  • Richer Context: STIX's structured nature ensures that intelligence is shared with rich context, explaining not just 'what' an indicator is, but also 'who' is behind it, 'how' they operate, and 'why' it's relevant.

Implementing STIX/TAXII: Getting Started

For organisations looking to leverage STIX/TAXII, the implementation typically involves configuring a TAXII client to connect to a TAXII server. Many commercial and open-source threat intelligence platforms and security tools now offer native STIX/TAXII integration.

A typical setup involves:

  1. Identifying a TAXII Feed: This could be a public feed, a commercial intelligence provider, an ISAC, or an internal organisational server.
  2. Obtaining Connection Details: This is a Discovery URL and usually credentials, typically a username and password or an API key.
  3. Configuring Your TAXII Client: Inputting the connection details into your chosen client application.
  4. Selecting Collections: Choosing which specific threat intelligence collections you wish to subscribe to.
  5. Defining Polling Frequency: Setting how often your client should check for new intelligence.

The specifications define the exchange itself, not how often a client polls or how it hands the result to downstream tools; those are client configuration and differ between products. Some clients poll every minute, others every hour, so test the cadence your environment needs. Two practical points follow. First, because polls are bounded by timestamps (begin and end in TAXII 1.x, added_after in TAXII 2.x), a slow cadence only adds latency; it does not lose content, provided the client records where the last poll ended. Second, the feed connection carries both your credentials and the indicators you will act on, so validate the server's TLS certificate and treat the API key as a secret.
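The setup steps above and the ISAC exchange described earlier, carried through as an added example that is not code from the article, OTX, Anomali or cabby. It assumes a TAXII 2.1 server (the current OASIS version, a REST API over HTTPS; the OTX and Limo endpoints quoted on this page speak TAXII 1.x) at the made-up host taxii.example, a made-up collection id, and an API key supplied as the HTTP Basic username. FakeTaxiiServer is a constructed stand-in with made-up timestamps and indicators so the whole exchange runs offline; urllib_transport is the transport to use against a real server.

```python
"""Added example: a minimal TAXII 2.1 consumer that walks discovery -> API root
-> collections -> objects, pages through results and keeps an added_after cursor
so repeated polls return only new objects.  FakeTaxiiServer is a constructed
stand-in (made-up host, collection id, timestamps, indicators) for offline use."""
import base64
import json
import urllib.parse
import urllib.request

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"


class TaxiiClient:
    def __init__(self, discovery_url, username, password, transport):
        if not discovery_url.startswith("https://"):
            raise ValueError("refusing non-HTTPS URL: credentials would travel in clear")
        self.discovery_url, self.transport, self.cursor = discovery_url, transport, None
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Accept": TAXII_MEDIA_TYPE,  # 2.1 servers must support HTTP Basic;
                        "Authorization": f"Basic {token}"}  # an API key goes in as the username

    def _get(self, url, params=None):
        status, headers, body = self.transport(url, params or {}, self.headers)
        if status != 200 or not headers.get("Content-Type", "").startswith("application/taxii+json"):
            raise RuntimeError(f"{url}: HTTP {status}, Content-Type {headers.get('Content-Type')!r}")
        return headers, body

    def discover(self):
        return self._get(self.discovery_url)[1]["api_roots"]

    def collections(self, api_root):
        return [c for c in self._get(api_root + "collections/")[1]["collections"] if c.get("can_read")]

    def poll(self, api_root, collection_id, object_type="indicator", limit=100):
        """Fetch everything added since the last poll, following 'next' pages."""
        url = f"{api_root}collections/{collection_id}/objects/"
        params = {"limit": str(limit), "match[type]": object_type}
        if self.cursor:
            params["added_after"] = self.cursor  # server-side filter: only objects newer than the cursor
        objects = []
        while True:
            headers, body = self._get(url, params)
            objects.extend(body.get("objects", []))
            if "X-TAXII-Date-Added-Last" in headers:
                self.cursor = headers["X-TAXII-Date-Added-Last"]
            if not body.get("more"):
                return objects
            params = dict(params, next=body["next"])


def urllib_transport(url, params, headers):
    """Transport for a live server; urlopen validates the TLS certificate by default."""
    req = urllib.request.Request(url + ("?" + urllib.parse.urlencode(params) if params else ""), headers=headers)
    with urllib.request.urlopen(req, timeout=30) as r:
        return r.status, dict(r.headers), json.loads(r.read())


class FakeTaxiiServer:
    """Constructed TAXII 2.1 server: one readable collection, page size 2, three indicators."""
    ROOT, COLL = "https://taxii.example/api1/", "5e3c2f8a-1d1b-4c33-9f60-0a6b8c5d2e11"
    JSON = {"Content-Type": TAXII_MEDIA_TYPE}

    def __init__(self):
        self.objects = [self.indicator(n, f"2018-08-28T10:00:0{n}.000Z") for n in (1, 2, 3)]

    @staticmethod
    def indicator(n, added):
        return added, {"type": "indicator", "spec_version": "2.1", "created": added, "modified": added,
                       "id": f"indicator--0000000{n}-0000-4000-8000-000000000000", "valid_from": added,
                       "pattern_type": "stix", "pattern": f"[ipv4-addr:value = '198.51.100.{n}']"}

    def __call__(self, url, params, headers):
        if url == "https://taxii.example/taxii2/":
            return 200, self.JSON, {"title": "Fake ISAC feed", "api_roots": [self.ROOT]}
        if url == self.ROOT + "collections/":
            return 200, self.JSON, {"collections": [{"id": self.COLL, "title": "Phishing IoCs", "can_read": True,
                                    "can_write": False, "media_types": ["application/stix+json;version=2.1"]}]}
        if url == f"{self.ROOT}collections/{self.COLL}/objects/":
            rows = [r for r in self.objects if r[0] > params.get("added_after", "")]  # fixed-width RFC 3339
            start, size = int(params.get("next", 0)), min(int(params.get("limit", 100)), 2)
            page, more = rows[start:start + size], start + size < len(rows)
            hdrs = dict(self.JSON, **({"X-TAXII-Date-Added-Last": page[-1][0]} if page else {}))
            return 200, hdrs, {"more": more, "objects": [o for _, o in page],
                               **({"next": str(start + size)} if more else {})}
        return 404, self.JSON, {"title": "Not Found"}


def run_demo():
    """Initial sync (3 objects over 2 pages), an idle poll, then one newly added object."""
    server = FakeTaxiiServer()
    client = TaxiiClient("https://taxii.example/taxii2/", "my-api-key", "", server)
    root = client.discover()[0]
    coll = client.collections(root)[0]["id"]
    first = client.poll(root, coll)
    second = client.poll(root, coll)  # cursor is now 10:00:03, so nothing comes back
    server.objects.append(server.indicator(4, "2018-08-28T10:05:00.000Z"))
    third = client.poll(root, coll)
    return first, second, third, client.cursor
```

The second poll returns nothing because the client carries the `X-TAXII-Date-Added-Last` value forward as `added_after`; that cursor, not the polling interval, is what keeps the feed complete, so persist it across restarts. Against a live server, construct `TaxiiClient(discovery_url, api_key, "", urllib_transport)`; the client refuses plain-HTTP URLs and any response that is not TAXII JSON, which catches captive portals and misconfigured proxies before their content reaches a security tool.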

Case Study: AlienVault OTX as a STIX/TAXII Hub

AlienVault Open Threat Exchange (OTX) exemplifies a practical application of STIX/TAXII. OTX has evolved to function as both a STIX/TAXII feed (server) and a platform, allowing users to consume threat intelligence and even deliver their own private intelligence.

To consume the OTX STIX/TAXII feed, users need to configure their TAXII client with specific details:

  • Discovery URL: https://otx.alienvault.com/taxii/discovery
  • Username: Your OTX API key
  • Password: (Blank)

Once connected, users can explore the available services and collections. Tools like cabby, an open-source Python TAXII 1.x client with a command-line interface, are useful for testing and exploration:

  • taxii-discovery: Reveals services offered by the OTX TAXII endpoint.
  • taxii-collections: Lists available threat intelligence collections, which can vary based on user access and API key.
  • taxii-poll: Retrieves threat intelligence from a specific collection, allowing users to fetch updates from a certain date and time.

Beyond consumption, OTX also empowers users to deliver their own intelligence. Through OTX's group functionality, organisations can store threat intelligence privately and share it with specified individuals or entities. This private intelligence can then be delivered via STIX/TAXII to their own internal security devices or, for service providers, to their customers. This demonstrates the versatility of STIX/TAXII not just for receiving public feeds but also for internal and private intelligence sharing.

Another Example: Anomali Limo Service

Anomali's 'Limo' service offers another example of a free, accessible TAXII service. Drawing an analogy to a luxurious ride, Limo aims to provide a smooth ride through the threat landscape. It is built on a variety of threat intelligence feeds, harvested from sources such as Anomali Labs research, the Modern Honey Network, and various open-source feeds.

Crucially, Anomali's Limo service is fully STIX/TAXII compliant. This ensures that the intelligence provided is easily digestible by any compliant TAXII client, making it straightforward to collect and integrate into existing security infrastructures. The feeds are regularly updated, ensuring users receive the most relevant and current threat information.

Unlike a real limousine service, Anomali Limo is entirely free and highly accessible. For users of Anomali STAXX, Limo is preconfigured, allowing for immediate access to its intelligence feeds. For those using other TAXII clients, configuring access is simple:

  • Point your client to the discovery service URL: https://limo.anomali.com/api/v1/taxii/taxii-discovery-service/
  • Use guest as the username and guest as the password.

This commitment to free, accessible, and compliant threat intelligence highlights the growing recognition of STIX/TAXII as a vital component in democratising cyber defence capabilities.

Challenges and Considerations

While STIX/TAXII offers immense advantages, there are some considerations:

  • Client Implementation Variability: The specifications fix the exchange itself, but polling cadence, de-duplication, and error handling are left to each client, so behaviour differs between products and needs testing in your own environment.
  • Data Volume: As threat intelligence feeds can be voluminous, organisations need adequate infrastructure to store and process the incoming data efficiently.
  • Integration Complexity: While STIX/TAXII standardises the exchange, integrating the consumed intelligence into diverse security tools (SIEM, EDR, firewalls) still requires careful mapping and configuration specific to each product.
  • Contextual Relevance: Simply consuming raw intelligence isn't enough. Organisations must filter, prioritise, and contextualise what they receive to make it actionable for their environment. Feed indicators are also third-party data: an IP address or domain on shared hosting or a cloud platform may be listed because one tenant was malicious, so auto-blocking straight from a feed without an allow-list and a confidence threshold is a common cause of self-inflicted outages.

Conceptual Comparison: Manual vs. STIX/TAXII Threat Intelligence Exchange

Feature                 | Manual threat intelligence exchange                            | STIX/TAXII threat intelligence exchange
Format                  | Varied (PDF reports, emails, spreadsheets, unstructured text)  | Standardised (STIX 1.x XML, STIX 2.x JSON)
Exchange method         | Email, file transfer, web downloads                            | Automated via TAXII over HTTPS
Speed of dissemination  | Slow, reliant on human intervention                            | Rapid, near real-time automation
Interoperability        | Low, requires manual parsing/translation                       | High, machine-readable and parsable
Scalability             | Limited, resource-intensive for large volumes                  | High, designed for large-scale exchange
Context                 | Can be lost or inconsistent                                    | Rich, structured context maintained
Human effort            | High for processing and integration                            | Low for processing, higher for initial setup
Error rate              | Higher due to manual handling                                  | Lower due to automation and standardisation

Frequently Asked Questions About STIX/TAXII

Q: Why is STIX/TAXII important for modern cyber defence?

A: STIX/TAXII is crucial because it provides a standardised, automated, and efficient way to share cyber threat intelligence. In a rapidly evolving threat landscape, manual intelligence sharing is too slow and prone to errors. STIX/TAXII enables organisations to receive timely, machine-readable threat data directly into their security systems, facilitating faster detection, analysis, and response to emerging threats.

Q: Can I use STIX without TAXII?

A: Yes, it is possible to use STIX without TAXII. STIX is fundamentally a data format, and STIX-formatted intelligence can be shared through other means, such as email attachments, file transfers, or even within other platforms. However, TAXII is specifically designed as the optimal transport mechanism for STIX, providing automated, secure, and scalable exchange capabilities that other methods often lack.

Q: What kind of information can be shared via STIX/TAXII?

A: STIX/TAXII can be used to share a wide array of cyber threat information. This includes, but is not limited to, Indicators of Compromise (IoCs) like malicious IP addresses and file hashes, descriptions of attack patterns (TTPs), details about threat actors and campaigns, incident reports, and recommended courses of action for mitigation and response.

Q: Is it difficult to set up STIX/TAXII?

A: The initial setup of a STIX/TAXII client to consume public feeds can be relatively straightforward, especially with modern security products that offer native integration. Setting up a STIX/TAXII server or integrating complex intelligence flows into diverse security tools can require more technical expertise. However, the long-term benefits of automation typically outweigh the initial setup effort.

Q: Are there free resources or feeds available for STIX/TAXII?

A: Yes, there are several free resources and public feeds available. Examples include AlienVault OTX (as discussed in the article), Anomali Limo, and various government or community-driven threat intelligence sharing initiatives. These free resources are excellent starting points for organisations looking to explore the benefits of STIX/TAXII without significant investment.

Q: What are the benefits of STIX/TAXII for smaller organisations?

A: For smaller organisations, STIX/TAXII can be particularly beneficial. It allows them to leverage threat intelligence that might otherwise be out of reach due to limited resources for manual collection and analysis. By subscribing to automated STIX/TAXII feeds, even small teams can gain access to high-quality, up-to-date threat indicators, significantly improving their defensive capabilities without needing extensive in-house expertise or large budgets.

Conclusion

STIX and TAXII represent a monumental leap forward in the realm of cyber threat intelligence. By providing a common language and an automated delivery mechanism, they transform the often chaotic and manual process of intelligence sharing into a streamlined, efficient, and highly effective operation. For organisations of all sizes, embracing STIX and TAXII is no longer just an advantage; it's becoming a fundamental requirement for building a resilient and proactive cyber defence posture in the face of ever-increasing digital threats. The ability to seamlessly share and consume cyber threat intelligence is the cornerstone of collective security, and STIX/TAXII is the essential framework making that possible.
