What is TAXII?

Understanding TAXII for Cyber Threat Sharing

05/07/2024


In the ever-evolving landscape of cybersecurity, the ability to swiftly and effectively share information about emerging threats is paramount. Security Threat Intelligence Standards, particularly STIX (Structured Threat Information Expression) and TAXII (Trusted Automated eXchange of Indicator Information), play a crucial role in enabling Security Operations Centres (SOCs) to maintain uninterrupted operations through a collaborative and unified strategy against cyber-attacks. Organisations like MITRE are at the forefront of this effort, working with industry and government bodies to establish common cybersecurity approaches. This includes providing registries for baseline security data, developing standardised languages for accurate communication of threat information, and defining best practices for their utilisation. A notable early contribution from MITRE in this domain was the Common Vulnerabilities and Exposures (CVE®), which established a standard for naming vulnerabilities, allowing for seamless integration and linking across security devices, programs, and entities. This interoperability is evidenced by its adoption in over 100 products and services from more than 75 vendors.


The Pillars of Cyber Threat Intelligence: STIX and TAXII

MITRE's ongoing commitment to enhancing cyber defence is evident in its current work on two foundational projects for exchanging cyber threat information: TAXII and STIX. These initiatives, funded by the United States Department of Homeland Security, are designed to create a more robust and coordinated defence against cyber threats.

What is STIX?

STIX, developed by MITRE in collaboration with the OASIS Cyber Threat Intelligence (CTI) Technical Committee, is an internationally recognised language and serialization format. It is specifically designed to describe cyber threat information, making it an indispensable tool for intelligence exchange groups and organisations. The STIX 2.1 standard introduced STIX Domain Objects (SDOs), an object-based methodology for organising threat data. This approach simplifies the process of extracting the necessary details for network security assessments. These SDOs are further connected through STIX Relationship Objects (SROs), which clarify the connections between different objects, thereby providing a comprehensive view of a threat. Currently, there are 18 distinct STIX objects available, each designed to identify specific types of threat data. These objects can be grouped or linked to illustrate various relationships, aiding in the precise classification of threats.

Key STIX Objects:

  • Attack Pattern: Describes the methods attackers employ to breach targets.
  • Campaign: Encompasses a series of malicious actions taken over time against specific targets.
  • Course of Action: Recommendations for steps to take in response to threat intelligence.
  • Grouping: Asserts that referenced STIX Objects share a common context.
  • Identity: Represents people, organisations, programmes, or groups.
  • Indicator: Contains patterns used to detect malicious cyber activity.
  • Infrastructure: Defines the physical or virtual resources used in attacks (e.g., C2 servers).
  • Intrusion Set: Groups adversarial activities and services believed to be coordinated by a single entity.
  • Location: Specifies a geographic location.
  • Malware: Represents malicious code.
  • Malware Analysis: Metadata and effects derived from analysing malware.
  • Note: Provides additional descriptive text for context.
  • Observed Data: Conveys information about cybersecurity-related entities using STIX Cyber-observable Objects (SCOs).
  • Opinion: An assessment of the accuracy of knowledge within a STIX Object.
  • Report: A collection of security intelligence on specific areas, such as threat actors or attack strategies.
  • Threat Actor: Identifies individuals, organisations, or entities suspected of malicious actions.
  • Tool: Legitimate tools leveraged by threat groups for attacks.
  • Vulnerability: A flaw in software that can be exploited by attackers.

STIX Relationship Objects (SROs):

  • Relationship: Defines how two SDOs or SCOs are connected.
  • Sighting: Indicates that a specific piece of CTI has been identified (e.g., an indicator, malware, threat actor).
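To make the object model above concrete, here is an added example (not MITRE or OASIS code) that builds a small STIX 2.1 graph with the standard library only: an Indicator carrying a detection pattern, a Malware object, a Relationship SRO linking them with `indicates`, and a Sighting SRO recording that the indicator was observed. The `build_example_bundle`, `related_to` and other helper names, the hash value and the malware name are constructed for illustration.

```python
"""Build and link STIX 2.1 objects with the standard library only.

Hypothetical example, not MITRE/OASIS reference code: constructs an
Indicator, a Malware object, a Relationship joining them and a Sighting,
wraps them in a Bundle and walks the relationship graph.
"""
import json
import uuid
from datetime import datetime, timezone
from typing import Optional

SPEC_VERSION = "2.1"


def stix_id(obj_type: str) -> str:
    """STIX 2.1 identifiers have the form '<type>--<UUID>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def stix_timestamp(ts: Optional[datetime] = None) -> str:
    """RFC 3339 UTC timestamp with millisecond precision and a 'Z' suffix."""
    ts = ts or datetime.now(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"


def make_object(obj_type: str, **props) -> dict:
    """Common properties shared by every STIX Domain and Relationship Object."""
    now = stix_timestamp()
    base = {"type": obj_type, "spec_version": SPEC_VERSION, "id": stix_id(obj_type),
            "created": now, "modified": now}
    base.update(props)
    return base


def make_indicator(pattern: str, name: str, valid_from: str) -> dict:
    # indicator_types, pattern, pattern_type and valid_from are required in 2.1
    return make_object("indicator", name=name, indicator_types=["malicious-activity"],
                       pattern=pattern, pattern_type="stix", valid_from=valid_from)


def make_malware(name: str, is_family: bool = False) -> dict:
    return make_object("malware", name=name, is_family=is_family, malware_types=["unknown"])


def make_relationship(source: dict, rel_type: str, target: dict) -> dict:
    # A Relationship SRO points from source_ref to target_ref
    return make_object("relationship", relationship_type=rel_type,
                       source_ref=source["id"], target_ref=target["id"])


def make_sighting(sighted: dict, count: int, first_seen: str) -> dict:
    # A Sighting SRO records that the referenced object was actually observed
    return make_object("sighting", sighting_of_ref=sighted["id"], count=count,
                       first_seen=first_seen, last_seen=first_seen)


def make_bundle(objects: list) -> dict:
    # A Bundle carries no spec_version of its own; each contained object has one
    return {"type": "bundle", "id": stix_id("bundle"), "objects": objects}


def related_to(bundle: dict, obj_id: str) -> list:
    """Follow Relationship objects out of obj_id: [(relationship_type, target_id)]."""
    return [(o["relationship_type"], o["target_ref"]) for o in bundle["objects"]
            if o["type"] == "relationship" and o["source_ref"] == obj_id]


def build_example_bundle() -> dict:
    """Constructed sample: a file-hash indicator for a hypothetical malware family."""
    seen = "2024-05-07T10:00:00.000Z"
    # Constructed, non-real SHA-256 used only as sample data
    pattern = "[file:hashes.'SHA-256' = '" + "0" * 64 + "']"
    indicator = make_indicator(pattern, "Sample dropper hash", seen)
    malware = make_malware("ExampleDropper", is_family=True)
    rel = make_relationship(indicator, "indicates", malware)
    sighting = make_sighting(indicator, count=3, first_seen=seen)
    return make_bundle([indicator, malware, rel, sighting])


if __name__ == "__main__":
    print(json.dumps(build_example_bundle(), indent=2))
```

Running the module prints the bundle as the JSON a TAXII collection would carry; `related_to` shows how a consumer turns the flat object list back into a graph by following `source_ref`/`target_ref` pairs, which is what lets an analyst answer "what does this indicator indicate?" without a bespoke schema.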

What is TAXII?

TAXII, or the Trusted Automated eXchange of Indicator Information, is a framework that governs the secure sharing of cyber-threat data. It operates over HTTPS, facilitating the exchange of intelligence through messages and services. TAXII is designed to provide comprehensive support for STIX content, acting as the transport mechanism for the structured threat data defined by STIX. While STIX defines the 'what' of threat intelligence, TAXII defines the 'how' of sharing it.

Key TAXII Sharing Models:

TAXII supports several flexible models for information exchange:

  • Peer to Peer: In this model, two or more organisations directly communicate and exchange information. This can be an ad hoc arrangement, where information is shared on an as-needed basis without prior coordination.
  • Hub and Spoke: Here, one organisation acts as a central repository (the hub) for information, while other organisations (the spokes) facilitate its exchange. The hub can create and/or consume information from the spokes.
  • Source/Subscriber: This model features a single organisation that serves as the primary source of information, distributing it to various subscribers.

Primary TAXII Services:

To facilitate these sharing models, TAXII defines two primary services:

  • Collection: This is an interface provided by a TAXII Server for a logical registry of CTI objects. Producers host a wide range of data that TAXII Clients and Servers can request, typically through a request-response model.
  • Channel: This service enables producers to push data to a large number of consumers. Consumers, in turn, collect data from multiple producers via a publish-subscribe model, where TAXII Clients share information with other TAXII Clients, all managed by a TAXII Server. (Note: While 'Channel' keywords are reserved in TAXII 2.1, their specific resources are yet to be fully defined).

Collections and Channels can be configured in various ways and grouped to suit the requirements of specific trust groups. A TAXII server instance can support one or more API Roots, which are logical categories of TAXII Channels and Collections. These API Roots act as instances of the TAXII API, accessible via distinct URLs, with each serving as the foundational URL for that specific TAXII API instance.

TAXII leverages existing protocols rather than defining new ones: it relies on HTTPS for all connectivity and uses HTTP headers for content negotiation and authentication. TAXII was originally developed to transport STIX content, and implementations are expected to fully support STIX 2.1. It is important to note that TAXII can be used to exchange data in formats other than STIX; STIX and TAXII are distinct standards with separate architectures and serializations.
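The services and protocol details above (API Roots, Collections, HTTPS transport, HTTP-header content negotiation and authentication) are easier to see as an exchange. The following is an added example, not an OASIS reference implementation or any real TAXII server's code: a tiny in-memory server that answers the TAXII 2.1 Discovery, API Root, Collections and Objects endpoints, and a client that walks them to pull new objects and push an envelope. The API Root path, collection id, token, hostname-free paths and the sample indicator are all constructed; requests and responses are plain dicts so the exchange runs offline, whereas a real deployment puts the same paths behind HTTPS.

```python
"""Minimal in-memory model of the TAXII 2.1 endpoints a client walks.

Hypothetical example, not an OASIS reference implementation. Real
deployments serve these paths over HTTPS; here requests and responses
are plain dicts so the exchange runs offline.
"""
import json

TAXII_MEDIA = "application/taxii+json;version=2.1"
STIX_MEDIA = "application/stix+json;version=2.1"
API_ROOT = "/trustgroup1/"                              # constructed API Root
COLLECTION_ID = "91a7b528-80eb-42ed-a74d-c6fbd5a26116"  # constructed id
VALID_TOKEN = "example-token"                           # constructed credential

# Constructed sample STIX 2.1 object used as payload (not a real indicator)
SAMPLE_INDICATOR = {
    "type": "indicator", "spec_version": "2.1",
    "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "created": "2024-05-07T09:00:00.000Z", "modified": "2024-05-07T09:00:00.000Z",
    "indicator_types": ["malicious-activity"], "pattern_type": "stix",
    "pattern": "[domain-name:value = 'phish.example.invalid']",
    "valid_from": "2024-05-07T09:00:00.000Z",
}


class TaxiiServer:
    """One API Root holding one Collection; each object keeps its date_added."""

    def __init__(self):
        self.added = []   # list of (date_added, stix object), in arrival order
        self._tick = 0    # deterministic clock for date_added stamps (constructed)

    def _now(self):
        self._tick += 1
        return f"2024-05-07T10:00:{self._tick:02d}.000Z"

    @staticmethod
    def _reply(status, body=None, extra=None):
        headers = {"Content-Type": TAXII_MEDIA} if body is not None else {}
        headers.update(extra or {})
        return {"status": status, "headers": headers,
                "body": json.dumps(body) if body is not None else ""}

    def handle(self, method, path, headers, query=None, body=None):
        query = query or {}
        # Content negotiation: the client must ask for the TAXII 2.1 media type
        if headers.get("Accept") != TAXII_MEDIA:
            return self._reply(406)
        # Authentication rides in a standard HTTP header (over HTTPS in practice)
        if headers.get("Authorization") != f"Bearer {VALID_TOKEN}":
            return self._reply(401)
        if path == "/taxii2/":                          # Discovery endpoint
            return self._reply(200, {"title": "Example server", "api_roots": [API_ROOT]})
        if path == API_ROOT:                            # API Root information
            return self._reply(200, {"title": "Trust group 1", "versions": [TAXII_MEDIA],
                                     "max_content_length": 10_000_000})
        if path == API_ROOT + "collections/":           # Collections listing
            return self._reply(200, {"collections": [{
                "id": COLLECTION_ID, "title": "Phishing indicators",
                "can_read": True, "can_write": True, "media_types": [STIX_MEDIA]}]})
        if path == f"{API_ROOT}collections/{COLLECTION_ID}/objects/":
            if method == "GET":                         # request-response pull
                hits = [(ts, o) for ts, o in self.added if ts > query.get("added_after", "")]
                extra = {"X-TAXII-Date-Added-First": hits[0][0],
                         "X-TAXII-Date-Added-Last": hits[-1][0]} if hits else {}
                return self._reply(200, {"objects": [o for _, o in hits], "more": False}, extra)
            if method == "POST":                        # push into the collection
                stamp, objs = self._now(), json.loads(body)["objects"]
                self.added.extend((stamp, o) for o in objs)
                return self._reply(202, {"id": f"status-{self._tick}", "status": "complete",
                    "total_count": len(objs), "success_count": len(objs),
                    "failure_count": 0, "pending_count": 0,
                    "successes": [{"id": o["id"], "version": o["modified"]} for o in objs]})
        return self._reply(404)


def pull_new_objects(server, token, added_after=""):
    """Client: Discovery -> API Root -> Collections -> Objects newer than the cursor."""
    h = {"Accept": TAXII_MEDIA, "Authorization": f"Bearer {token}"}
    disc = server.handle("GET", "/taxii2/", h)
    if disc["status"] != 200:
        raise RuntimeError(f"discovery failed: HTTP {disc['status']}")
    root = json.loads(disc["body"])["api_roots"][0]
    cols = json.loads(server.handle("GET", root + "collections/", h)["body"])["collections"]
    results, cursor = [], added_after
    for c in (c for c in cols if c["can_read"]):
        r = server.handle("GET", f"{root}collections/{c['id']}/objects/", h,
                          query={"added_after": added_after})
        results.extend(json.loads(r["body"])["objects"])
        # Persist the cursor between polls so each run fetches only new objects
        cursor = r["headers"].get("X-TAXII-Date-Added-Last", cursor)
    return results, cursor


def push_objects(server, token, stix_objects):
    """Client: POST an envelope of STIX objects and return the status resource."""
    h = {"Accept": TAXII_MEDIA, "Authorization": f"Bearer {token}", "Content-Type": TAXII_MEDIA}
    r = server.handle("POST", f"{API_ROOT}collections/{COLLECTION_ID}/objects/", h,
                      body=json.dumps({"objects": stix_objects}))
    return json.loads(r["body"])
```

Two details worth noting: the server refuses any request that does not negotiate the TAXII media type (HTTP 406) before it even looks at credentials, and the client keeps the `X-TAXII-Date-Added-Last` value as its `added_after` cursor, which is how a consumer polls a Collection repeatedly without re-downloading the same objects.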

TAXII's architectural design principles focus on minimising organisational transition for implementation, enabling rapid alignment with existing sharing arrangements, and supporting all common threat-sharing models, including hub-and-spoke, peer-to-peer, and source-subscriber.

The Importance of STIX and TAXII in Cybersecurity

STIX and TAXII were developed to significantly enhance the detection and protection against cyber-attacks. Their machine-readable nature allows for easy standardisation, a marked improvement over previous, less structured methods of information sharing. Together, they strengthen security measures by:

  • Enhancing existing threat intelligence sharing capabilities.
  • Facilitating a balanced approach between proactive and reactive threat detection.
  • Promoting a comprehensive strategy for threat intelligence management.

STIX/TAXII represents a transparent, community-driven initiative that provides free requirements to facilitate the automated expression of cyber threat information. This collaborative approach is crucial for building resilient defences.

Use Cases for STIX and TAXII

STIX and TAXII support a wide array of cyber threat management use cases and have been adopted by numerous government bodies and Information Sharing & Analysis Centres (ISACs). Their applications span various sectors and geographical focuses.

Sharing Categorised Information:

Organisations can efficiently push and pull information into specific categories. For instance, if an industry sector experiences a phishing attack, this intelligence can be shared within a 'phishing' category in an ISAC. Other organisations can then directly utilise this information to bolster their own defence systems, demonstrating the power of collective awareness and action.

Sharing within Groups:

Organisations affiliated with TAXII clients can share data by pushing and pulling it into TAXII servers within their trusted sharing groups. Certain groups within ISACs may have access to private channels, allowing them to receive more granular and detailed threat intelligence, fostering deeper collaboration and more targeted defence strategies.

In essence, STIX provides the standardised language for describing threats, while TAXII provides the secure and automated transport mechanism for sharing this intelligence. Together, they form a powerful framework for collaborative defence, enabling organisations to stay ahead of the ever-present cyber threat landscape.

Frequently Asked Questions (FAQs):

What is the primary purpose of TAXII?

The primary purpose of TAXII is to provide a secure and automated way to exchange cyber threat intelligence (CTI) between different organisations and systems.

How does STIX relate to TAXII?

STIX defines the standardised format for expressing cyber threat intelligence (the 'what'), while TAXII defines the transport protocols and services for sharing that intelligence (the 'how'). They are complementary standards.

Can TAXII share information that isn't in STIX format?

Yes, while TAXII was initially developed to support STIX, it can be used to exchange data in other formats.

What are the main benefits of using STIX and TAXII?

The main benefits include improved threat detection and response, enhanced collaboration, standardised information sharing, and a more proactive security posture.

Who developed STIX and TAXII?

STIX and TAXII were developed by MITRE, with STIX also involving the OASIS Cyber Threat Intelligence (CTI) Technical Committee. Funding has been provided by organisations like the US Department of Homeland Security.

What are the different sharing models supported by TAXII?

TAXII supports Peer-to-Peer, Hub-and-Spoke, and Source/Subscriber sharing models.

What are the two primary services provided by TAXII?

The two primary services are Collections (for request-response data retrieval) and Channels (for publish-subscribe data distribution).
