THREAT INTELLIGENCE with STIX/TAXII

Soldier0x00
2 min read, Apr 18, 2022

What is Threat Intelligence?

Threat intelligence is data that is collected, processed and analyzed to understand a threat actor’s motives and attack behaviors. It is knowledge-, skill- and experience-based information about both cyber and physical threats and threat actors, which can help mitigate potential attacks in cyberspace.

STIX and TAXII were developed to improve cyber threat detection and mitigation. Both are open source and community driven. STIX specifies the details of a threat, while TAXII defines how that information is transported. Both are machine readable and easy to automate.

More at “Cyber Threat Intelligence Technical Committee” (oasis-open.github.io)

STIX – Structured Threat Information eXpression

https://stixproject.github.io/

STIX is an open-source standardized language, developed by MITRE, for representing structured information about cyber threats. The current version is based on JSON (JavaScript Object Notation); the previous version, STIX 1.1, used XML (eXtensible Markup Language). It was designed for sharing and collaboration with communities and partners, which in turn builds cyber intelligence communities.

STIX is readable, automatable and flexible. It balances reactive response with proactive detection and supports a comprehensive approach to threat intelligence.

STIX can be used to identify indicators, Tactics, Techniques and Procedures (TTPs), and other aspects of cyber threats.
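To make the JSON structure concrete, the following added example (not code from the original post, and not the reference STIX tooling) builds a small STIX 2.1 bundle with only the Python standard library: an Indicator carrying a STIX pattern, a Threat Actor, and an "indicates" Relationship between them. The domain name and actor name are constructed placeholders, and the validator checks only a subset of the spec's required properties plus dangling references, which is a frequent defect in hand-built bundles.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample data: a placeholder domain and a made-up actor name,
# not real indicators of compromise.
SAMPLE_DOMAIN = "login-update.example"
SAMPLE_ACTOR = "Example Actor (constructed)"

# STIX identifiers have the form "<type>--<UUID>".
STIX_ID_RE = re.compile(r"^[a-z][a-z0-9-]{0,250}--[0-9a-fA-F-]{36}$")
# Required properties for the object types used here (a subset of the STIX 2.1 spec).
REQUIRED = {
    "indicator": ("pattern", "pattern_type", "valid_from"),
    "threat-actor": ("name",),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}
COMMON = ("type", "spec_version", "id", "created", "modified")


def stix_timestamp(dt: datetime) -> str:
    """STIX 2.1 timestamps are RFC 3339 in UTC, millisecond precision, 'Z' suffix."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def new_object(obj_type: str, ts: datetime, **props) -> dict:
    """Build a STIX 2.1 object with the common properties filled in."""
    obj = {
        "type": obj_type,
        "spec_version": "2.1",
        "id": f"{obj_type}--{uuid.uuid4()}",
        "created": stix_timestamp(ts),
        "modified": stix_timestamp(ts),
    }
    obj.update(props)
    return obj


def build_bundle(domain: str, actor_name: str, ts: datetime = None) -> dict:
    """Indicator -> 'indicates' -> Threat Actor, wrapped in a Bundle."""
    ts = ts or datetime.now(timezone.utc)
    indicator = new_object(
        "indicator", ts,
        name=f"Phishing domain {domain}",
        indicator_types=["malicious-activity"],
        # STIX patterning language: match a domain-name observable
        pattern=f"[domain-name:value = '{domain}']",
        pattern_type="stix",
        valid_from=stix_timestamp(ts),
    )
    actor = new_object("threat-actor", ts, name=actor_name, threat_actor_types=["crime-syndicate"])
    rel = new_object(
        "relationship", ts,
        relationship_type="indicates",
        source_ref=indicator["id"],
        target_ref=actor["id"],
    )
    # A Bundle in STIX 2.1 carries no spec_version of its own
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [indicator, actor, rel]}


def validate_bundle(bundle: dict) -> list:
    """Return the problems found; an empty list means the bundle passed these checks."""
    errors = []
    if bundle.get("type") != "bundle" or not STIX_ID_RE.match(bundle.get("id", "")):
        errors.append("bundle: bad type or id")
    objects = bundle.get("objects", [])
    ids = {o.get("id") for o in objects}
    for obj in objects:
        oid = obj.get("id", "")
        missing = [p for p in COMMON + REQUIRED.get(obj.get("type"), ()) if p not in obj]
        if missing:
            errors.append(f"{oid}: missing {missing}")
        if not STIX_ID_RE.match(oid) or not oid.startswith(obj.get("type", "") + "--"):
            errors.append(f"{oid}: id does not match type")
        if obj.get("type") == "relationship":
            # Dangling references: the related objects must travel in the same bundle
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in ids:
                    errors.append(f"{oid}: {ref} not in bundle")
    return errors


if __name__ == "__main__":
    bundle = build_bundle(SAMPLE_DOMAIN, SAMPLE_ACTOR)
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle))
```

Running the script prints the bundle as it would be exchanged on the wire and an empty problem list; removing `pattern` from the indicator or deleting the actor object makes `validate_bundle` report the defect, which is the kind of check worth running on feeds before they are loaded into a SIEM or TIP.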

Data related to cyber threats can contain sensitive information, which should only be shared over a secure protocol; this is where TAXII comes in.

TAXII — Trusted Automated eXchange of Intelligence Information

https://taxiiproject.github.io/

TAXII is an application-layer protocol for exchanging cyber threat intelligence over HTTPS. It acts as the transport vehicle for STIX content. Developers can build TAXII servers and TAXII clients that communicate using a request-response model.

There are three sharing models for TAXII:

Hub and Spoke: One central clearinghouse

Source/Subscriber: One organization is the single source of information

Peer-to-Peer: Multiple organizations share their information

TAXII can accommodate a wide array of sharing models, and enterprises can include the services best suited to their own model. TAXII supports both push and pull messaging in all models: data producers can choose whether consumers pull data from the producer, whether data is pushed from the producer, or whether a combination of the two is supported.
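The request-response flow, the push and pull directions, and the TAXII media-type negotiation described above are shown in the following added example, which is not code from the original post or from the TAXII project. It is an in-process stand-in for a TAXII 2.1 server with one API root and one collection, so it runs offline without sockets; the paths, media type, envelope and status-resource shapes follow TAXII 2.1, while the server title, collection title and the sample indicator (using a TEST-NET documentation address) are constructed placeholders.

```python
import json
import uuid
from datetime import datetime, timezone

TAXII_MEDIA = "application/taxii+json;version=2.1"
STIX_MEDIA = "application/stix+json;version=2.1"
API_ROOT = "/api1/"

# Constructed sample object: a placeholder STIX 2.1 indicator, not a real IoC.
SAMPLE_INDICATOR = {
    "type": "indicator", "spec_version": "2.1",
    "id": "indicator--00000000-0000-4000-8000-000000000001",
    "created": "2022-04-18T00:00:00.000Z", "modified": "2022-04-18T00:00:00.000Z",
    "name": "constructed sample", "pattern_type": "stix",
    "pattern": "[ipv4-addr:value = '192.0.2.10']",  # TEST-NET-1, documentation-only address
    "valid_from": "2022-04-18T00:00:00.000Z",
}


class TaxiiServer:
    """In-memory stand-in for a TAXII 2.1 server: one API root, one read/write collection."""

    def __init__(self):
        self.collection_id = str(uuid.uuid4())
        self.objects = []

    def handle(self, method: str, path: str, headers: dict, body: dict = None):
        """Dispatch one request and return (http_status, response_body)."""
        # TAXII clients must ask for the TAXII media type; otherwise the server refuses
        if headers.get("Accept") != TAXII_MEDIA:
            return 406, {"title": "Not Acceptable", "http_status": "406"}
        if method == "GET" and path == "/taxii2/":            # discovery
            return 200, {"title": "Example TAXII server (constructed)", "api_roots": [API_ROOT]}
        if method == "GET" and path == API_ROOT:              # API root information
            return 200, {"title": "api1", "versions": [TAXII_MEDIA], "max_content_length": 10_485_760}
        if method == "GET" and path == f"{API_ROOT}collections/":
            return 200, {"collections": [{
                "id": self.collection_id, "title": "shared-indicators",
                "can_read": True, "can_write": True, "media_types": [STIX_MEDIA],
            }]}
        objects_path = f"{API_ROOT}collections/{self.collection_id}/objects/"
        if path == objects_path and method == "GET":
            # Pull model: the consumer fetches an envelope of objects
            return 200, {"more": False, "objects": list(self.objects)}
        if path == objects_path and method == "POST":
            # Push model: the producer submits an envelope; the server answers with a status resource
            if headers.get("Content-Type") != TAXII_MEDIA:
                return 415, {"title": "Unsupported Media Type", "http_status": "415"}
            incoming = body.get("objects", []) if body else []
            accepted = [o for o in incoming if "id" in o and "type" in o]
            self.objects.extend(accepted)
            now = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
            return 202, {
                "id": str(uuid.uuid4()), "status": "complete", "request_timestamp": now,
                "total_count": len(incoming), "success_count": len(accepted),
                "failure_count": len(incoming) - len(accepted), "pending_count": 0,
            }
        return 404, {"title": "Not Found", "http_status": "404"}


def run_exchange(server: TaxiiServer) -> dict:
    """Client side: discover, list collections, push one object, then pull it back."""
    headers = {"Accept": TAXII_MEDIA, "Content-Type": TAXII_MEDIA}
    log = {}
    log["discovery"] = server.handle("GET", "/taxii2/", headers)
    root = log["discovery"][1]["api_roots"][0]
    log["collections"] = server.handle("GET", f"{root}collections/", headers)
    coll = log["collections"][1]["collections"][0]["id"]
    objects_path = f"{root}collections/{coll}/objects/"
    log["push"] = server.handle("POST", objects_path, headers, {"objects": [SAMPLE_INDICATOR]})
    log["pull"] = server.handle("GET", objects_path, headers)
    # Negative case: a client that omits the TAXII Accept header is refused
    log["bad_accept"] = server.handle("GET", "/taxii2/", {"Accept": "application/json"})
    return log


if __name__ == "__main__":
    for step, (status, payload) in run_exchange(TaxiiServer()).items():
        print(f"{step}: HTTP {status}\n{json.dumps(payload, indent=2)}\n")
```

The same server object serves both directions: a producer POSTs an envelope (push) and receives a status resource, while a consumer GETs the collection's objects (pull) and receives an envelope whose `more` flag tells it whether to page further. In a real deployment these calls go over HTTPS with the Accept and Content-Type headers shown, and the collection's `can_read`/`can_write` flags are where per-organization access is enforced.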

With a shared, broad view of the intelligence base, one can actively defend against attacks. However, the benefits of STIX and TAXII are only realized when a large number of organizations share threat intelligence with each other.
