„Sharing is caring” with STIX/TAXII – the communication standard and the way to share it
If not for the generally accepted standard of the English language in international cooperation, communication would be much more difficult. The same applies to cybersecurity: organizations that bring together specialists in this field long ago noticed the lack of a generally accepted communication standard. STIX was created in response to that issue.
STIX stands for Structured Threat Information eXpression, a standardized Cyber Threat Intelligence (CTI) language for describing information about cyber threats, developed by MITRE and OASIS (Organization for the Advancement of Structured Information Standards). It has been adopted as an international standard by various communities and organizations involved in the exchange of IT security data.
STIX is structured so that users can describe a threat by:
- The attacker's motivations.
- The capabilities the threat has.
- The opportunities available to the attacker.
- Responses to an incident caused by this threat.
STIX is a way of expressing information about computer threats in a structured and unambiguous manner. Based on JSON, it has the potential to allow automatic exchange of information between the many tools used to ensure the security of the organization.
STIX defines two categories of objects:
STIX Domain Objects (SDO):
- Attack Pattern: An approach taken by one or more malicious actors to compromise a target.
- Campaign: A collection of hostile activities describing a set of malicious actions or attacks targeting a specific group of victims over a specific period of time.
- Course of Action: An action taken to prevent or respond to an attack.
- Identity: People, organizations or groups, as well as classes of people, organizations or groups.
- Indicator: Contains a STIX pattern designed to detect malicious or suspicious activity.
- Intrusion Set: A set of assets and hostile behaviour suspected to be specific to a particular threat actor. Unlike a campaign, it is not tied to a set of goals or a period of time.
- Malware: Malicious code aiming to breach the confidentiality, integrity and/or availability of a victim's data or systems.
- Observed Data: Represents information observed on a system or network (e.g. an IP address or a file) as a set of STIX Cyber Observables.
- Report: A collection of threat intelligence (SDOs and SROs) covering one or more topics such as a description of a malicious actor, a malware family or an intrusion technique, including contextual information. It may reference a report in the classic sense of the word via the external_references property.
- Threat Actor: Individuals, groups or organizations suspected of malicious activity. Unlike an Identity, which defines clearly identified actors, a Threat Actor usually refers to malicious actors known under a pseudonym. If identified, the Threat Actor SDO is associated with an Identity SDO through a Relationship SRO with relationship_type attributed-to. The object also lets you describe elements such as the level of resources (resource_level), skill level (sophistication) and motivations (primary_motivation, secondary_motivations and personal_motivations).
- Tool: Legitimate software that may be put to malicious use (e.g. RDP, Nmap).
- Vulnerability: A software flaw whose exploitation could allow unauthorized access to a system or network.
There are 3 more SDOs on the way: opinion, note, location.
STIX Relationship Objects (SRO):
- Relationship: An SRO used to connect two SDOs and describe the relation between them.
- Sighting: Expresses the belief that a CTI (Cyber Threat Intelligence) element (e.g. an indicator or malware) has been observed. Unlike a Relationship SRO, a Sighting can be associated with one or more SDOs.
For the sake of simplicity, SDOs can be viewed as graph nodes connected to each other through SROs.
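The node-and-edge view described above, as an added example that is not part of the original article: it builds a small STIX 2.1 bundle by hand as plain JSON-style dicts (no stix2 library), then queries it as a graph of SDO nodes joined by SRO edges and checks that every reference resolves. All object names, the pattern and the timestamp are constructed values.

```python
"""Added example: build a STIX 2.1 bundle by hand (plain JSON, no stix2 library) and
query it as a graph of SDO nodes joined by SRO edges. All names and values are constructed."""
import uuid

# Fixed timestamp so the sample is reproducible (constructed value).
NOW = "2024-01-15T12:00:00.000Z"


def stix_object(obj_type, **props):
    """Every STIX object carries type, spec_version, an id of the form <type>--<UUID>,
    and created/modified timestamps; type-specific properties are passed as kwargs."""
    obj = {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
           "created": NOW, "modified": NOW}
    obj.update(props)
    return obj


def relationship(source, rel_type, target):
    """Relationship SRO: a directed, typed edge between exactly two objects."""
    return stix_object("relationship", relationship_type=rel_type,
                       source_ref=source["id"], target_ref=target["id"])


def sighting(sighted, where=None, count=1):
    """Sighting SRO: 'this object was observed', optionally at one or more identities."""
    obj = stix_object("sighting", sighting_of_ref=sighted["id"], count=count,
                      first_seen=NOW, last_seen=NOW)
    if where is not None:
        obj["where_sighted_refs"] = [where["id"]]
    return obj


def build_sample_bundle():
    """Constructed sample: an indicator that detects a malware family used by a
    pseudonymous threat actor, sighted three times by one ISAC member organization."""
    malware = stix_object("malware", name="SampleLoader", is_family=True,
                          malware_types=["downloader"])
    indicator = stix_object("indicator", name="SampleLoader C2 domain",
                            indicator_types=["malicious-activity"], pattern_type="stix",
                            pattern="[domain-name:value = 'c2.example.invalid']",
                            valid_from=NOW)
    actor = stix_object("threat-actor", name="Sample Group",
                        threat_actor_types=["crime-syndicate"], resource_level="organization",
                        sophistication="intermediate", primary_motivation="personal-gain")
    member = stix_object("identity", name="Example ISAC member", identity_class="organization")
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [malware, indicator, actor, member,
                        relationship(indicator, "indicates", malware),
                        relationship(actor, "uses", malware),
                        sighting(indicator, where=member, count=3)]}


def split_graph(bundle):
    """Nodes are the SDOs, edges are Relationship SROs, sightings are kept aside."""
    nodes = {o["id"]: o for o in bundle["objects"] if o["type"] not in ("relationship", "sighting")}
    edges = [o for o in bundle["objects"] if o["type"] == "relationship"]
    sightings = [o for o in bundle["objects"] if o["type"] == "sighting"]
    return nodes, edges, sightings


def neighbours(bundle, obj_id, rel_type, direction):
    """Objects reached from obj_id over edges of rel_type, following ('out') or reversing ('in') them."""
    nodes, edges, _ = split_graph(bundle)
    hits = []
    for e in edges:
        if e["relationship_type"] != rel_type:
            continue
        if direction == "out" and e["source_ref"] == obj_id:
            hits.append(nodes[e["target_ref"]])
        elif direction == "in" and e["target_ref"] == obj_id:
            hits.append(nodes[e["source_ref"]])
    return hits


def patterns_for_actor(bundle, actor_name):
    """Walk threat-actor -uses-> malware <-indicates- indicator to find detection patterns."""
    nodes, _, _ = split_graph(bundle)
    patterns = set()
    for node in nodes.values():
        if node["type"] == "threat-actor" and node["name"] == actor_name:
            for mw in neighbours(bundle, node["id"], "uses", "out"):
                for ind in neighbours(bundle, mw["id"], "indicates", "in"):
                    patterns.add(ind["pattern"])
    return sorted(patterns)


def sighting_counts(bundle):
    """Total sighting count per sighted object name."""
    nodes, _, sightings = split_graph(bundle)
    counts = {}
    for s in sightings:
        name = nodes[s["sighting_of_ref"]]["name"]
        counts[name] = counts.get(name, 0) + s.get("count", 1)
    return counts


def dangling_refs(bundle):
    """Every *_ref/*_refs must resolve inside the bundle; a dangling edge means the
    consumer cannot rebuild the graph, a common defect in shared feeds."""
    ids = {o["id"] for o in bundle["objects"]}
    missing = []
    for o in bundle["objects"]:
        for key, value in o.items():
            refs = value if key.endswith("_refs") else [value] if key.endswith("_ref") else []
            missing.extend(r for r in refs if r not in ids)
    return missing
```

The `dangling_refs` check is the one worth running on anything received from a feed before loading it: the graph traversal in `patterns_for_actor` would raise a KeyError on an edge whose endpoint was never shared.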
Developing a common data representation is not the end of the story; a way of sharing that data was also needed, and so STIX was supplemented with TAXII. TAXII (Trusted Automated eXchange of Intelligence Information) defines how information on cyber threats can be made available through services and message exchange.
TAXII is a protocol for data exchange over HTTPS designed specifically to carry STIX information. It does this by defining a set of requirements for clients and servers and a REST API for interacting with two types of services:
- Collection: An interface to a server-hosted repository of objects that lets a producer serve consumers in a request-response model.
- Channel: Enables information exchange according to the publish-subscribe model.
Users can select and deploy as many as they need and combine them for different sharing models.
The three main TAXII models include:
- Hub-and-spoke – one repository of information.
- Source/subscriber – one source of information.
- Peer-to-peer – Many groups share information with each other.
STIX/TAXII supports a variety of use cases for managing cyber threats. It has been widely deployed by governments and by Information Sharing and Analysis Centers (ISACs) that focus on different industries and operate in different geographic regions.
The two main ones are:
- Providing categorized information
Organizations can contribute and retrieve information by category. For example, if an industry experiences a targeted phishing attack, it may share this information under the phishing category of its ISAC. Other organizations can automatically ingest this information and strengthen their own defenses.
- Group sharing
Organizations with a TAXII client can push information to, and pull information from, the TAXII servers of trusted sharing groups. Some organizations may have access to private groups within these ISACs that provide more detailed information.
In both cases, the central repository hosted by the ISAC's analysis centre is a TAXII server, and each client organization runs a TAXII client.
Using STIX/TAXII allows users to define Indicators of Compromise (IOCs) and link them to the actors, tactics, techniques and procedures catalogued by MITRE. To hinder attackers, information on cyber threats must be exchanged across a large community according to clear standards that make the automation of data transfer possible. STIX/TAXII takes this as its starting point, and its adoption can therefore significantly improve an organization's level of security.
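The exchange between the ISAC-hosted TAXII server and member clients described in both use cases above, as an added example that is not part of the original article and not any real TAXII implementation. The server is an in-memory stand-in that answers the TAXII 2.1 discovery, collection and objects endpoints; the client discovers the "phishing" collection, one member pushes an indicator and another pulls only what was added since its last bookmark. The collection id, the indicators and the timestamps are constructed; a real deployment would speak authenticated HTTPS.

```python
"""Added example: a simplified TAXII 2.1 request/response exchange between an ISAC server
(in-memory stand-in, not a real implementation) and member clients. Values are constructed."""
import uuid
from urllib.parse import urlparse, parse_qs

TAXII_MEDIA = "application/taxii+json;version=2.1"
STIX_MEDIA = "application/stix+json;version=2.1"


class TaxiiServer:
    """One collection per sharing category; here a single constructed 'phishing' collection."""

    def __init__(self):
        self.collections = {"phishing": {"id": "phishing", "title": "Phishing indicators",
                                         "can_read": True, "can_write": True,
                                         "media_types": [STIX_MEDIA]}}
        self.store = {cid: [] for cid in self.collections}  # list of (date_added, object)
        self.tick = 0

    def _date_added(self):
        # Monotonic server-side timestamp; a real server records the time of the write.
        self.tick += 1
        return f"2024-01-15T12:00:{self.tick:02d}.000Z"

    def handle(self, method, url, headers, body=None):
        """Dispatch one request; returns (status, response_headers, json_body)."""
        if headers.get("Accept") != TAXII_MEDIA:
            return 406, {}, {"title": "Not Acceptable"}
        parsed = urlparse(url)
        query, path = parse_qs(parsed.query), parsed.path
        if method == "GET" and path == "/taxii2/":            # discovery resource
            return 200, {}, {"title": "Example ISAC", "api_roots": ["/api1/"]}
        if method == "GET" and path == "/api1/":              # API root resource
            return 200, {}, {"title": "Member sharing", "versions": [TAXII_MEDIA],
                             "max_content_length": 10_000_000}
        if method == "GET" and path == "/api1/collections/":  # collections resource
            return 200, {}, {"collections": list(self.collections.values())}
        parts = path.strip("/").split("/")
        if len(parts) == 4 and parts[:2] == ["api1", "collections"] and parts[3] == "objects":
            cid = parts[2]
            if cid not in self.store:
                return 404, {}, {"title": "Not Found"}
            if method == "POST":                               # member pushes objects
                if headers.get("Content-Type") != TAXII_MEDIA:
                    return 415, {}, {"title": "Unsupported Media Type"}
                for obj in body["objects"]:
                    self.store[cid].append((self._date_added(), obj))
                n = len(body["objects"])
                return 202, {}, {"id": f"status--{uuid.uuid4()}", "status": "complete",
                                 "total_count": n, "success_count": n,
                                 "failure_count": 0, "pending_count": 0}
            if method == "GET":                                # member pulls objects
                after = query.get("added_after", [""])[0]
                wanted = query.get("match[type]", [None])[0]
                hits = [(d, o) for d, o in self.store[cid]
                        if d > after and (wanted is None or o["type"] in wanted.split(","))]
                resp_headers = {"X-TAXII-Date-Added-Last": hits[-1][0]} if hits else {}
                return 200, resp_headers, {"more": False, "objects": [o for _, o in hits]}
        return 404, {}, {"title": "Not Found"}


class TaxiiClient:
    """Member-side client; in production this is an authenticated HTTPS session."""

    def __init__(self, server):
        self.server = server
        self.bookmark = {}  # collection id -> last X-TAXII-Date-Added-Last seen

    def _request(self, method, url, body=None):
        headers = {"Accept": TAXII_MEDIA}
        if body is not None:
            headers["Content-Type"] = TAXII_MEDIA
        status, resp_headers, data = self.server.handle(method, url, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {url} -> {status}: {data.get('title')}")
        return resp_headers, data

    def list_collections(self):
        root = self._request("GET", "/taxii2/")[1]["api_roots"][0]
        return self._request("GET", f"{root}collections/")[1]["collections"]

    def push(self, cid, objects):
        return self._request("POST", f"/api1/collections/{cid}/objects/", {"objects": objects})[1]

    def pull_new(self, cid, obj_type=None):
        """Incremental pull: only objects added since the bookmark, optionally one STIX type."""
        url = f"/api1/collections/{cid}/objects/?added_after={self.bookmark.get(cid, '')}"
        if obj_type:
            url += f"&match[type]={obj_type}"
        resp_headers, envelope = self._request("GET", url)
        if "X-TAXII-Date-Added-Last" in resp_headers:
            self.bookmark[cid] = resp_headers["X-TAXII-Date-Added-Last"]
        return envelope["objects"]


def sample_phishing_indicator(n):
    """Constructed STIX 2.1 indicator, as a member would share it under the phishing category."""
    ts = "2024-01-15T11:00:00.000Z"
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid5(uuid.NAMESPACE_URL, f'phish{n}')}",
            "created": ts, "modified": ts, "valid_from": ts, "pattern_type": "stix",
            "pattern": f"[url:value = 'https://phish{n}.example.invalid/login']"}


def run_exchange():
    """Producer pushes, consumer pulls incrementally; returns object counts of three pulls."""
    server = TaxiiServer()
    producer, consumer = TaxiiClient(server), TaxiiClient(server)
    cid = consumer.list_collections()[0]["id"]
    producer.push(cid, [sample_phishing_indicator(1)])
    first = consumer.pull_new(cid, "indicator")   # everything so far
    producer.push(cid, [sample_phishing_indicator(2)])
    second = consumer.pull_new(cid, "indicator")  # only the newly added one
    third = consumer.pull_new(cid, "indicator")   # nothing new
    return len(first), len(second), len(third)
```

The bookmark kept from the `X-TAXII-Date-Added-Last` header is what makes "automatically absorb this information" cheap: each poll asks only for objects the server added after the previous poll, and the `Accept` media type check is the first thing a conformant server rejects on.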