We don’t always concern ourselves with how cyber-security applications work internally. TAXII (Trusted Automated eXchange of Indicator Information) is a new convention for sharing threat data, and one you need to understand in order to put it to use. TAXII isn’t an application for sharing threat intelligence; it’s a standard language for cyber threat information. Indicators of compromise are encoded in a machine-readable form that can be shared universally between different applications, even when those applications come from different developers.
Your TAXII server is built on standardized feeds of information, but it’s not a one-size-fits-all tool. Users still control which aspects of their traffic logs they wish to contribute to the shared pool of intelligence. There is a growing awareness of the need to share threat intelligence among the finance, retail, military, healthcare, and government sectors, all of which are inundated with threats.
Since much of the hacking affecting the US today is sponsored by foreign governments, the DHS has issued a statement urging businesses to put aside their differences and work together to identify and stop cyber criminals. Submitting this data through a TAXII server makes the threats found in your traffic logs usable by other would-be victims without revealing whose network was affected. Before this initiative, the prevalent way to report a cyber threat was to e-mail the DHS a report of the incident, and collecting useful intelligence from such reports was very labor intensive. Building on this standardization, TAXII provides four main services:
- Discovery – Learning how to interact with services
- Collection management – Discovering and requesting access to data collections
- Poll messaging – Sending out a message requesting specific content
- Inbox – Receiving content directly
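The four services above are those of the TAXII 1.x XML binding. The following is an added example, not code from the original post, showing the client side of the Discovery and Poll steps with only the Python standard library: build a Discovery_Request, read the server's Discovery_Response to find the Poll service, then build a Poll_Request for one collection. The server address, collection name and the Discovery_Response itself are constructed sample values.

```python
import uuid
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
NS = {"taxii_11": TAXII_NS}
ET.register_namespace("taxii_11", TAXII_NS)  # keep the conventional prefix in output
TAXII_HEADERS = {  # HTTP headers sent alongside every TAXII 1.1 XML message
    "Content-Type": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}

def discovery_request(message_id=None):
    """Discovery: ask the server which services it offers and where they live."""
    el = ET.Element(f"{{{TAXII_NS}}}Discovery_Request",
                    message_id=message_id or uuid.uuid4().hex)
    return ET.tostring(el, encoding="unicode")

def parse_services(discovery_response_xml):
    """service_type -> Address, keeping only services the server marks available
    and that are served over HTTPS; plain-HTTP entries are deliberately dropped."""
    root = ET.fromstring(discovery_response_xml)
    services = {}
    for inst in root.findall("taxii_11:Service_Instance", NS):
        addr = inst.findtext("taxii_11:Address", default="", namespaces=NS)
        if inst.get("available") == "true" and addr.startswith("https://"):
            services[inst.get("service_type")] = addr
    return services

def poll_request(collection_name, begin, end, message_id=None):
    """Poll: request the full content of one collection for a time window."""
    req = ET.Element(f"{{{TAXII_NS}}}Poll_Request", collection_name=collection_name,
                     message_id=message_id or uuid.uuid4().hex)
    ET.SubElement(req, f"{{{TAXII_NS}}}Exclusive_Begin_Timestamp").text = begin
    ET.SubElement(req, f"{{{TAXII_NS}}}Inclusive_End_Timestamp").text = end
    params = ET.SubElement(req, f"{{{TAXII_NS}}}Poll_Parameters")
    ET.SubElement(params, f"{{{TAXII_NS}}}Response_Type").text = "FULL"
    return ET.tostring(req, encoding="unicode")

# Constructed sample Discovery_Response (not captured from a real server).
SAMPLE_DISCOVERY_RESPONSE = f"""<taxii_11:Discovery_Response xmlns:taxii_11="{TAXII_NS}" message_id="2" in_response_to="1">
  <taxii_11:Service_Instance service_type="POLL" service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <taxii_11:Address>https://taxii.example.com/poll/</taxii_11:Address>
  </taxii_11:Service_Instance>
  <taxii_11:Service_Instance service_type="INBOX" service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <taxii_11:Address>http://taxii.example.com/inbox/</taxii_11:Address>
  </taxii_11:Service_Instance>
</taxii_11:Discovery_Response>"""
```

In a real exchange each XML string is POSTed with `TAXII_HEADERS` to the discovery URL and then to the Poll address returned by `parse_services`; the Inbox entry is dropped here because the sample advertises it over plain HTTP.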
Participation in this exchange gives you greater protection, but with it come some responsibilities. When sharing threat intelligence through a TAXII server, you must adhere to some guidelines. These guidelines exist to protect the anonymity of victims and of other individuals who are not responsible for the threat. Naming individuals, or failing to remove other identifying details, jeopardizes your protection from liability. If any significant portion of your traffic comes from Europe, look into the EU regulations that apply to operating a TAXII server. The rules are much stricter, and if they are violated the regulators can levy a fine of up to €20 million or 4% of your global profits.
Ordered data is known as a Data Feed, whereas unordered data is a Data Set. When sharing threat intelligence through a TAXII server, there are different models for the direction of information flow:
- Hub and Spoke – Data flows to and from one central repository
- Peer to Peer – Users share intel with others at their discretion
- Source and Subscriber – Users rely on intelligence from one central source
Using one standard format to send and request threat data is a big step forward for the threat intelligence community. Strongly consider arming your IT security team with the tools to send and receive very specific threat feeds through a TAXII server.
To learn more about using standards like TAXII to protect your data, download our white paper.