Putting Your TAXII Server to Work

Published on
August 16, 2016

A TAXII server is an exchange point for standardized and anonymized cyber threat intelligence among users. It works as a venue for sharing and collecting indicators of compromise (IoCs), which have been anonymized to protect privacy. IoCs are not the only thing that can be shared via a TAXII server: it is possible to compare intel about malware, too. Any activity in your traffic log that has been established as suspicious can be recorded and shared to benefit others.

First, the record must be translated into a universal format. This allows users of different proprietary programs to use one another’s intelligence easily. Then it is transmitted through the TAXII server via HTTP-based requests and responses known as services.

Services handle collections of data, which can be shared from or added to your library. Each collection is individually labeled. Data feeds are ordered collections, whereas a data set is an unordered collection. Using these main services, users can send and answer queries about threats. The platform can be searched by properties such as IP or DNS, time of event, or name.

The four basic services are:

  1. Discovery – the primary service to locate relevant offerings
  2. Collection management – for subscriptions or stand-alone queries
  3. Inbox – the means by which a client pushes information to your server
  4. Poll – the function that requests information from the server
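As an added example that is not from the original post or from Anomali, the following Python models the first of these services: it builds a TAXII 1.1 Discovery request and parses a constructed Discovery response into the endpoints of the four services, rejecting responses that do not answer the request that was sent and dropping any service advertised over plain HTTP. Element and attribute names follow the TAXII 1.1 XML message binding; the hostnames are placeholders and the sample response omits the protocol and message binding elements for brevity.

```python
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
NS = {"taxii_11": TAXII_NS}


def build_discovery_request(message_id: str) -> bytes:
    """Serialize the Discovery request a client sends to locate service offerings."""
    req = ET.Element(f"{{{TAXII_NS}}}Discovery_Request", {"message_id": message_id})
    return ET.tostring(req, encoding="utf-8")


def parse_discovery_response(xml_bytes: bytes, request_id: str) -> dict:
    """Map each usable service type (DISCOVERY, COLLECTION_MANAGEMENT, INBOX, POLL)
    to its endpoint. A response that does not answer our request id is rejected;
    services flagged unavailable or advertised over plain http are skipped, so the
    client only exchanges intel with endpoints it asked about, over TLS."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{TAXII_NS}}}Discovery_Response":
        raise ValueError("not a TAXII 1.1 Discovery_Response")
    if root.get("in_response_to") != request_id:
        raise ValueError("in_response_to does not match the request we sent")
    services = {}
    for inst in root.findall("taxii_11:Service_Instance", NS):
        address = inst.findtext("taxii_11:Address", default="", namespaces=NS)
        if inst.get("available", "true").lower() != "true":
            continue
        if not address.startswith("https://"):
            continue  # unencrypted endpoint: do not use it
        services[inst.get("service_type")] = address
    return services


def _instance(service_type: str, address: str, available: str = "true") -> str:
    # Constructed Service_Instance for the sample below (bindings omitted).
    return (f'<taxii_11:Service_Instance service_type="{service_type}" '
            f'service_version="urn:taxii.mitre.org:services:1.1" available="{available}">'
            f'<taxii_11:Address>{address}</taxii_11:Address></taxii_11:Service_Instance>')


# Constructed sample response; example.invalid hostnames are placeholders.
SAMPLE_RESPONSE = (
    f'<taxii_11:Discovery_Response xmlns:taxii_11="{TAXII_NS}" message_id="2" in_response_to="1">'
    + _instance("DISCOVERY", "https://taxii.example.invalid/services/discovery")
    + _instance("COLLECTION_MANAGEMENT", "https://taxii.example.invalid/services/collection-management")
    + _instance("INBOX", "https://taxii.example.invalid/services/inbox")
    + _instance("POLL", "https://taxii.example.invalid/services/poll")
    + _instance("POLL", "http://legacy.example.invalid/services/poll")  # plain http: skipped
    + "</taxii_11:Discovery_Response>"
).encode()
```

Calling `parse_discovery_response(SAMPLE_RESPONSE, "1")` returns the four https endpoints keyed by service type; the Poll address it yields is the one a client would then use for its Poll requests.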

Servers and clients are defined by their role in the exchange of information, not by their makeup. There are many exchange models by which information producers and consumers can use a TAXII server. A threat feed is a one-way channel of intelligence that flows from an intelligence-gathering agency to its users. The configuration will vary depending on whether the host wishes to open the flow up to the public or make it subscriber-only. Threat feeds that allow user contributions are a two-way channel. Some organizations decide to share threat feeds in real time but decide it’s not feasible to log 80,000 events per second in a database.

There are many possibilities for uses beyond a two-party exchange. If there is enough information to detect patterns, users can benefit from other forms of data besides stand-alone IoCs. A central body can analyze threats on a bigger scale to discover overarching trends. One example of the hub model is a map showing density of threat actors by IP location. Another use for crowdsourcing data is to identify misinformation. Marking peers as trustworthy helps to isolate users who spread inaccurate data to pollute the pool of threat intelligence.

The ways to use a TAXII server are too many to name. Your actual use scenarios will depend on your needs, your peers, and the volume of threats you encounter. Read more about actual threat intelligence users in our survey, Market Focus: Employing Cyber Threat Intelligence.

