What are they?
STIX/TAXII are community-driven standards and protocols for sharing cyber threat intelligence. Technically speaking, STIX and TAXII are not sharing programs, tools, or software, but rather components and standards that support them. STIX states the what of threat intelligence, while TAXII defines how that information is relayed. Unlike previous methods of sharing, STIX and TAXII are machine-readable and therefore easily automated. Both possess an active community of developers and analysts.
STIX/TAXII specifically aims to improve security measures in a few ways:
- Extend the capabilities of current threat intelligence sharing
- Turn focus of security outward rather than inward
- Balance response with proactive detection
- Encourage a holistic approach to threat intelligence
Where did they come from?
These standards were developed by the MITRE Corporation and the Department of Homeland Security (DHS). As of 2015, both STIX and TAXII were transitioned to the OASIS Cyber Threat Intelligence (CTI) TC, which is recognized internationally as a non-profit consortium that drives the development, convergence, and adoption of open source standards for the Internet. The DHS continues to play an active role within the development of STIX/TAXII, but concentrates its efforts on promoting worldwide adoption of these standards.
How are they used?
STIX/TAXII supports a variety of use cases regarding cyber threat management, including analyzing cyber threats, specifying indicator patterns, and managing and sharing cyber threat information. Wide adoption of STIX/TAXII has been seen by governments and Information Sharing and Analysis Centers (ISACs), which range in focus from industry to geolocation.
Sharing Categorized Information - Organizations can push and pull information into categories. For example, if one industry experiences a targeted phishing attack, they can share that information within the phishing category of the ISAC. Other organizations can automatically ingest that intelligence and bolster their own defenses.
Sharing with Groups - Organizations with a TAXII client can push and pull information into the TAXII servers of trusted sharing groups. Some organizations may have access to private groups within these ISACs that provide more detailed information.
Can I use STIX/TAXII?
There are many ways to get involved with STIX/TAXII. If you’d like to engage with the community and contribute to creation efforts, you can join the OASIS TC. If you’d like to learn more about STIX/TAXII, here are some additional resources:
- Detailed description of STIX 2.0 (Google Doc)
- Information on the differences between STIX 1.x/CybOX 2.x and STIX 2.0 (GitHub)
- TAXII Discussion and Announcement mailing lists
- Python library for managing TAXII messages and services (GitHub)
- Proof of concept TAXII server Yeti (GitHub)
- Access open source feeds via Hailataxii
What Tools Can You Use with STIX/TAXII?
Anomali provides a utility called STAXX that allows you to easily subscribe to any STIX/TAXII feed for free. To start you simply:
- Download the STAXX client
- Configure your data sources
- Set up your download schedule
Signing up for an account on the STAXX portal allows users to link from an Indicator of Compromise (IOC) to information that identifies threat Actors, Campaigns, and TTPs. Users can also access additional Anomali threat intelligence feeds, and preview features of Anomali’s Threat Intelligence Platform, ThreatStream.