STIX/TAXII: All Your Questions Answered

Marketplace Offerings

Threat Intelligence Feeds

Trial and purchase threat intelligence feeds from Anomali partners – find the right intelligence for your organization, industry, geography, threat type, and more.

Threat Analysis Tools & Enrichments

Gain the tools to pivot quickly from one piece of information to look up other sources of data to get a complete picture of a threat – all one click away.

Security System Partners

Anomali seamlessly integrates with many Security and IT systems to operationalize threat intelligence.

What are they?

STIX/TAXII are community-driven standards and protocols for sharing cyber threat intelligence. Technically speaking, STIX and TAXII are not sharing programs, tools, or software, but rather components and standards that support them. STIX states the what of threat intelligence, while TAXII defines how that information is relayed. Unlike previous methods of sharing, STIX and TAXII are machine-readable and therefore easily automated. Both possess an active community of developers and analysts.

STIX/TAXII specifically aims to improve security measures in a few ways:

Extend the capabilities of current threat intelligence sharing
Turn focus of security outward rather than inward
Balance response with proactive detection
Encourage a holistic approach to threat intelligence

Where did they come from?

These standards were developed by the MITRE Corporation and the Department of Homeland Security (DHS). As of 2015, both STIX and TAXII were transitioned to the OASIS Cyber Threat Intelligence (CTI) TC, which is recognized internationally as a non-profit consortium that drives the development, convergence, and adoption of open source standards for the Internet. The DHS continues to play an active role within the development of STIX/TAXII, but concentrates its efforts on promoting worldwide adoption of these standards.

How are they used?

STIX/TAXII supports a variety of use cases regarding cyber threat management, including analyzing cyber threats, specifying indicator patterns, and managing and sharing cyber threat information. Wide adoption of STIX/TAXII has been seen by governments and Information Sharing and Analysis Centers (ISACs), which range in focus from industry to geolocation.

Sharing Categorized Information - Organizations can push and pull information into categories. For example, if one industry experiences a targeted phishing attack, they can share that information within the phishing category of the ISAC. Other organizations can automatically ingest that intelligence and bolster their own defenses.

ISAC TAXII server

Sharing with Groups - Organizations with a TAXII client can push and pull information into the TAXII servers of trusted sharing groups. Some organizations may have access to private groups within these ISACs that provide more detailed information.

ISAC TAXII server

Can I use STIX/TAXII?

There are many ways to get involved with STIX/TAXII. If you’d like to engage with the community and contribute to creation efforts, you can join the OASIS TC. If you’d like to learn more about STIX/TAXII, here are some additional resources:

STIX/TAXII Overviews

STIX

Detailed description of STIX 2.0 (Google Doc)
Information on the differences between STIX 1.x/CybOX 2.x and STIX 2.0 (GitHub)

TAXII

What Tools Can You Use with STIX/TAXII?

Anomali provides a utility called STAXX that allows you to easily subscribe to any STIX/TAXII feed for free. To start you simply:

Download the STAXX client
Configure your data sources
Set up your download schedule

Signing up for an account on the STAXX portal allows users to link from an Indicator of Compromise (IOC) to information that identifies threat Actors, Campaigns, and TTPs. Users can also access additional Anomali threat intelligence feeds, and preview features of Anomali’s Threat Intelligence Platform, ThreatStream.