STIX and TAXII are standards developed in an effort to improve prevention and mitigation of cyber-attacks. STIX states the what of threat intelligence, while TAXII defines how that information is relayed. Unlike previous methods of sharing, STIX and TAXII are machine-readable and therefore easily automated.
STIX/TAXII aims to improve security measures in a few ways:
The establishment of STIX/TAXII is an open, community-driven effort that provides free specifications to aid in the automated expression of cyber threat information. Both possess an active community of developers and analysts.
STIX, short for Structured Threat Information eXpression, is a standardized language developed by MITRE and the OASIS Cyber Threat Intelligence (CTI) Technical Committee for describing cyber threat information. It has been adopted as an international standard by various intelligence sharing communities and organizations. It is designed to be shared via TAXII, but can be shared by other means. STIX is structured in such a fashion that users can describe threat:
TAXII, short for Trusted Automated eXchange of Intelligence Information, defines how cyber threat information can be shared via services and message exchanges. It is designed specifically to support STIX information, which it does by defining an API that aligns with common sharing models. The three principal models for TAXII include:
TAXII defines four services. Users can select and implement as many as they require, and combine them for different sharing models.
STIX/TAXII supports a variety of use cases regarding cyber threat management. STIX/TAXII has been widely adopted by governments and Information Sharing and Analysis Centers (ISACs), which range in focus from industry to geolocation.
Organizations can push and pull information into categories. For example, if one industry experiences a targeted phishing attack, they can share that information within the phishing category of the ISAC. Other organizations can automatically ingest that intelligence and bolster their own defenses.
Organizations with a TAXII client can push and pull information into the TAXII servers of trusted sharing groups. Some organizations may have access to private groups within these ISACs that provide more detailed information.
Anomali provides a utility called STAXX that allows you to easily subscribe to any STIX/TAXII feed and push out indicators via STIX/TAXII for free. To start you simply:
Signing up for an account on the STAXX portal allows users to link from an Indicator of Compromise (IOC) to information that identifies threat Actors, Campaigns, and TTPs. STAXX is also pre-setup with a feed, Limo. Users can also access additional Anomali threat intelligence feeds, and preview features of Anomali’s Threat Intelligence Platform, ThreatStream.
There are many ways to get involved with STIX/TAXII. If you’d like to engage with the community and contribute to creation efforts, you can join a committee within the OASIS TC. If you’d like to learn more about STIX/TAXII, here are some additional resources: