Enhancing threat intelligence using new STIX and TAXII standards

David Strom 12 Jul 2021

The latest round of both standards has been implemented by numerous vendors, including Avast

For many years, cybersecurity companies have invested in building sensor networks and detection capabilities to build a greater understanding of adversaries’ tactics, ever-changing techniques, and the threats posed to the world’s internet community. 

Whether it's a consumer using a phone in an airport, a remote worker at home connecting to their business, or a large organization protecting many thousands of assets, security companies need data on all of those activities in order to protect them.

One of the critical foundations of protecting every use of the internet is for defenders to understand what malicious activity looks like and how to stop it. To gain that insight, security companies must not only understand their own data but also learn from, and share with, others doing the same. By building an ecosystem of data and intelligence sharing across the security industry, all participants can help each other more effectively. Doing so requires standards both for the data itself and for how that data is exchanged. Let's take a closer look under the covers at these foundations and how they benefit all of us.

An introduction to STIX and TAXII

Automating the sharing of threat intelligence wouldn't be possible without a well-defined data format and an API for structured transfer. That is why the Structured Threat Information Expression (STIX) language was created back in 2010; it is now at version 2.1. STIX can describe the motivations and capabilities implied by a particular threat, along with suggested responses. The idea is that this well-structured data exchange can drive machine-to-machine security event identification, processing and remediation. STIX 2.1 defines objects for observed data, indicators (expressed as patterns over observables such as file hashes, domains and IP addresses), malware, attack patterns, threat actors, vulnerabilities and recommended courses of action, plus the relationships and sightings that tie them together. This lets organizations and tools share threat intelligence with one another in a way that improves many different capabilities, such as collaborative threat analysis, automated threat exchange, detection, and response.
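To make the data model concrete, here is an added example written for this page (not code from OASIS, Avast or the `stix2` library) that builds a minimal STIX 2.1 bundle with only the Python standard library (an Indicator, a Malware object and the `indicates` relationship between them), runs the structural checks a consumer would apply before trusting a received object, and evaluates the indicator's pattern against constructed observed data. The pattern evaluator handles only a small subset of the STIX patterning grammar (one bracketed observation expression of `=`/`!=` comparisons joined by `AND`/`OR`); the object names, hash and addresses are made up for illustration.

```python
import re
import uuid
from datetime import datetime, timezone

def now_iso() -> str:
    """STIX 2.1 timestamps: RFC 3339, UTC, millisecond precision, trailing 'Z'."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def stix_id(obj_type: str) -> str:
    """STIX 2.1 identifiers are '<object-type>--<UUID>'."""
    return f"{obj_type}--{uuid.uuid4()}"

def _common(obj_type: str, **props) -> dict:
    """Common properties every STIX Domain/Relationship Object must carry."""
    ts = now_iso()
    return {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type),
            "created": ts, "modified": ts, **props}

def make_indicator(pattern: str, name: str) -> dict:
    # 'pattern', 'pattern_type' and 'valid_from' are required on a 2.1 Indicator.
    return _common("indicator", name=name, indicator_types=["malicious-activity"],
                   pattern=pattern, pattern_type="stix", valid_from=now_iso())

def make_malware(name: str) -> dict:
    return _common("malware", name=name, is_family=False)  # is_family is required in 2.1

def make_relationship(src: dict, rel_type: str, dst: dict) -> dict:
    return _common("relationship", relationship_type=rel_type,
                   source_ref=src["id"], target_ref=dst["id"])

ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
REQUIRED = {"indicator": ("pattern", "pattern_type", "valid_from"), "malware": ("is_family",),
            "relationship": ("relationship_type", "source_ref", "target_ref")}

def validate(obj: dict) -> list:
    """Basic structural checks a consumer should run on a received object; [] means it passes."""
    problems = [f"missing {p}" for p in ("type", "spec_version", "id", "created", "modified") if p not in obj]
    if "id" in obj and not ID_RE.match(obj["id"]):
        problems.append("malformed id")
    if obj.get("spec_version") != "2.1":
        problems.append("spec_version is not 2.1")
    problems += [f"missing {p}" for p in REQUIRED.get(obj.get("type"), ()) if p not in obj]
    return problems

# Subset of STIX patterning: one [ ... ] observation expression of comparisons joined by
# AND/OR (AND binds tighter). No parentheses, temporal qualifiers, FOLLOWEDBY, MATCHES or LIKE.
COMPARISON = re.compile(
    r"(?P<type>[a-z0-9-]+):(?P<path>(?:'[^']*'|[^\s=!])+)\s*(?P<op>!=|=)\s*'(?P<value>[^']*)'")

def _resolve(sco: dict, path: str):
    cur = sco
    for key in re.findall(r"'[^']*'|[^.]+", path):  # hashes.'SHA-256' -> ["hashes", "'SHA-256'"]
        key = key.strip("'")
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def _comparison_holds(comparison: str, scos: list) -> bool:
    """A comparison holds if any observed object of that type satisfies it."""
    m = COMPARISON.fullmatch(comparison.strip())
    if not m:
        raise ValueError(f"unsupported comparison: {comparison!r}")
    for sco in scos:
        if sco.get("type") != m["type"]:
            continue
        actual = _resolve(sco, m["path"])
        if actual is not None and (str(actual) == m["value"]) == (m["op"] == "="):
            return True
    return False

def pattern_matches(pattern: str, scos: list) -> bool:
    """True if the observed SCOs satisfy the indicator pattern (subset grammar above)."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("only a single [ ... ] observation expression is supported")
    return any(all(_comparison_holds(c, scos) for c in clause.split(" AND "))
               for clause in body[1:-1].split(" OR "))

# Constructed sample data (not real intelligence); the hash is SHA-256 of the empty string.
SAMPLE_HASH = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
SAMPLE_PATTERN = (f"[file:hashes.'SHA-256' = '{SAMPLE_HASH}' OR "
                  "ipv4-addr:value = '203.0.113.7']")
HIT_OBSERVATION = [{"type": "file", "name": "update.exe", "hashes": {"SHA-256": SAMPLE_HASH}},
                   {"type": "ipv4-addr", "value": "198.51.100.20"}]
MISS_OBSERVATION = [{"type": "file", "name": "notepad.exe", "hashes": {"SHA-256": "00" * 32}},
                    {"type": "ipv4-addr", "value": "198.51.100.20"}]

def build_sample_bundle() -> dict:
    """Indicator -> 'indicates' -> Malware: the shape a sharing partner would publish."""
    ind = make_indicator(SAMPLE_PATTERN, "Dropper hash / C2 address")
    mal = make_malware("ExampleDropper")
    return {"type": "bundle", "id": stix_id("bundle"),
            "objects": [ind, mal, make_relationship(ind, "indicates", mal)]}
```

The matcher deliberately refuses anything outside its subset instead of silently returning False, which is the safer failure mode for a detection path; a production consumer should use a full pattern engine and the reference `stix2` library for object construction and validation.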

STIX works in conjunction with another open standard, Trusted Automated Exchange of Intelligence Information (TAXII), which defines the transport for moving STIX content from one tool to another. Think of them this way: STIX defines the "what" of a potential threat, while TAXII defines "how" that information is exchanged: in TAXII 2.1, a RESTful API over HTTPS with a discovery endpoint, API roots, collections and paged retrieval of objects. The two standards are maintained by the Organization for the Advancement of Structured Information Standards (OASIS) and have many contributors in common. More technical detail on both standards and their evolution can be found in a separate blog post.
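As an added illustration of the transport side (example code written for this page, not Avast's or OASIS's own, using a hypothetical server name, collection id and cursor values), the following Python client walks a TAXII 2.1 server the way a consumer does: discovery at `/taxii2/`, the API root, the collection list, then the objects endpoint, following the server's `next` cursor while `more` is true and keeping the `X-TAXII-Date-Added-Last` header as the `added_after` watermark for the next poll. An in-memory fake transport stands in for HTTPS so the example runs offline; it also shows the 406 a real server returns when the TAXII media type is missing from the `Accept` header.

```python
TAXII_MEDIA = "application/taxii+json;version=2.1"  # required Accept/Content-Type value in TAXII 2.1
STIX_MEDIA = "application/stix+json;version=2.1"

# Hypothetical server, API root and collection id, constructed for this example.
DISCOVERY = "https://taxii.example.test/taxii2/"
API_ROOT = "https://taxii.example.test/api1/"
COLLECTION = "91a7b528-80eb-42ed-a74d-c6fbd5a26116"

def _indicator(n: int, value: str) -> dict:
    """Minimal STIX 2.1 indicator used as sample feed content (constructed, not real intel)."""
    ts = f"2021-07-01T00:00:0{n}.000Z"
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--0000000{n}-0000-4000-8000-000000000000",
            "created": ts, "modified": ts, "valid_from": ts, "pattern_type": "stix",
            "pattern": f"[ipv4-addr:value = '{value}']"}

# Two pages: page one says more=True and hands out an opaque 'next' cursor.
PAGES = [
    ({"more": True, "next": "cursor-2", "objects": [_indicator(1, "203.0.113.7")]},
     {"X-TAXII-Date-Added-First": "2021-07-01T00:00:01.000Z",
      "X-TAXII-Date-Added-Last": "2021-07-01T00:00:01.000Z"}),
    ({"more": False, "objects": [_indicator(2, "203.0.113.8")]},
     {"X-TAXII-Date-Added-First": "2021-07-01T00:00:02.000Z",
      "X-TAXII-Date-Added-Last": "2021-07-01T00:00:02.000Z"}),
]

class FakeTaxiiTransport:
    """Stands in for HTTP so the example runs offline; answers like a TAXII 2.1 server would."""
    def __init__(self):
        self.requests = []  # (url, params, headers) log so the client's behaviour can be checked
        self.static = {
            DISCOVERY: {"title": "Example TAXII 2.1 server", "default": API_ROOT, "api_roots": [API_ROOT]},
            API_ROOT: {"title": "api1", "versions": [TAXII_MEDIA], "max_content_length": 10485760},
            API_ROOT + "collections/": {"collections": [
                {"id": COLLECTION, "title": "Indicators", "can_read": True, "can_write": False,
                 "media_types": [STIX_MEDIA]},
                {"id": "8c5b3d8d-1f2a-4a31-9e0f-3f7f6b7f1b2a", "title": "Private", "can_read": False,
                 "can_write": False, "media_types": [STIX_MEDIA]}]},
        }

    def get(self, url: str, params: dict, headers: dict):
        self.requests.append((url, dict(params), dict(headers)))
        if headers.get("Accept") != TAXII_MEDIA:  # servers reject requests without the TAXII media type
            return 406, {}, {"title": "Not Acceptable"}
        if url in self.static:
            return 200, {"Content-Type": TAXII_MEDIA}, self.static[url]
        if url == f"{API_ROOT}collections/{COLLECTION}/objects/":
            body, hdrs = PAGES[1] if params.get("next") == "cursor-2" else PAGES[0]
            return 200, {"Content-Type": TAXII_MEDIA, **hdrs}, body
        return 404, {}, {"title": "Not Found"}

class TaxiiClient:
    def __init__(self, transport, discovery_url: str):
        self.transport, self.discovery_url = transport, discovery_url

    def _get(self, url: str, params=None):
        status, hdrs, body = self.transport.get(url, params or {}, {"Accept": TAXII_MEDIA})
        if status != 200:
            raise RuntimeError(f"GET {url} -> {status}: {body.get('title')}")
        return hdrs, body

    def api_roots(self) -> list:
        return self._get(self.discovery_url)[1]["api_roots"]

    def readable_stix_collections(self, api_root: str) -> list:
        cols = self._get(api_root + "collections/")[1]["collections"]
        return [c for c in cols if c.get("can_read") and STIX_MEDIA in c.get("media_types", [])]

    def poll(self, api_root: str, collection_id: str, added_after=None, limit=100):
        """Fetch every object added after the watermark, following the server-issued 'next' cursor.
        Returns (objects, new_watermark, pages_fetched)."""
        url = f"{api_root}collections/{collection_id}/objects/"
        params = {"limit": limit, **({"added_after": added_after} if added_after else {})}
        objects, watermark, pages = [], added_after, 0
        while True:
            hdrs, env = self._get(url, params)
            pages += 1
            objects.extend(env.get("objects", []))
            # Persist this header between polls and send it back as added_after next time.
            watermark = hdrs.get("X-TAXII-Date-Added-Last", watermark)
            if not env.get("more"):
                return objects, watermark, pages
            params["next"] = env["next"]  # opaque cursor: never compute page offsets yourself

def run_demo() -> dict:
    transport = FakeTaxiiTransport()
    client = TaxiiClient(transport, DISCOVERY)
    root = client.api_roots()[0]
    collection = client.readable_stix_collections(root)[0]
    objects, watermark, pages = client.poll(root, collection["id"])
    return {"objects": objects, "watermark": watermark, "pages": pages, "requests": transport.requests}

if __name__ == "__main__":
    r = run_demo()
    print(f"{len(r['objects'])} objects over {r['pages']} pages; next added_after={r['watermark']}")
```

Against a real server you would swap the fake transport for an HTTPS client that adds authentication (HTTP Basic or a bearer token, over TLS only), and the objects returned on each page would be fed to the STIX validation and pattern-matching step on the consuming side.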

Both standards originated at MITRE, the federally funded research organization that also maintains the ATT&CK knowledge base of adversary tactics and techniques; ATT&CK itself is now distributed as STIX 2 content, including over TAXII. One of the government bodies that has been a recipient of the STIX and TAXII efforts is the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security. CISA uses these standards in its Automated Indicator Sharing (AIS) program. AIS anonymizes submissions by default when transmitting them, meaning that the identity of the submitter is not revealed without the submitter's prior express consent. CISA keeps track of major threats and alerts businesses and the public accordingly.

Like any multi-vendor standards effort, the evolutionary process is lengthy. The STIX 2.1 and TAXII 2.1 specifications approved as OASIS Standards in 2021 took several years to produce, but they show that both standards continue to be useful and receive wide vendor support. The latest round of both standards has been implemented by numerous vendors, including Accenture Security, Anomali, Avast Software, Celerium, Cyware Labs, DarkLight, EclecticIQ, FreeTAXII, Fujitsu, IBM, New Context, SEKOIA, and Trend Micro.

Avast's Chief Architect of Threat Defense Technology Allan Thomson has been involved in the STIX and TAXII standards bodies for several years and has been a co-chair of one of the interoperability committees. “For the past six months, we have been moving towards using STIX2 as a standard mechanism to consume external data feeds from other partners to help us integrate their data much more quickly and consistently across different data sets. This will also help us respond to threats more effectively.” 


Further reading:
From planes to AI, Allan Thomson has been playing wargames for decades
