It is becoming increasingly necessary for organizations to have a cyber threat intelligence capability and a key component of success for any such capability is information sharing with partners, peers and others they select to trust. While cyber threat intelligence and information sharing can help focus and prioritize the use of the immense volumes of complex cyber security information organizations face today, they have a foundational need for standardized, structured representations of this information to make it tractable. The Structured Threat Information eXpression (STIX™) is a quickly evolving, collaborative community-driven effort to define and develop a language to represent structured threat information. The STIX language is meant to convey the full range of cyber threat information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible. Though relatively new and still evolving, it is actively being adopted or considered for adoption by a wide range of cyber threat-related organizations and communities around the world. All interested parties are welcome to participate in evolving STIX as part of its open, collaborative community via the STIX web site, email discussion lists and other collaborative forums.
https://stixproject.github.io/about/
Structured Threat Information Expression (STIX™)
is a structured language for describing cyber threat information so it
can be shared, stored, and analyzed in a consistent manner.
The
STIX whitepaper
describes the motivation and architecture behind STIX. At a high level
the STIX language consists of 9 key constructs and the relationships
between them:
- Observables describe what has been or might be seen in cyber
- Indicators describe patterns for what might be seen and what they mean if they are
- Incidents describe instances of specific adversary actions
- Adversary Tactics, Techniques, and Procedures
describe attack patterns, malware, exploits, kill chains, tools,
infrastructure, victim targeting, and other methods used by the
adversary
- Exploit Targets describe vulnerabilities, weaknesses, or configurations that might be exploited
- Courses of Action describe response actions that may be taken in response to an attack or as a preventative measure
- Campaigns describe sets of incidents and/or TTPs with a shared intent
- Threat Actors describe identification and/or characterization of the adversary
- Reports collect related STIX content and give them shared context
How do I get it?
The current release is
STIX Version 2.0, which is available on the
STIX 2.0 website.
An archive of
previous releases is hosted on this website.
Bindings and related tools to help process and work with STIX are
open source on Github.
Where can I find examples of STIX data? Are there any STIX repositories?
The
Samples page
on this website hosts full threat reports expressed via STIX, including
Mandiant’s APT1 report and FireEye’s Poison Ivy report.
Idioms also provide good constrained examples.
In addition to the MITRE samples, community members have set up
TAXII repositories containing STIX content and even directories pointing to those repositories. One example repository is
http://hailataxii.com.
The primary way to use STIX is of course via commercial products. See
“Who is using STIX?” for more information.
If you’re developing a product or tool, the current STIX reference
implementation is in XML so any XML libraries are suitable for producing
and consuming STIX XML. The project also maintains open-source
Python bindings and other
Utilities to make working with STIX at the code level easier.
Documentation and
Suggested Practices, as well as
Examples, can help you understand how to use the STIX Language conceptually (beyond just producing the XML).
Who is using STIX?
The OASIS Cyber Threat Intelligence (CTI) Technical Committee (TC) hosts “STIX/CybOX/TAXII Supporters” lists for both
products and
open source projects. You can add your product/project via their
registration form.
In additon, the
STIX Blog also notes vendor press releases and announcements.
TAXII
TAXII (Trusted Automated
eXchange of Indicator Information) is the main transport mechanism for
cyber threat information represented in STIX. Through the use of TAXII
services, organizations can share cyber threat information in a secure
and automated manner.
The STIX and TAXII communities work closely together (and in fact
consist of many of the same people) to ensure that they continue to
provide a full stack for sharing threat intelligence.
