STIX and TAXII: Sharing cyber threat intelligence
STIX (Structured Threat Information Expression) is a language for describing cyber threat information so that it can be analyzed and/or exchanged. STIX makes it possible to explicitly characterize a cyber adversary’s motivations, capabilities, and activities, and in doing so, determine how to best defend against them. TAXII (Trusted Automated Exchange of Indicator Information) defines services and message exchanges that enable organizations to share the information they choose with the partners they choose.
Here’s a transcript of the podcast for your convenience.
Thank you for joining us today – we have Allan Thomson with us. Allan is the CTO of LookingGlass Cyber Solutions, and he’s going to share a bit about STIX and TAXII with us, so that we can better understand how this affects the cybersecurity industry at large. So, Allan, let’s start at the beginning. What did the STIX and TAXII standards address?
Well, that’s actually a very good question. A lot of the industry hear a lot of buzz about STIX and TAXII, and one of the key things that STIX is trying to solve is exchanging cyberthreat intelligence between different systems. Some of the important use cases are data feed providers such as an intel provider trying to share what indicators they see for threats, and sharing that with either TIPS – Threat Intelligence Platforms, sharing it with threat mitigation systems for example, like a firewall. Able to then identify that threat as it occurs in the wild, and then be able to block that. So, STIX is a schema for threat intelligence.
TAXII on the other hand is an application protocol that runs on top of HTTP, and it allows systems to exchange STIX content. And so, typically TAXII would be a separate component from say a TIP or a data feed provider, but they would exchange their content between the data feed provider via TAXII to the threat intel platform.
Thank you! You shared a little bit about what the standard is, but can you help us better understand how cybersecurity industry at large is going to benefit once we get compliance on these two standards?
Well, anybody who’s ever been in the industry for a while knows the challenges of data integration. Most data providers or data integrators spend a significant time dealing with different proprietary data formats. They deal with a lot of different incompatibilities of how vendors have interpreted their data versus another. And so STIX starts to identify a common scheme or a common language that all vendors can coalesce behind, and that will ultimately drive a lot of interoperability and capability to share systems.
The other key thing is the cost associated with it. So, not just as a vendor like ourselves, but also customers who are looking to integrate products from different vendors, they potentially could spend a lot of money on advanced services and custom integrations to make their products integrate. By having standards where product vendors can off the shelf integrate, it will save both the vendors as well as our paying customers money.
I understand that you are a co-chair for the OASIS subcommittee on STIX and TAXII. So my question would be, where do you see the roadmap for these two standards going?
STIX 2.0 and TAXII 2.0 are significantly improved over STIX 1 and TAXII 1. A lot of the consumers of STIX and TAXII might be thinking that we’re talking about the earlier versions. The 2.0 versions are significantly improved; they’re much more efficient. They’ve also changed how they model things to much more accurately reflect how analysts and threat intelligence operations behavior takes place.
The other key thing is that STIX 2.0 has just come out as a community specification, and that’s a great start. But there’s a lot more work to be done in terms of supporting analyst tradecraft. So, for example, STIX 2.1 which is targeting the fall of 2017 is introducing things like intel notes and opinion objects, which support analysts being able to share and enrich the data across those systems that I mentioned earlier.
Well, thank you, you really answered my next question which was all about how the companies participate in this, and that’s all about as I understand, the community groups that they can feed directly into and impact the shape of the standards. The question I would have now is what should companies ask their vendors about STIX and TAXII and compliance, and how is that going to shape their decision?
As co-chair of the interoperability committee, one of the things that we’re pushing for is vendors and organizations to self-certify their product and their capability. So, as a consumer of a potential vendor’s products, I would ask them: have they certified their self-certification for interoperability? And you can actually go to the OASIS website and check out – is that vendor listed and what personas, what products have they tested and what test have they actually performed? And so, you can, as a consumer, check up on the vendors and say ‘Okay, yep, that product is or is not compliant to STIX and TAXII 2.0.
As the industry matures in this regard, you will start to see a lot more organizations hopefully self-certifying their capability, but you need to look beyond of just the label of STIX and TAXII. You really need to look at the depth and understanding what does that mean in terms of their support, what other capabilities do they support? Do they share indicators or do they share much more deep context which a lot of the industry really needs around TTPs and campaign and intrusion sets. Those are some of the meaty aspects of threat intelligence that only a few vendors really are able to do, and the STIX TAXII interoperability actually tests some of those key capabilities.
Well, you convinced me that one of the reasons that we ought to be talking about this is because it does shape cybersecurity industries moving forward. So, thank you to Allan Thomson, CTO of Looking Glass for your time today, appreciate it!