Blog

STIX/TAXII: All Your Questions Answered

STIX/TAXII are a set of open source standards that define how to share cyber threat intelligence. Learn more about the features, history, and tools for STIX/TAXII...

Anissa Khalid
May 4, 2017
Table of contents
<h2>What are they?</h2><p>STIX/TAXII are community-driven standards and protocols for sharing cyber threat intelligence. Technically speaking, STIX and TAXII are not sharing programs, tools, or software, but rather components and standards that support them. STIX states the what of threat intelligence, while TAXII defines how that information is relayed. Unlike previous methods of sharing, STIX and TAXII are machine-readable and therefore easily automated. Both possess an active community of developers and analysts.</p><p>STIX/TAXII specifically aims to improve security measures in a few ways:</p><ul><li>Extend the capabilities of current threat intelligence sharing</li><li>Turn focus of security outward rather than inward</li><li>Balance response with proactive detection</li><li>Encourage a holistic approach to threat intelligence</li></ul><h2>Where did they come from?</h2><p>These standards were developed by the <a href="https://www.mitre.org/" target="_blank">MITRE Corporation</a> and the <a href="https://www.dhs.gov/" target="_blank">Department of Homeland Security (DHS)</a>. As of 2015, both STIX and TAXII were transitioned to the <a href="https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cti" target="_blank">OASIS Cyber Threat Intelligence (CTI) TC</a>, which is recognized internationally as a non-profit consortium that drives the development, convergence, and adoption of open source standards for the Internet. The DHS continues to play an active role within the development of STIX/TAXII, but concentrates its efforts on promoting worldwide adoption of these standards.</p><h2>How are they used?</h2><p>STIX/TAXII supports a variety of use cases regarding cyber threat management, including analyzing cyber threats, specifying indicator patterns, and managing and sharing cyber threat information. Wide adoption of STIX/TAXII has been seen by governments and <a href="https://www.nationalisacs.org/" target="_blank">Information Sharing and Analysis Centers</a> (ISACs), which range in focus from industry to geolocation.</p><p>Sharing Categorized Information - Organizations can push and pull information into categories. For example, if one industry experiences a targeted phishing attack, they can share that information within the phishing category of the ISAC. Other organizations can automatically ingest that intelligence and bolster their own defenses.</p><p style="text-align: center;"><img alt="ISAC TAXII server" src="https://cdn.filestackcontent.com/Vy5IXnA0Tc53uNmEKv6A"/></p><p>Sharing with Groups - Organizations with a TAXII client can push and pull information into the TAXII servers of trusted sharing groups. Some organizations may have access to private groups within these ISACs that provide more detailed information.</p><p style="text-align: center;"><img alt="ISAC TAXII server" src="https://cdn.filestackcontent.com/ocMaShR1Rx2MBJdJHba1"/></p><h2>Can I use STIX/TAXII?</h2><p>There are many ways to get involved with STIX/TAXII. If you’d like to engage with the community and contribute to creation efforts, you can <a href="https://www.oasis-open.org/committees/join" target="_blank">join the OASIS TC</a>. If you’d like to learn more about STIX/TAXII, here are some additional resources:</p><p class="nobottommargin"><strong>STIX/TAXII Overviews</strong></p><ul><li><a href="https://oasis-open.github.io/cti-documentation/" target="_blank">GitHub</a></li><li><a href="https://wiki.oasis-open.org/cti/FrontPage" target="_blank">OASIS CTI TC Wiki</a></li></ul><p class="nobottommargin"><strong>STIX</strong></p><ul><li><a href="https://docs.google.com/document/d/1IcA5KhglNdyX3tO17bBluC5nqSf70M5qgK9nuAoYJgw/edit#heading=h.j0uqagkk6m9n" target="_blank">Detailed description of STIX 2.0 </a>(Google Doc)</li><li><a href="https://oasis-open.github.io/cti-documentation/stix/compare" target="_blank">Information on the differences between STIX 1.x/CybOX 2.x and STIX 2.0 </a>(GitHub)</li></ul><p class="nobottommargin"><strong>TAXII</strong></p><ul><li><a href="http://taxii.mitre.org/community/registration.html" target="_blank">TAXII Discussion and Announcement mailing lists</a></li><li><a href="https://github.com/TAXIIProject/libtaxii" target="_blank">Python library for managing TAXII messages and services</a> (GitHub)</li><li><a href="https://github.com/TAXIIProject/yeti" target="_blank">Proof of concept TAXII server Yeti</a> (GitHub)</li><li><a href="http://hailataxii.com/" target="_blank">Access open source feeds via Hailataxii</a></li></ul><h2>What Tools Can You Use with STIX/TAXII?</h2><p>Anomali provides a utility called <a href="https://www.anomali.com/community/staxx">STAXX</a> that allows you to easily subscribe to any STIX/TAXII feed for free. To start you simply:</p><ol><li>Download the STAXX client</li><li>Configure your data sources</li><li>Set up your download schedule</li></ol> <script async="" src="https://fast.wistia.com/embed/medias/8g9f2ed73f.jsonp"></script><script async="" src="https://fast.wistia.com/assets/external/E-v1.js"></script> <div class="bottommargin-sm wistia_responsive_padding" style="padding:56.25% 0 0 0;position:relative;"><div class="wistia_responsive_wrapper" style="height:100%;left:0;position:absolute;top:0;width:100%;"><div class="wistia_embed wistia_async_8g9f2ed73f seo=false videoFoam=true" style="height:100%;width:100%"> </div></div></div><p>Signing up for an account on the STAXX portal allows users to link from an Indicator of Compromise (IOC) to information that identifies threat Actors, Campaigns, and TTPs. Users can also access additional Anomali threat intelligence feeds, and preview features of Anomali’s Threat Intelligence Platform, <a href="https://www.anomali.com/products/threatstream">ThreatStream</a>.</p><div class="content-block bg-grey-gradient bottommargin-sm"><div class="row"><div class="center col-xs-12 col-sm-4 col-md-3"><img alt="What are STIX / TAXII whitepaper" src="https://cdn.filestackcontent.com/IXw44qkbRiKdZwP6WnHU" style="width: 300px;"/></div><div class="col-xs-12 col-sm-8 col-md-9 col-lg-9"><h2>What are STIX/TAXII?</h2><p class="text-lg"><a class="button button-xlarge button-rounded button-border button-blue" href="{page_3449}">Read It Now</a></p></div></div></div>
Anissa Khalid

Anissa Khalid is the former Head of Global Demand Generation Marketing at Anomali.

Propel your mission with amplified visibility, analytics, and AI.

Learn how Anomali can help you cost-effectively improve your security posture.

May 4, 2017
-
Anissa Khalid
,

STIX/TAXII: All Your Questions Answered

<h2>What are they?</h2><p>STIX/TAXII are community-driven standards and protocols for sharing cyber threat intelligence. Technically speaking, STIX and TAXII are not sharing programs, tools, or software, but rather components and standards that support them. STIX states the what of threat intelligence, while TAXII defines how that information is relayed. Unlike previous methods of sharing, STIX and TAXII are machine-readable and therefore easily automated. Both possess an active community of developers and analysts.</p><p>STIX/TAXII specifically aims to improve security measures in a few ways:</p><ul><li>Extend the capabilities of current threat intelligence sharing</li><li>Turn focus of security outward rather than inward</li><li>Balance response with proactive detection</li><li>Encourage a holistic approach to threat intelligence</li></ul><h2>Where did they come from?</h2><p>These standards were developed by the <a href="https://www.mitre.org/" target="_blank">MITRE Corporation</a> and the <a href="https://www.dhs.gov/" target="_blank">Department of Homeland Security (DHS)</a>. As of 2015, both STIX and TAXII were transitioned to the <a href="https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cti" target="_blank">OASIS Cyber Threat Intelligence (CTI) TC</a>, which is recognized internationally as a non-profit consortium that drives the development, convergence, and adoption of open source standards for the Internet. The DHS continues to play an active role within the development of STIX/TAXII, but concentrates its efforts on promoting worldwide adoption of these standards.</p><h2>How are they used?</h2><p>STIX/TAXII supports a variety of use cases regarding cyber threat management, including analyzing cyber threats, specifying indicator patterns, and managing and sharing cyber threat information. Wide adoption of STIX/TAXII has been seen by governments and <a href="https://www.nationalisacs.org/" target="_blank">Information Sharing and Analysis Centers</a> (ISACs), which range in focus from industry to geolocation.</p><p>Sharing Categorized Information - Organizations can push and pull information into categories. For example, if one industry experiences a targeted phishing attack, they can share that information within the phishing category of the ISAC. Other organizations can automatically ingest that intelligence and bolster their own defenses.</p><p style="text-align: center;"><img alt="ISAC TAXII server" src="https://cdn.filestackcontent.com/Vy5IXnA0Tc53uNmEKv6A"/></p><p>Sharing with Groups - Organizations with a TAXII client can push and pull information into the TAXII servers of trusted sharing groups. Some organizations may have access to private groups within these ISACs that provide more detailed information.</p><p style="text-align: center;"><img alt="ISAC TAXII server" src="https://cdn.filestackcontent.com/ocMaShR1Rx2MBJdJHba1"/></p><h2>Can I use STIX/TAXII?</h2><p>There are many ways to get involved with STIX/TAXII. If you’d like to engage with the community and contribute to creation efforts, you can <a href="https://www.oasis-open.org/committees/join" target="_blank">join the OASIS TC</a>. If you’d like to learn more about STIX/TAXII, here are some additional resources:</p><p class="nobottommargin"><strong>STIX/TAXII Overviews</strong></p><ul><li><a href="https://oasis-open.github.io/cti-documentation/" target="_blank">GitHub</a></li><li><a href="https://wiki.oasis-open.org/cti/FrontPage" target="_blank">OASIS CTI TC Wiki</a></li></ul><p class="nobottommargin"><strong>STIX</strong></p><ul><li><a href="https://docs.google.com/document/d/1IcA5KhglNdyX3tO17bBluC5nqSf70M5qgK9nuAoYJgw/edit#heading=h.j0uqagkk6m9n" target="_blank">Detailed description of STIX 2.0 </a>(Google Doc)</li><li><a href="https://oasis-open.github.io/cti-documentation/stix/compare" target="_blank">Information on the differences between STIX 1.x/CybOX 2.x and STIX 2.0 </a>(GitHub)</li></ul><p class="nobottommargin"><strong>TAXII</strong></p><ul><li><a href="http://taxii.mitre.org/community/registration.html" target="_blank">TAXII Discussion and Announcement mailing lists</a></li><li><a href="https://github.com/TAXIIProject/libtaxii" target="_blank">Python library for managing TAXII messages and services</a> (GitHub)</li><li><a href="https://github.com/TAXIIProject/yeti" target="_blank">Proof of concept TAXII server Yeti</a> (GitHub)</li><li><a href="http://hailataxii.com/" target="_blank">Access open source feeds via Hailataxii</a></li></ul><h2>What Tools Can You Use with STIX/TAXII?</h2><p>Anomali provides a utility called <a href="https://www.anomali.com/community/staxx">STAXX</a> that allows you to easily subscribe to any STIX/TAXII feed for free. To start you simply:</p><ol><li>Download the STAXX client</li><li>Configure your data sources</li><li>Set up your download schedule</li></ol> <script async="" src="https://fast.wistia.com/embed/medias/8g9f2ed73f.jsonp"></script><script async="" src="https://fast.wistia.com/assets/external/E-v1.js"></script> <div class="bottommargin-sm wistia_responsive_padding" style="padding:56.25% 0 0 0;position:relative;"><div class="wistia_responsive_wrapper" style="height:100%;left:0;position:absolute;top:0;width:100%;"><div class="wistia_embed wistia_async_8g9f2ed73f seo=false videoFoam=true" style="height:100%;width:100%"> </div></div></div><p>Signing up for an account on the STAXX portal allows users to link from an Indicator of Compromise (IOC) to information that identifies threat Actors, Campaigns, and TTPs. Users can also access additional Anomali threat intelligence feeds, and preview features of Anomali’s Threat Intelligence Platform, <a href="https://www.anomali.com/products/threatstream">ThreatStream</a>.</p><div class="content-block bg-grey-gradient bottommargin-sm"><div class="row"><div class="center col-xs-12 col-sm-4 col-md-3"><img alt="What are STIX / TAXII whitepaper" src="https://cdn.filestackcontent.com/IXw44qkbRiKdZwP6WnHU" style="width: 300px;"/></div><div class="col-xs-12 col-sm-8 col-md-9 col-lg-9"><h2>What are STIX/TAXII?</h2><p class="text-lg"><a class="button button-xlarge button-rounded button-border button-blue" href="{page_3449}">Read It Now</a></p></div></div></div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.