Learn How To Standardize Threat Intelligence With STIX And TAXII

Joe Franscella
May 13, 2016
<p>It’s quite obvious that threat intelligence is used to prevent cyber theft. The data you hold is extremely valuable and, if it were to get into the wrong hands, it could cost you a lot of money. Having a cybersecurity program that uses the best insight to keep those thefts to a minimum is ideal, but what if there was more you could do? By talking with other organizations that have come across cyber thefts, you can learn how to protect yourself better. Cyber sharing software allows for that to happen, but because it can be a complicated and irregular program, <a href="http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/why-we-should-care-about-stix-taxii/" target="_blank">STIX and TAXII</a> are used to standardize the process so that information shared across organizations is understandable.</p>
<p><strong>STIX</strong></p>
<p>STIX isn’t the actual sharing software, but an add-on communication program that <a href="https://www.anomali.com/blog/4-ways-analysts-can-make-more-sense-of-threat-data">standardizes the language of threat intelligence</a> within the software. This is an extremely important piece because there’s not going to be an open sharing process if no one can understand what anyone else is saying. So having a program like STIX, which unifies these different languages, is crucial to promoting a sharing process that’s open to everyone.</p>
<p>The language it uses defines a number of terms, including:</p>
<ul><li><strong>Observable</strong> - a particular event or someone’s property</li><li><strong>Indicator</strong> - an observable with context. It can include specifics like time range and intrusion detection rules</li><li><strong>Incident</strong> - similar activity that indicates a particular threat</li><li><strong>TTP</strong> - the threat’s method of attack</li><li><strong>Exploit Target</strong> - the threat’s weakness you should target after analyzing the TTP</li><li><strong>Course of Action</strong> - type of defense used against the threat</li><li><strong>Campaign</strong> - collection of information on the threat</li><li><strong>Threat Actor</strong> - the threat</li></ul>
<p>With a shared understanding of these terms, people can make sense of the information they share and receive, and learn from other attacks.</p>
<p><strong>TAXII</strong></p>
<p>Much like STIX, TAXII is not the actual sharing program itself, but another add-on that is used to standardize the program. It provides a set of parameters and specifications for the transfer of threat information. So instead of everyone sending information in different forms through separate mediums, there are only a few different options from which to choose.</p>
<p>The three <a href="https://www.anomali.com/blog/stix-taxii-hacks-4-things-you-need-to-know">sharing modules</a> TAXII provides are:</p>
<ul><li><strong>Peer-to-Peer</strong> - many different organizations share information</li><li><strong>Hub and Spoke</strong> - a single, central clearing house</li><li><strong>Source/Subscriber</strong> - there’s only one main source of information</li></ul>
<p>TAXII also provides the following four optional services, which participants can mix and match as they wish:</p>
<ul><li><strong>Inbox</strong> - where you can receive push messages</li><li><strong>Poll</strong> - allows you to request content</li><li><strong>Collection Management</strong> - you can request and subscribe to data collections</li><li><strong>Discovery</strong> - learn about different services and how to use them</li></ul>
<p>Without these service parameters, users who want 
to <a href="http://www.statetechmagazine.com/article/2015/06/stix-and-taxii-provide-higher-standard-threat-intelligence" target="_blank">share or request</a> cyber threat information will do so in an unorganized way that could cause a lot of confusion. With them in place, many different people can benefit from the sharing of information. It also gives the person sharing more control because they get to choose the service and modules they use.</p>
<p>So the importance of standardized threat intelligence is determined by how organizations communicate with each other. Without STIX and TAXII, it becomes a huge mess of unknown terms in formats that confuse the recipients. But by using them as add-ons to your current software, everything will become straightforward and regulated so that data will be better protected and cyber thieves will be phased out.</p>
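<p>As an added example (not code from the original post or from Anomali), the Python below shows the division of labor described above: TAXII carries the content and STIX describes it. It reads a constructed TAXII 1.1 Poll response and counts the STIX 1.x components inside it under the terms listed earlier; the sample message, its ids, the collection name <code>example-feed</code> and the function name <code>inventory</code> are assumptions made for illustration.</p>

```python
import xml.etree.ElementTree as ET
TAXII = "{http://taxii.mitre.org/messages/taxii_xml_binding-1.1}"
STIX = "{http://stix.mitre.org/stix-1}"
# STIX 1.x top-level containers mapped to the terms listed in the article.
CONTAINERS = {
    "Observables": "Observable", "Indicators": "Indicator",
    "Incidents": "Incident", "TTPs": "TTP",
    "Exploit_Targets": "Exploit Target", "Campaigns": "Campaign",
    "Courses_Of_Action": "Course of Action", "Threat_Actors": "Threat Actor",
}
# Constructed, abridged TAXII 1.1 Poll Response; every id and name is made up.
SAMPLE = b"""<taxii_11:Poll_Response
    xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
    message_id="2" in_response_to="1" collection_name="example-feed">
  <taxii_11:Content_Block>
    <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
    <taxii_11:Content>
      <stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" version="1.1.1">
        <stix:Indicators>
          <stix:Indicator id="example:indicator-1"/>
          <stix:Indicator id="example:indicator-2"/>
        </stix:Indicators>
        <stix:TTPs><stix:TTP id="example:ttp-1"/></stix:TTPs>
      </stix:STIX_Package>
    </taxii_11:Content>
  </taxii_11:Content_Block>
  <taxii_11:Content_Block>
    <taxii_11:Content_Binding binding_id="urn:example:unknown-format"/>
    <taxii_11:Content>opaque</taxii_11:Content>
  </taxii_11:Content_Block>
</taxii_11:Poll_Response>"""

def inventory(poll_response: bytes):
    """Return ({article term: element count}, number of skipped blocks)."""
    # Feeds are untrusted: STIX/TAXII need no DTD, so refuse one (coarse guard).
    if b"<!DOCTYPE" in poll_response or b"<!ENTITY" in poll_response:
        raise ValueError("DTD or entity declaration in feed content")
    counts, skipped = {}, 0
    for block in ET.fromstring(poll_response).iter(TAXII + "Content_Block"):
        binding = block.find(TAXII + "Content_Binding")
        bid = binding.get("binding_id", "") if binding is not None else ""
        package = block.find(f"{TAXII}Content/{STIX}STIX_Package")
        if package is None or not bid.startswith("urn:stix.mitre.org:xml:"):
            skipped += 1  # unknown binding or no package: never guess
            continue
        for container in package:
            term = CONTAINERS.get(container.tag.replace(STIX, "", 1))
            if term:
                counts[term] = counts.get(term, 0) + len(container)
    return counts, skipped
```

<p>Blocks with an unrecognized content binding are counted and skipped rather than parsed, which keeps a mislabeled payload out of the STIX handling path.</p>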
Joe Franscella is the former Vice President of Corporate Communications at Anomali.
