![](\"https:\/\/varutra-1a3b6.kxcdn.com\/wp-content\/uploads\/2021\/12\/Blogs-Banner-Q4-21-1-1024x535.png\" "\\"Security")
<\/p>\n<\/p>\n
Security Threat Intelligence Standards (STIX and TAXII) make day-to-day SOC<\/a> operations go uninterrupted with a shared strategy that provides a collaborative response to cybersecurity threats.<\/p>\n MITRE is one such organization that collaborates with industry and government institutions to develop a common approach towards cybersecurity by providing registries of baseline security data, establishing standardized languages for accurately communicating cybersecurity information, and defining proper utilization. One of MITRE’s first efforts to label security vulnerability was the\u00a0Common Vulnerabilities and Exposures (CVE\u00ae)<\/a>. It is the standard for naming vulnerabilities that allows security devices, programs, and entities to be linked. CVE compatibility has been reached in over 100 products and services from over 75 vendors.<\/p>\n As we speak, MITRE is currently working on two new projects for exchanging cyber threat information: the\u00a0Trusted Automated eXchange of Indicator Information (TAXIITM) and the Structured Threat Information eXpression (STIXTM)<\/a>, that are being funded by the United States Department of Homeland Security.<\/p>\n <\/p>\n TAXII is a chain of protocols that are used for safe and secure sharing of cyber-threat data for real-time observation, protection, and reducing cyber-attacks. While, STIX is a standard format for cyber-threat data, including cyber observables, indicators of compromise, incidents, and TTP (techniques, tactics, and procedures). In the areas of vulnerability management, software testing, application compliance, asset management, enterprise reporting, ransomware protection, configuration management, incident management, remediation, and threat knowledge sharing, TAXII and STIX together help communities in sharing the coordinated threat intelligence<\/a> and facilitate collective defense.<\/p>\n <\/p>\n MITRE and the OASIS Cyber Threat Intelligence (CTI) Technical Committee developed Structured Threat Information Expression (STIXTM), an international standard language and serialization format that has been adopted by many bits of intelligence exchange groups and organizations for exchanging cyber threat intelligence (CTI) in an order to describe the threat.<\/p>\n STIX 2.1 standard introduces STIX Domain Objects (SDO), which is an object-based method for organizing threat information that makes it easy to use the details required to make network security assessments. These objects are described as STIX Relationship Objects (SROs), which show how they relate to other objects, giving a clear picture of the danger. There are currently 18 STIX objects available to identify threat data, which can be grouped or linked to each other to indicate certain types of relationships to aid in the classification of threats.<\/p>\n Two STIX Relationship Objects (SROs) are described in STIX 2:<\/p>\n <\/p>\n The Trusted Automated Sharing of Intelligence Information (TAXIITM<\/sup>)is a framework that provides detailed information on how data regarding cyber-threat can be shared using HTTPS via message and service exchange. It was designed to provide extensive support to STIX content.<\/p>\n The three principal models for TAXII include:<\/p>\n Figure 1 Peer-to-peer \u2013 multiple groups share information<\/p>\n Peer to Peer is a sharing method in which two or more organizations communicate and exchange information directly. It can be ad hoc, where information is provided on an as-needed basis without prior coordination.<\/p>\n <\/p>\n Figure 2 Hib and Spoke \u2013 one source as primary repository while others facilitate information exchange<\/p>\n Hub and Spoke is a sharing strategy in which one organization serves as the primary repository for information, or hub, while other organizations, or spokes, facilitate information exchange. The Hub can be used to create and\/or consume information by the Spokes.<\/p>\n <\/p>\n Figure 3 Source\/subscriber \u2013 one single source of information<\/p>\n A source\/subscriber model can be described as one organization that serves as a single source of information and distributes it to subscribers.<\/p>\n <\/p>\n To support the listed\u00a0sharing models, TAXII defines two primary services:<\/p>\n The Channel keywords are reserved in the TAXII 2.1 specification, but its resources are not defined will be defined in a later version of TAXII. Collections and Channels can be set up in a variety of ways and maybe grouped to meet the needs of a specific trust group.<\/p>\n For example, one or more API Roots may be supported by a TAXII server instance. API Roots are considered to be a logical category of TAXII Channels and Collections. It can be considered as instances of the TAXII API which can be accessed at various URLs, with each API Root serving as the \u201croot\u201d URL for that particular instance of TAXII API..<\/p>\n The TAXII uses existing protocols but mostly, they are found within a network that is using DNS Service logs. It also uses HTTPS for all connectivity and HTTP for content negotiation and its authentication.<\/p>\n The sharing of CTI represented in STIX was originally developed for TAXII but the support for exchanging STIX 2.1 content is expected to implement in the coming future for TAXII. On the other hand, TAXII can be used to exchange data in other formats. It\u2019s notable to say that STIX and TAXII are separate standards with different architectures and serializations.<\/p>\n TAXII’s architecture concepts include minimizing the amount of organizational transition that is required for implementation, fast alignment with current sharing arrangements, and support for all commonly used threat sharing models, which also includes hub-and-spoke, peer-to-peer, and source-subscriber.<\/p>\n Figure 4: Primary Services<\/p>\n <\/p>\n STIX and TAXII are protocols that were created in an attempt to facilitate the detection and protection of cyber-attacks. They are machine-readable, therefore can be easily standardized, unlike prior ways of sharing. The \u201cwhat\u201d of threat intelligence is defined by STIX, while the \u201chow\u201d is defined by TAXII. It can be said that STIX\/TAXII helps strengthen the security measures:<\/p>\n <\/p>\n STIX\/TAXII is a transparent, community-driven initiative that offers free requirements to help in the automated expression of cyber threat information.<\/p>\n <\/p>\n Many use cases regarding cyber threat management are supported by the STIX\/TAXII. Various government bodies and the Information Sharing & Analysis Centres (ISACs) have adopted them. It ranges in focus from industry to geolocation.<\/p>\n <\/p>\n Organizations can push and pull information into categories. For example, if one industry has encountered a phishing attack, then they can share this information in the phishing category which comes in the Information Sharing and Analysis Centre (ISAC). This information can directly be utilized by other organizations to enhance their defence systems.<\/p>\n Figure 5: Use Case Scenario 1<\/p>\n <\/p>\n Organizations that have ties with TAXII clients, can pull and push data into the TAXII servers within their trusted sharing groups. Certain groups within these ISACs may have the access to private groups and can easily get more detailed information.<\/p>\n Figure 6: Use Case Scenario 2<\/p>\n <\/p>\n <\/p>\n Author,<\/p>\n Ram Mudigina<\/b><\/p>\n Associate Consultant<\/p>\n<\/div>\n SOCGTM Team,<\/p>\n Varutra Consulting Pvt. Ltd.<\/p>","protected":false},"excerpt":{"rendered":" Introduction: Security Threat Intelligence Standards (STIX and TAXII) make day-to-day SOC operations go uninterrupted with a shared strategy that provides a collaborative response to cybersecurity…<\/p>\n","protected":false},"author":4,"featured_media":18090,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"inline_featured_image":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[273,274,272],"tags":[577,576,572,407,574,573,575,399],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\tSecurity Threat <\/strong>Intelligence<\/strong> Standards:<\/strong><\/h3>\n
STIX<\/h4>\n
\n
\n
\n
\n
TAXII<\/strong><\/h4>\n
\n
![\"Peer-to-peer](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/12\/Peer-to-peer-\u2013-multiple-groups-share-information.png\")
<\/p>\nImage Source: <\/em>https:\/\/www.first.org\/resources\/papers\/munich2016\/wunder-stix-taxii-Overview.pdf<\/em><\/a><\/pre>\n
\n
![\"Hib](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/12\/Hib-and-Spoke-\u2013-one-source-as-primary-repository-while-others-facilitate-information-exchange.png\")
<\/p>\nImage Source: <\/em>https:\/\/www.first.org\/resources\/papers\/munich2016\/wunder-stix-taxii-Overview.pdf<\/em><\/a><\/pre>\n
\n
![\"Source](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/12\/Source-or-subscriber-\u2013-one-single-source-of-information.png\")
<\/p>\nImage Source:<\/em> https:\/\/www.first.org\/resources\/papers\/munich2016\/wunder-stix-taxii-Overview.pdf<\/em><\/a><\/pre>\n
\n
![\"Primary](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/12\/Primary-Services.png\")
<\/p>\nImage Source: https:\/\/www.anomali.com\/resources\/what-are-stix-taxii<\/a><\/pre>\n
Importance of Security Threat Intelligence Standards \u2013 STIX and TAXII<\/strong>:<\/strong><\/h3>\n
\n
Use Cases of Security Threat Intelligence Standards \u2013 STIX and TAXII<\/strong><\/h3>\n
Sharing categorized information<\/strong><\/h3>\n
![\"Use](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/12\/Use-Case-Scenario-1.png\")
<\/p>\nImage Source:\u00a0 https:\/\/www.anomali.com\/resources\/what-are-stix-taxii<\/a><\/pre>\n
Sharing with Groups<\/strong><\/h3>\n
![\"Use](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/12\/Use-Case-Scenario-2.png\")
<\/p>\nImage Source: https:\/\/www.anomali.com\/resources\/what-are-stix-taxi<\/a><\/pre>\n
References:<\/h3>\n
\n
\n