STIX (Structured Threat Information eXpression) is a language standardized by OASIS to describe threats in the cyber environment. STIX can be read by humans directly or via tools and can be processed automatically by machines.
What is STIX (Structured Threat Information eXpression)?
The abbreviation STIX stands for Structured Threat Information eXpression. It is a standardized language for describing cyber threats. The information can be easily shared, stored, analyzed, or processed automatically. Threat descriptions written in STIX are both human-readable and machine-processable.
OASIS (Organization for the Advancement of Structured Information Standards) standardizes and maintains the language. This non-profit organization promotes the development, dissemination, and use of open standards on the Internet.
A common application of Structured Threat Information eXpression is threat intelligence services. The distribution mechanism for the information is provided by TAXII (Trusted Automated eXchange of Indicator Information). The current version 2.0 can be found on the STIX-2.0 website. Tools and further bindings around the language are available on GitHub.
The nine elements described by Structured Threat Information eXpression
Nine elements form the core of the language; STIX describes both the elements themselves and the relationships between them. The nine elements are:
- Observations in the cyber environment
- Indicators with patterns
- Incidents
- Attack techniques and procedures
- Exploit targets
- Countermeasures for attacks
- Campaigns consisting of multiple events or incidents with common intent
- Identifiers and characteristics of attack adversaries
- Reports with relevant content
Differentiation between STIX and TAXII
STIX and TAXII are often referred to in the same context but can be clearly distinguished from each other in terms of function and operation. Both standards were developed to inform about and mitigate cyber threats. While STIX is the threat description language, TAXII provides the information distribution mechanisms.
TAXII provides functions such as automated, secured distribution and subscription to data feeds. TAXII works independently of the language and can in principle be used with other formats. TAXII supports the hub-and-spoke, peer-to-peer, and source/subscriber communication models.
Differences between STIX 1.x and STIX 2.0
The current version is STIX 2.0, which has some differences compared to the previous 1.x versions. While versions 1.x used XML as the serialization language, version 2.0 uses JSON. Another difference is that the current version has top-level relationship objects. The 1.x versions had no such object: a relationship between two objects had to be embedded in one of the objects themselves. In the 1.x versions, indicator patterns were expressed in XML syntax. Version 2.0 has its own pattern description language, which is independent of the serialization language.
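The following is an added example, not code from the original article or from the OASIS project, showing the three STIX 2.0 points above in working code using only the Python standard library: JSON serialization, a separate top-level relationship object linking an indicator to a malware object, and a pattern written in the STIX patterning language. The `ExampleRAT` name, the all-`a` hash and the helper function names are constructed for the example; `check_bundle` is a small consumer-side sanity check (id format, id prefix matching the object type, relationship references resolving inside the bundle) and is not part of the standard.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# STIX 2.0 identifiers have the form "<type>--<UUIDv4>".
ID_RE = re.compile(
    r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
)


def stix_id(object_type):
    return f"{object_type}--{uuid.uuid4()}"


def stix_timestamp(dt=None):
    # RFC 3339 in UTC with millisecond precision and a 'Z' suffix, as STIX 2.0 requires.
    dt = dt or datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_sdo(object_type, **props):
    """Create a STIX Domain Object carrying the common required properties."""
    ts = stix_timestamp()
    obj = {"type": object_type, "id": stix_id(object_type), "created": ts, "modified": ts}
    obj.update(props)
    return obj


def make_relationship(source, target, relationship_type):
    """STIX 2.0 expresses a relationship as its own top-level object (SRO)
    instead of embedding it in one of the related objects as 1.x did."""
    return make_sdo("relationship", relationship_type=relationship_type,
                    source_ref=source["id"], target_ref=target["id"])


def make_bundle(*objects):
    return {"type": "bundle", "id": stix_id("bundle"), "spec_version": "2.0",
            "objects": list(objects)}


def check_bundle(bundle):
    """Return a list of problems: malformed ids, id prefix not matching the object
    type, and relationship references to objects that are not in the bundle."""
    problems = []
    ids = set()
    for obj in bundle.get("objects", []):
        oid = obj.get("id", "")
        if not ID_RE.match(oid):
            problems.append(f"malformed id: {oid!r}")
        elif oid.split("--", 1)[0] != obj.get("type"):
            problems.append(f"id prefix does not match type: {oid}")
        ids.add(oid)
    for obj in bundle.get("objects", []):
        if obj.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in ids:
                    problems.append(f"{obj['id']}: {ref} -> unknown object {obj.get(ref)}")
    return problems


def build_example_bundle():
    # Constructed sample: a SHA-256 indicator that "indicates" a malware family.
    # The hash is a placeholder, not a real sample.
    malware = make_sdo("malware", name="ExampleRAT (constructed)",
                       labels=["remote-access-trojan"])
    indicator = make_sdo(
        "indicator",
        labels=["malicious-activity"],
        # STIX 2.0 patterning language: independent of the JSON serialization.
        pattern="[file:hashes.'SHA-256' = '" + "a" * 64 + "']",
        valid_from=stix_timestamp(),
    )
    link = make_relationship(indicator, malware, "indicates")
    return make_bundle(indicator, malware, link)


if __name__ == "__main__":
    bundle = build_example_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", check_bundle(bundle))
```

Running the script prints the bundle as JSON; the `relationship` object appears beside the `indicator` and `malware` objects rather than inside either of them, which is exactly what 1.x could not express. `check_bundle` reports a dangling `target_ref` if the malware object is removed from the bundle, a check worth running on any feed before its relationships are loaded into a graph.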
Application areas of STIX in the field of threat intelligence
Structured Threat Information eXpression can be used to protect systems or networks from cyber threats. The language is used by, among others:
- Security professionals
- Security analysts
- Malware analysts
- Security software and hardware vendors
- Companies
The information provided can be used for the prevention, defense, and detection of threats. Many security products have corresponding STIX and TAXII interfaces and are able to process the information automatically. This enables an immediate response to threats and the exchange of information across vendor boundaries. For example, malware indicators can be passed to a firewall, which then stops the malware from spreading further.
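The consumer side of that last sentence, as an added example that is not part of the original article and not the code of any particular product: a STIX 2.0 bundle is parsed, the patterns of live (non-revoked) `indicator` objects are turned into a per-category blocklist that a firewall or proxy could load, and every indicator whose pattern cannot be reduced to exact values is reported for analyst review instead of being silently approximated. The bundle, its ids, addresses and hashes are constructed sample data; the `BLOCKLIST_FIELDS` mapping and the deliberately small pattern parser are assumptions of this example, not a complete implementation of the STIX patterning language.

```python
import json
import re


def make_indicator(stix_id, pattern, revoked=False):
    # Constructed sample indicator with the STIX 2.0 required properties.
    obj = {
        "type": "indicator", "id": stix_id,
        "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
        "labels": ["malicious-activity"], "valid_from": "2024-01-01T00:00:00.000Z",
        "pattern": pattern,
    }
    if revoked:
        obj["revoked"] = True
    return obj


# Constructed sample bundle (not real threat data); ids are fixed placeholders in
# STIX 2.0 format, addresses are from documentation ranges, hashes are dummies.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--0f0e0d0c-0b0a-4908-8706-050403020100",
    "spec_version": "2.0",
    "objects": [
        make_indicator("indicator--11111111-1111-4111-8111-111111111111",
                       "[ipv4-addr:value = '198.51.100.7']"),
        make_indicator("indicator--22222222-2222-4222-8222-222222222222",
                       "[domain-name:value = 'c2.example.net' OR domain-name:value = 'update.example.org']"),
        make_indicator("indicator--33333333-3333-4333-8333-333333333333",
                       "[file:hashes.'SHA-256' = '" + "a" * 64 + "']"),
        # Revoked indicator: must not end up in the blocklist.
        make_indicator("indicator--44444444-4444-4444-8444-444444444444",
                       "[ipv4-addr:value = '203.0.113.9']", revoked=True),
        # AND with a property the firewall cannot enforce: dropping the name condition
        # would widen the match, so the whole indicator is reported as unsupported.
        make_indicator("indicator--55555555-5555-4555-8555-555555555555",
                       "[file:hashes.MD5 = '" + "b" * 32 + "' AND file:name = 'dropper.exe']"),
        # Regular-expression comparison: not an exact value, so unsupported.
        make_indicator("indicator--66666666-6666-4666-8666-666666666666",
                       "[url:value MATCHES '.*\\.example\\.net/']"),
        {"type": "malware", "id": "malware--77777777-7777-4777-8777-777777777777",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
         "name": "ExampleRAT (constructed)", "labels": ["trojan"]},
    ],
})

# Only exact-match comparisons on these (observable type, property path) pairs become
# blocklist entries; the mapped value is the blocklist category.
BLOCKLIST_FIELDS = {
    ("ipv4-addr", "value"): "ipv4",
    ("ipv6-addr", "value"): "ipv6",
    ("domain-name", "value"): "domain",
    ("url", "value"): "url",
    ("file", "hashes.MD5"): "md5",
    ("file", "hashes.SHA-256"): "sha256",
}

SINGLE_OBSERVATION_RE = re.compile(r"^\[([^\[\]]*)\]$")
EQUALITY_RE = re.compile(r"^([a-z0-9-]+):(\S+?)\s*=\s*'([^']*)'$")


def parse_simple_pattern(pattern):
    """Return [(type, path, value), ...] for patterns of the form
    [a:b = 'x' AND/OR c:d = 'y' ...]; None for anything richer (several
    observation expressions, FOLLOWEDBY, MATCHES, LIKE, !=, ranges, ...)."""
    m = SINGLE_OBSERVATION_RE.match(pattern.strip())
    if not m:
        return None
    comparisons = []
    # Naive split: assumes literal values never contain ' AND ' or ' OR '.
    for part in re.split(r"\s+(?:AND|OR)\s+", m.group(1)):
        cm = EQUALITY_RE.match(part.strip())
        if not cm:
            return None
        obj_type, path, value = cm.groups()
        comparisons.append((obj_type, path.replace("'", ""), value))
    return comparisons


def extract_blocklist(bundle_json):
    """Parse a STIX 2.0 bundle; return ({category: sorted values}, [unsupported ids])."""
    bundle = json.loads(bundle_json)
    blocklist, unsupported = {}, []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue  # only live indicators carry patterns worth enforcing
        comparisons = parse_simple_pattern(obj.get("pattern", ""))
        entries = [] if comparisons is None else [
            (BLOCKLIST_FIELDS.get((t, p)), v) for t, p, v in comparisons]
        if comparisons is None or any(cat is None for cat, _ in entries):
            unsupported.append(obj["id"])
            continue
        for cat, value in entries:
            blocklist.setdefault(cat, set()).add(value)
    return {cat: sorted(vals) for cat, vals in blocklist.items()}, unsupported


if __name__ == "__main__":
    rules, skipped = extract_blocklist(SAMPLE_BUNDLE)
    print(json.dumps(rules, indent=2))
    print("needs analyst review:", skipped)
```

The design choice worth copying is the failure mode: an indicator whose pattern the enforcement point cannot represent exactly is reported, not partially applied. Enforcing only the hash half of a `hash AND name` pattern would be harmless, but enforcing only the name half would block every file called `dropper.exe`, and a generic consumer cannot tell which half it kept. A second check a production consumer adds is the `valid_until` timestamp, so that expired indicators age out of the blocklist.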