TAXII (Trusted Automated eXchange of Indicator Information) provides standardized mechanisms and communication models for distributing and exchanging cyber threat information. It is designed to work with the STIX cyber threat description language, but also works with other formats.
What is TAXII (Trusted Automated eXchange of Indicator Information)?
The acronym TAXII stands for Trusted Automated eXchange of Indicator Information. TAXII provides standardized distribution mechanisms to transport, exchange and distribute cyber threat information. The standard is compatible with STIX (Structured Threat Information eXpression), the language used to describe cyber threats, but also works with other description formats.
By using TAXII services together with STIX, organizations can share cyber threat information in an automated, secure, and efficient manner. Transport takes place over encrypted HTTPS (Hypertext Transfer Protocol Secure). The STIX and TAXII communities and standards organizations collaborate closely. Both standards are maintained and further developed by the non-profit organization OASIS (Organization for the Advancement of Structured Information Standards). The current version is TAXII 2.0.
Operating principle and communication models
Trusted Automated eXchange of Indicator Information defines a RESTful API and various requirements for TAXII servers and clients. Different communication models can be implemented to distribute the information. These models are:
- Hub-and-Spoke
- Source and subscriber
- Peer-to-peer
In hub-and-spoke, the hub acts as the central collection point. Spokes can deliver information to the hub or obtain information from it. In the source-and-subscriber model, a single organization acts as the information source and sends the information to its subscribers. The peer-to-peer model allows information to be shared directly between any two organizations; no central authority organizes the exchange.
To support these communication models, Trusted Automated eXchange of Indicator Information defines two basic services, Collection and Channel. Collections enable the exchange of information between client and server on a request-response basis: the client asks, the server answers. Channels work on a push basis. Underneath, Trusted Automated eXchange of Indicator Information relies on existing protocols such as DNS or HTTPS for communication.
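As an added illustration of the request-response Collection service over TAXII 2.0's RESTful API (example code written for this page, not code from the article or from any TAXII project), the following Python walks the discovery, API root, collection and objects resources. The server name, collection ids and STIX objects are constructed placeholders, and fetch() is a stand-in for an authenticated HTTPS GET, so it runs offline.

```python
"""Minimal TAXII 2.0 Collection walk (discovery -> API root -> collections ->
objects, request-response). Added example, not from the article: fetch() stands
in for an authenticated HTTPS GET and every response below is constructed data."""
from typing import Callable, Dict, List, Tuple
TAXII_MT = "application/vnd.oasis.taxii+json; version=2.0"
STIX_MT = "application/vnd.oasis.stix+json; version=2.0"
BASE = "https://taxii.example.test/"               # hypothetical server
COL_RO = "91a7b528-80eb-42ed-a74d-c6fbd5a26116"   # constructed collection id
# Constructed JSON responses keyed by URL, shaped like the TAXII 2.0 resources.
FAKE_SERVER: Dict[str, dict] = {
    BASE + "taxii/": {"title": "Example hub", "api_roots": [BASE + "api1/"]},
    BASE + "api1/": {"title": "Root 1", "versions": ["taxii-2.0"]},
    BASE + "api1/collections/": {"collections": [
        {"id": COL_RO, "title": "Indicators", "can_read": True, "can_write": False,
         "media_types": [STIX_MT]},
        {"id": "52892447-4d7e-4f70-b94d-d7f22742ff63", "title": "Sightings inbox",
         "can_read": False, "can_write": True, "media_types": [STIX_MT]}]},
    BASE + f"api1/collections/{COL_RO}/objects/": {
        "type": "bundle", "id": "bundle--0b0d4d21-5e3d-4c47-9f70-1f7e1b0c9a10",
        "spec_version": "2.0", "objects": [
            {"type": "indicator", "id": "indicator--3f1d8c2a-6b1e-4d2f-8f4a-2c9e7d5b1a30",
             "labels": ["malicious-activity"], "pattern": "[domain-name:value = 'c2.example.invalid']"},
            {"type": "malware", "id": "malware--7a2c4e6f-1b3d-4e5f-9a8b-0c1d2e3f4a50", "labels": ["trojan"]}]},
}

def fake_fetch(url: str, accept: str) -> dict:
    """Stand-in transport: a real client sends Accept: <accept> over HTTPS with auth."""
    if url not in FAKE_SERVER:
        raise LookupError(f"HTTP 404 for {url}")
    return FAKE_SERVER[url]

def readable_collections(fetch: Callable[[str, str], dict],
                         discovery_url: str) -> List[Tuple[str, dict]]:
    """Discovery -> API roots that speak taxii-2.0 -> collections with can_read."""
    found = []
    for root in fetch(discovery_url, TAXII_MT)["api_roots"]:
        if "taxii-2.0" not in fetch(root, TAXII_MT).get("versions", []):
            continue                                # root only speaks another version
        cols = fetch(root + "collections/", TAXII_MT)["collections"]
        found += [(root, c) for c in cols if c.get("can_read")]  # skip write-only inboxes
    return found

def pull_indicator_patterns(fetch: Callable[[str, str], dict], discovery_url: str) -> List[str]:
    """Request each readable collection's STIX bundle and keep indicator patterns."""
    patterns = []
    for root, col in readable_collections(fetch, discovery_url):
        bundle = fetch(f"{root}collections/{col['id']}/objects/", STIX_MT)
        patterns += [o["pattern"] for o in bundle.get("objects", []) if o.get("type") == "indicator"]
    return patterns
```

Swapping fake_fetch for a real HTTPS client with the server's required authentication turns this into a working pull against a TAXII 2.0 collection.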
Differentiation between TAXII and STIX
The terms TAXII and STIX are often used together. However, they are independent standards with different tasks and functions. While STIX defines the language for describing cyber threats, Trusted Automated eXchange of Indicator Information provides the mechanisms and functions for distributing that information. TAXII works in principle with other formats but is optimized for the STIX language.
The main differences between TAXII 1 and TAXII 2
The current version of Trusted Automated eXchange of Indicator Information is 2.0, which differs from version 1 in two major ways. While version 1 can in principle use different transport protocols, version 2.0 is specifically designed to use HTTPS. In addition, version 2.0 provides a RESTful interface for data and services based on HTTPS.
Application Areas
Together with STIX, TAXII supports numerous applications in cyber threat defense. Organizations can share information about current threat situations and strengthen their cyber defenses. Some IT security products, such as logging systems or firewalls, have interfaces to TAXII and STIX. They can use these to ingest threat information and take automated action.