Knowing is Half the Battle: Leaner, cleaner, more accessible intelligence through TAXII and STIX

In the world of cybercrime, like in the physical world, the thief is often caught only after he makes off with the loot. With the advent of massive malware networks and ransomware groups, both internal teams and security providers often find themselves overwhelmed by the number and diversity of attacks. No single unit can detect all relevant threats and stop them before they damage valuable data or infrastructure.

Improving security by sharing threat intelligence is hardly a new concept. However, this sharing process has historically taken a lot of time and resources, even when just sharing intelligence within your own network.

To get the most out of a collaborative effort, you have to know what you want to share and how, and what information you’d like in return. And the process must be fast and convenient. In other words, you need a standard!

STIX, or Structured Threat Information eXpression™, and TAXII, or Trusted Automated eXchange of Indicator Information™, are two open, community-driven standards that allow the automated sharing of cybersecurity information. They help make information consumable and shareable in a standardized and open format, improving real-time prevention and raising threat awareness.

In the simplest terms, STIX defines what threat intelligence information should look like, while TAXII tells your network how it should be transmitted. Both standards are easy to read and automate.

STIX is a standard that aims to define the parameters of threat intelligence. While not a piece of software in itself, it can be integrated into security software. The STIX language often defines variables such as Exploit, Incident, Indicator or Threat Actor so everyone using the network knows exactly what that piece of threat intelligence describes.

For example, if your network identifies a complex phishing attempt, it can easily describe it in a way so that any other actor in the network (an MSSP for example) can immediately use the same indicators to prevent it.

As a constantly evolving standard, STIX has incorporated improvements that make the current version, STIX 2.0, more flexible and easier to implement. STIX 2.0 uses JSON, rather than XML, speeding the standard’s adoption, while also using a graph-based model, which allows analysts to see connections between data more clearly. The CybOX language has also been merged with the standard, allowing security actors to better identify threat events.  

TAXII is a standard that relies on a series of protocols that enable the sharing of standardized cyber threat information across multiple networks and platforms. TAXII is not a piece of software either, nor can it be used as an agreement between two parts – its role is to give users (individuals or organizations) the ability to share and receive the data they choose. TAXII is the main vehicle through which STIX is shared and an integral part of the TI process.

TAXII defines several sharing models such as Source/Subscriber (where there is a single publisher of information), Peer-to-Peer (multiple publishers) or Hub and Spoke (where there are several central locations). It also defines terms such as Inbox, Poll, Collection Management or Discovery so users know what exactly they can do within the same shared network.

These two standards can be an invaluable aid in the fight against cyber threats. They can greatly increase the capabilities of a threat intelligence network, anticipate attacks, and counter the growth of cybercrime.

Our Advanced Threat Intelligence solution now includes both the STIX 2.0 and TAXII protocols, as part of our Global Protective Network (GPN), delivering on our commitment to providing real-time insights into the cyber-threat landscape.

Our network of more than 500 million machines performs 7 billion queries per day, neutralizing even the most recent threats in as little as 3 seconds. By integrating STIX 2.0 and TAXII we can increase our capacity to deliver this best-in-class know-how to our clients and partners.

Our platform-agnostic approach allows Managed Security Service Providers, Managed Detection & Response companies, security consulting firms, and enterprises with SOC centers to access accurate and constantly updated data.

Powered by the latest technology and hundreds of millions of sensors, Bitdefender’s new Advanced Threat Intelligence eliminates long-standing blind spots for security analysts and enables their companies to thrive in an ever-changing security landscape.