In terms of collaboration, Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) represent a revolution in the security industry. These protocols transformed the field of threat intelligence from a fragmented collection of information to a unified standard for information sharing. In this blog, I will examine this transition and how it came about.
Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” In short, threat intelligence combines all known information about previously encountered threats to aid organizations in identifying and responding to similar threats in the future.
The old days of threat intelligence
Like any game of cat and mouse, the security industry has been chasing after cyber threats for as long as many IT professionals can remember. The more sophisticated and organized cyber attacks became, the harder security vendors worked to create comprehensive solutions. These security solutions eventually met all areas of attack detection and mitigation, and could produce every component of threat intelligence. Unfortunately, these components were highly disjointed due to multiple formats and sharing protocols.
Think about this in terms of a ransomware attack. Organizations rarely use just one security solution to deal with ransomware. Many need separate tools to identify ransomware activity in the first place, record information about malicious files, and actually respond to the threat. Now, imagine if all these tools couldn’t share threat information with each other.
Well, that was a big problem in the past; each tool used its own formats, and admins needed custom communication protocols to share information between security solutions. As you can imagine, consolidating threat information from all these sources took a lot of time. And with modern cyber attacks demanding immediate attention, less than real-time threat intelligence just wasn’t going to cut it anymore.
The STIX and TAXII revolution
In response to these problems, MITRE Corporation and the Department of Homeland Security together developed STIX and TAXII, community-driven protocols for information sharing that include details on what’s going on in the cybersecurity landscape, and how organizations can protect their network and analyze threats. Developing a common language across product and organizational boundaries opened the door for multiple sources to collaboratively update information about a single threat, giving organizations more complete threat intelligence. Together, STIX and TAXII have made sharing threat data more convenient and instantaneous, ensuring enterprises can quickly and effectively detect and respond to incidents.
Threat feeds based on STIX and TAXII provide up-to-date, reliable threat information, which is why many vendors have incorporated these protocols into their security solutions. In fact, our own log management solution, EventLog Analyzer, comes with a built-in STIX/TAXII threat feed processor, using the latest threat intelligence to monitor network logs for threats. You can learn more about it with this free solution brief.