The Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX enables organizations to share CTI with one another in a consistent and machine-readable manner, allowing security communities to better understand what computer-based attacks they are most likely to see and to anticipate and/or respond to those attacks faster and more effectively. STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more.

STIX has been developed by the members of the Organization for the Advancement of Structured Information Systems (OASIS) Cyber Threat Intelligence Technical Committee (CTI TC).  It is a TC with almost 300 members from major government agencies, private companies, and owners of critical infrastructure and key resource entities from around the world.  The public web page can be accessed here.

In response to lessons learned in implementing previous versions (i.e. XML-based STIX 1 and subsequent minor revisions), STIX has been significantly redesigned and, as a result, omits some of the objects and properties defined in STIX 1.2.1. The objects chosen for inclusion in STIX 2.0 represent a minimally viable product (MVP) that fulfills basic consumer and producer requirements for CTI sharing. Objects and properties not included in STIX 2.0, but deemed necessary by the community, are currently being developed as STIX 2.1. Several of the data objects to be included in STIX 2.1 (e.g., Opinion & Note) will make the language even more usable by human analysts seeking to glean insights from machine-readable threat intelligence (MRTI) resources. This will be covered in a separate post.

What is STIX 2?

STIX 2.0 is a connected graph of nodes and edges. STIX Domain Objects define the graph nodes and STIX relationships (including STIX Relationship Objects and embedded relationships) define the edges.  The full set of STIX Domain Objects and STIX Relationship Objects are known as STIX Objects. This graph-based language conforms to common analysis approaches and allows for flexible, modular, structured, and consistent representations of CTI.

STIX 2.0 defines a set of STIX Domain Objects (SDOs):

  • Attack Pattern,
  • Campaign,
  • Course of Action,
  • Identity,
  • Indicator,
  • Intrusion Set,
  • Malware,
  • Observed Data,
  • Report,
  • Threat Actor,
  • Tool, and
  • Vulnerability.


Each of these objects corresponds to a concept commonly used in CTI. Using the building blocks of SDOs alongside STIX relationships, entities can create and share broad and comprehensive CTI.

SDOs all share a common set of properties. These common properties provide standard capabilities such as versioning, data marking (representing how data can be shared and used), and extensibility. Each SDO also has a set of specific properties that are unique to that Object.  The specification provides guidance on which of these properties are optional and which are required to be compliant with the standard.

A relationship is a link between two SDOs that describes the way in which the objects are related. Most relationships are represented using STIX Relationship Objects (SROs), while other special embedded relationships are represented as ID references. This conforms to common practice in graph data modelling.

Some parts of the STIX language require describing structured representations of observed objects and their properties in the cyber domain. These capabilities differ in many ways from the parts of STIX used to describe higher-level concepts and are therefore characterized differently. They are known as Cyber Observables. These data objects describe one or more observed data points, for example, information about a file that existed, a process that was observed running, or network traffic that occurred between two IP addresses. They describe the facts concerning what happened, but not necessarily the who or when, and never the why.

In order to enhance detection of possibly malicious activity on networks and endpoints, a standard language is needed to describe what to look for in a cyber environment. The STIX Patterning language allows matching against timestamped Cyber Observable data (such as STIX Observed Data Objects) collected by a threat intelligence platform or other similar system so that other analytical tools and systems can be configured to react and handle incidents that might arise. STIX Patterning is a general concept that can be used anywhere, but in STIX it is currently used by the Indicator object.
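To make the matching step concrete, here is an added example (not code from the STIX specification or any OASIS project) that evaluates a small subset of STIX Patterning against the "objects" map of Observed Data. It handles one bracketed observation expression with comparisons joined by AND/OR and the = and != operators, including paths that cross an embedded reference such as dst_ref.value; the sample observations are constructed.

```python
import re

# Constructed sample Observed Data "objects" maps (not real data).
OBSERVATIONS = [
    {"0": {"type": "file", "name": "invoice.exe",
           "hashes": {"SHA-256": "e3b0c442" * 8}}},
    {"0": {"type": "ipv4-addr", "value": "198.51.100.7"},
     "1": {"type": "network-traffic", "dst_ref": "0", "dst_port": 443}},
]

# Subset of STIX Patterning handled: a single bracketed observation expression,
# comparisons joined by AND / OR, operators = and != only.
COMPARISON = re.compile(r"^([\w-]+):([^\s=!]+)\s*(=|!=)\s*('[^']*'|\S+)$")

def resolve(obj, path, objects):
    """Follow an object path such as hashes.'SHA-256' or dst_ref.value; *_ref
    keys are embedded references to sibling objects in the same observation."""
    value = obj
    for key in path.split("."):
        key = key.strip("'")
        if not isinstance(value, dict) or key not in value:
            return None
        value = objects.get(value[key]) if key.endswith("_ref") else value[key]
    return None if isinstance(value, (dict, list)) else str(value)

def comparison_matches(comp, objects):
    """True if some object of the named type in this observation satisfies it."""
    m = COMPARISON.match(comp.strip())
    if not m:
        raise ValueError("unsupported comparison: " + comp)
    obj_type, path, op, literal = m.groups()
    literal = literal.strip("'")
    for obj in objects.values():
        actual = resolve(obj, path, objects) if obj.get("type") == obj_type else None
        if actual is not None and (actual == literal) == (op == "="):
            return True
    return False

def pattern_matches(pattern, objects):
    """Evaluate one observation expression: OR binds loosest, AND tightest."""
    inner = pattern.strip()
    if not (inner.startswith("[") and inner.endswith("]")):
        raise ValueError("expected a bracketed observation expression")
    return any(all(comparison_matches(c, objects) for c in conj.split(" AND "))
               for conj in inner[1:-1].split(" OR "))

def matching_observations(pattern, observations=OBSERVATIONS):
    """Indexes of the observations on which the indicator pattern fires."""
    return [i for i, o in enumerate(observations) if pattern_matches(pattern, o)]
```

A real consumer would also honour the Indicator's valid_from/valid_until window and the temporal operators (FOLLOWEDBY, WITHIN) that this subset leaves out.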

Many SDOs contain properties whose values can be selected from a defined set of values. These sets of values are called vocabularies and are defined in STIX in order to enhance interoperability by increasing the likelihood that different entities use the same exact string to represent the same concept. While using predefined values from STIX vocabularies is encouraged, in some cases this is not possible or desirable. STIX supports this by defining vocabularies as “open”, where entities are permitted to use values outside of the suggested vocabulary.

STIX is defined independent of any specific storage or serialization. However, the mandatory-to-implement (MTI) serialization for STIX 2.0 is JSON [RFC7159]. In other words, all STIX-conformant tools have to implement support for JSON and can implement support for other serializations.

JSON schemas have been developed by members of the Cyber Threat Intelligence Technical Committee and are available in the cti-stix2-json-schemas OASIS Open Repository [JSON Schema]. The JSON schemas are informative and serve as a best effort attempt to validate that STIX 2.0 content meets the structural requirements identified in this specification. This specification is the normative description of STIX 2.0.

STIX 2.0 is transport-agnostic, i.e., the structures and serializations do not rely on any specific transport mechanism. A companion CTI specification, the Trusted Automated Exchange for Indicator Information (TAXII), is designed specifically to transport STIX Objects. STIX provides a Bundle as a container for STIX Objects to allow for transportation of bulk STIX data, especially over non-TAXII communication mechanisms.

Data markings represent restrictions, permissions, and other guidance for how data can be used and shared. For example, data may be shared with the restriction that it must not be re-shared, or that it must be encrypted at rest. Within the STIX 2.x specification there are two types of data markings:  Object Markings and Granular Markings.  Object Markings apply data markings to an entire STIX Object or Marking Definition and all of its contents. Granular markings allow data markings to be applied to individual portions of STIX Objects and Marking Definitions.
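The following added example (not code from the specification or any OASIS project; the object ids and timestamp are constructed) builds the graph described above as a STIX 2.0 Bundle, an Indicator linked to a Malware object by an "indicates" SRO, with a statement marking applied both as an Object Marking and as a Granular Marking on one property, and then runs the structural checks a consumer should perform before ingesting such a bundle: well-formed, correctly typed ids, common properties present, and every edge or marking reference resolvable inside the bundle.

```python
import re, uuid

CREATED = "2017-07-14T10:00:00.000Z"  # constructed RFC 3339 UTC timestamp
ID_RE = re.compile(r"^([a-z][a-z0-9-]*)--[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def stix_object(obj_type, **props):
    """STIX 2.0 object carrying the common properties every SDO/SRO needs."""
    obj = {"type": obj_type, "id": f"{obj_type}--{uuid.uuid4()}",
           "created": CREATED, "modified": CREATED}
    return {**obj, **props}

def build_bundle():
    """Indicator --indicates--> Malware; one marking applied object-wide and granularly."""
    no_reshare = {"type": "marking-definition", "created": CREATED,
                  "id": f"marking-definition--{uuid.uuid4()}",
                  "definition_type": "statement",
                  "definition": {"statement": "Constructed: do not re-share"}}
    malware = stix_object("malware", name="Example Dropper", labels=["dropper"])
    indicator = stix_object(
        "indicator", labels=["malicious-activity"], valid_from=CREATED,
        pattern="[file:hashes.'SHA-256' = '" + "e3b0c442" * 8 + "']",
        description="Constructed sample; analyst notes go here",
        object_marking_refs=[no_reshare["id"]],
        granular_markings=[{"marking_ref": no_reshare["id"],
                            "selectors": ["description"]}])
    rel = stix_object("relationship", relationship_type="indicates",
                      source_ref=indicator["id"], target_ref=malware["id"])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "spec_version": "2.0", "objects": [no_reshare, malware, indicator, rel]}

def validate_bundle(bundle):
    """Consumer-side checks before ingest; returns a list of problem strings
    (an empty list means the bundle passed). Marking definitions are not versioned."""
    ids = {o.get("id") for o in bundle["objects"]}
    problems = []
    for obj in bundle["objects"]:
        oid, otype = obj.get("id", "<missing id>"), obj.get("type")
        if not (m := ID_RE.match(oid)) or m.group(1) != otype:
            problems.append(f"{oid}: id does not match type {otype!r}")
        required = ("created",) if otype == "marking-definition" else ("created", "modified")
        problems += [f"{oid}: missing {p}" for p in required if p not in obj]
        refs = [obj[k] for k in ("source_ref", "target_ref") if k in obj]
        refs += obj.get("object_marking_refs", [])
        for g in obj.get("granular_markings", []):
            refs.append(g["marking_ref"])
            problems += [f"{oid}: selector {s!r} matches no property"
                         for s in g["selectors"] if s.split(".")[0] not in obj]
        problems += [f"{oid}: dangling reference {r}" for r in refs if r not in ids]
    return problems
```

The returned bundle is a plain dict, so json.dumps() yields the JSON serialization that STIX 2.0 makes mandatory to implement.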

The Authoritative Versions of the five parts of the current STIX 2.0 specification can be found here:

STIX 2.0 Specification – WD03 – (CS)

  1. Part 1: STIX Core Concepts
  2. Part 2: STIX Objects
  3. Part 3: Cyber Observables Core Concepts
  4. Part 4: Cyber Observable Objects
  5. Part 5: STIX Patterning

The Authoritative Version of the current one-part TAXII 2.0 specification can be found here:

TAXII 2.0 Specification – WD02 – (CS)

  1. TAXII 2.0 Specification


How Do I Demonstrate That My Product Meets STIX 2 Standards?

Product vendors or members of the CTI ecosystem can demonstrate compliance with STIX 2 & TAXII 2 through the STIXPreferred Program. This is a self-certification program that participants can use to demonstrate to the market that their products are interoperable and meet the minimum requirements of the standard. Test documents provide the details on the types of personas (e.g., data feed provider, threat intelligence platform, etc.) that can be tested and certified as either a Producer of SDOs or a consumer of SDOs. We have chosen to use the word ‘Respondent’ for consumers of SDOs as it is more comprehensive, given the wide range of personas using CTI.

The Authoritative Versions of the current test documents and the Operating Procedures for confirming compliance can be found here:

Interoperability

  1. STIX 2.0 Interoperability Test Document Part 1
  2. STIX 2.0 Interoperability Test Document Part 1 v1.1
  3. STIX 2.0 Interoperability Test Document Part 2
  4. STIXPreferred Operating Rules

This high-level view of STIX 2.0 represents the most important achievement in developing a Best Practice for CTI. A subsequent post will detail the progress towards the next major update to the MVP STIX 2 & TAXII 2 versions.