This is an exciting time for the Cyber Threat Intelligence Technical Committee (CTI TC) of OASIS. The CTI TC is the authoring organization for the Structured Threat Information Expression (STIX™) language and the Trusted Automated Exchange of Intelligence Information (TAXII) transport protocol.  STIX is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX enables organizations to share CTI with one another in a consistent and machine-readable manner, allowing security communities to better understand what computer-based attacks they are most likely to see and how to anticipate and/or respond to those attacks faster and more effectively. STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more.

In response to lessons learned in implementing previous versions, STIX has been significantly redesigned and, as a result, omits some of the objects and properties defined in STIX 1.2.1. The objects chosen for inclusion in STIX 2.0 represent a minimally viable product (MVP) that fulfills basic consumer and producer requirements for CTI sharing. STIX 2.0 was approved as a Committee Specification (CS) in July 2017.  However, since it was released as an MVP, the CTI TC has continued to work on the next version, STIX 2.1.

What is exciting about this time is that the public review period for the STIX 2.1 Committee Specification Draft 02 (CSD02) closed on September 12, 2019.  At the same time, Working Draft 08 of TAXII 2.1 will soon be put to a ballot for establishment as a Committee Specification (CS).  The implications of this for the cyber threat analysis and intelligence sharing community are discussed below.

STIX 2.1 CSD02

This version represents a major revision that the TC expects to be stable for some time. With this revision we have a total of 18 STIX Domain Objects (SDOs), listed here in alphabetical order:

  • Attack Pattern
  • Campaign
  • Course of Action
  • Grouping
  • Identity
  • Indicator
  • Infrastructure
  • Intrusion Set
  • Location
  • Malware
  • Malware Analysis
  • Note
  • Observed Data
  • Opinion
  • Report
  • Threat Actor
  • Tool
  • Vulnerability

Of note, the Malware SDO can represent either a single instance of malware or a family of malware (the is_family property distinguishes the two).  The Malware Analysis SDO captures the metadata and results of a particular static or dynamic (i.e., behavioral) analysis performed on a malware instance or family, and is linked to the Malware SDO it describes through a Relationship.

In addition, several meta objects and properties have been updated or added.  Among the meta objects, this includes a Language Content (i18n) object for carrying human-language translations of an object's text properties (e.g., into Japanese or French); among the properties, it includes a Confidence common property that producers can set on SDOs and relationships to express how much they trust an assertion.
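The SDO list and the Malware/Malware Analysis note above describe the data model in prose; the following is an added example (not code from the CTI TC or the STIX 2.1 specification) that builds a small STIX 2.1 bundle with a Malware SDO, a Malware Analysis SDO, and the Relationship between them, then checks the common properties every STIX 2.1 object must carry plus the Confidence range. It uses only the Python standard library; the malware name and the sandbox product name are constructed values, and the per-type required-property table covers only the three types used here.

```python
"""Added example, not code from the CTI TC or the STIX 2.1 specification:
build a small STIX 2.1 bundle (Malware, Malware Analysis, and the
Relationship between them) and check the common properties every STIX 2.1
object must carry. Standard library only; the sandbox product name and the
malware name are constructed values."""
import json
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 identifier: <type>--<UUID>; timestamps are RFC 3339 in UTC with a "Z" suffix.
STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]{0,250}--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")

# Properties the 2.1 drafts require beyond the common ones, for the types used here only.
TYPE_REQUIRED = {
    "malware": ["is_family"],
    "malware-analysis": ["product"],
    "relationship": ["relationship_type", "source_ref", "target_ref"],
}
COMMON_REQUIRED = ["type", "spec_version", "id", "created", "modified"]


def utc_now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def new_object(obj_type, **props):
    """Create an SDO/SRO with the STIX 2.1 common properties filled in."""
    ts = utc_now()
    obj = {"type": obj_type, "spec_version": "2.1",
           "id": f"{obj_type}--{uuid.uuid4()}", "created": ts, "modified": ts}
    obj.update(props)
    return obj


def build_bundle():
    malware = new_object("malware", name="ExampleLoader",  # constructed name
                         is_family=False, malware_types=["trojan"])
    analysis = new_object("malware-analysis",
                          product="constructed-sandbox",    # constructed product name
                          analysis_engine_version="1.0",
                          result="malicious", confidence=75)
    # Malware Analysis -> Malware; "dynamic-analysis-of" is one of the 2.1 relationship types
    link = new_object("relationship", relationship_type="dynamic-analysis-of",
                      source_ref=analysis["id"], target_ref=malware["id"])
    # A 2.1 bundle carries only type, id and objects (no spec_version on the bundle itself)
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [malware, analysis, link]}


def validate(obj):
    """Return a list of problems; an empty list means the object passes these checks."""
    errors = []
    for prop in COMMON_REQUIRED + TYPE_REQUIRED.get(obj.get("type"), []):
        if prop not in obj:
            errors.append(f"missing required property {prop}")
    if obj.get("spec_version") != "2.1":
        errors.append("spec_version must be 2.1")
    if "id" in obj:
        if not STIX_ID_RE.match(obj["id"]):
            errors.append("malformed id")
        elif obj["id"].split("--")[0] != obj.get("type"):
            errors.append("id prefix does not match type")
    for prop in ("created", "modified"):
        if prop in obj and not TIMESTAMP_RE.match(obj[prop]):
            errors.append(f"{prop} is not a STIX timestamp")
    if "created" in obj and "modified" in obj and obj["modified"] < obj["created"]:
        errors.append("modified precedes created")
    if "confidence" in obj and not (isinstance(obj["confidence"], int)
                                    and 0 <= obj["confidence"] <= 100):
        errors.append("confidence must be an integer 0-100")
    return errors


def validate_bundle(bundle):
    """Validate each object and check that relationships resolve inside the bundle."""
    ids = {o["id"] for o in bundle["objects"] if "id" in o}
    problems = {}
    for obj in bundle["objects"]:
        errs = validate(obj)
        if obj.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in ids:
                    errs.append(f"{ref} not found in bundle")
        if errs:
            problems[obj.get("id", "<no id>")] = errs
    return problems


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle))
```

The checks are deliberately limited to what the list above and the common-properties rules give us; a full validator would also enforce the open vocabularies (malware_types, result) and the type-specific rules for the other fifteen SDOs.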

The TC will now go through a validation, completeness and interoperability demonstration for several of the SDOs, after which we will finalize STIX 2.1 as a CS.  For all practical purposes this is a stable version that you can begin coding to.

Here is a link to the Zip file of the authorized version:

Handle with care.


TAXII 2.1 (CS01)

TAXII™ is an application layer protocol for the communication of cyber threat information in a simple and scalable manner. The TAXII 2.1 specification defines the TAXII RESTful API and its resources along with the requirements for TAXII Client and Server implementations.

With this version the following changes were made:

  • Pagination was refactored (FreeTAXII)
  • Delete Endpoint added (FreeTAXII, MITRE)
  • Versions Endpoint added (FreeTAXII, MITRE)
  • Added limit URL parameter (FreeTAXII)
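The four changes above are easiest to see from both sides of the wire. The following is an added example (not code from the original post or from any TAXII server project such as medallion or FreeTAXII): an in-memory stand-in for one TAXII 2.1 collection that exercises limit/next pagination, the Versions endpoint, and the Delete endpoint, plus the client-side loop that follows `next` until the server reports no more pages. The envelope and versions resource shapes, the date-added headers and the media type follow TAXII 2.1; the storage, the offset-based `next` token, and the sample indicators are this example's own constructions.

```python
"""Added example, not code from the original post or from any TAXII server
project: an in-memory stand-in for one TAXII 2.1 collection that exercises
limit/next pagination, the Versions endpoint and the Delete endpoint.
Resource shapes and the media type follow TAXII 2.1; the storage, the
offset-based `next` token and the sample indicators are constructed here."""

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"   # used for Accept and Content-Type

# Constructed sample objects: IND_A has two versions (same id, different "modified").
IND_A = "indicator--1f4c3bb7-0a7a-4d4b-9a1e-2a1c1d4a0001"
IND_B = "indicator--1f4c3bb7-0a7a-4d4b-9a1e-2a1c1d4a0002"
IND_C = "indicator--1f4c3bb7-0a7a-4d4b-9a1e-2a1c1d4a0003"
V1, V2 = "2019-09-01T10:00:00.000Z", "2019-09-10T10:00:00.000Z"


def indicator(obj_id, modified, pattern):
    return {"type": "indicator", "spec_version": "2.1", "id": obj_id,
            "created": V1, "modified": modified, "pattern_type": "stix",
            "pattern": pattern, "valid_from": V1}


class Collection:
    """One TAXII collection; entries are (date_added, object), date_added set by the server."""

    def __init__(self):
        self._entries = []

    def add(self, obj, date_added):
        self._entries.append((date_added, obj))

    def _visible(self, version):
        # TAXII returns the latest version of each object unless match[version]=all
        entries = sorted(self._entries, key=lambda e: e[0])
        if version == "all":
            return entries
        latest = {}
        for date_added, obj in entries:
            cur = latest.get(obj["id"])
            if cur is None or obj["modified"] > cur[1]["modified"]:
                latest[obj["id"]] = (date_added, obj)
        return sorted(latest.values(), key=lambda e: e[0])

    def get_objects(self, limit=None, next_token=None, version="last"):
        """GET /{api-root}/collections/{id}/objects/?limit=N&next=TOKEN -> envelope resource."""
        entries = self._visible(version)
        start = int(next_token) if next_token else 0        # assumption: token is an offset
        end = len(entries) if limit is None else min(start + limit, len(entries))
        page = entries[start:end]
        envelope = {"more": end < len(entries), "objects": [obj for _, obj in page]}
        if envelope["more"]:
            envelope["next"] = str(end)                      # opaque to the client
        headers = {"Content-Type": TAXII_MEDIA_TYPE}
        if page:
            headers["X-TAXII-Date-Added-First"] = page[0][0]
            headers["X-TAXII-Date-Added-Last"] = page[-1][0]
        return envelope, headers

    def get_versions(self, object_id):
        """GET /{api-root}/collections/{id}/objects/{object-id}/versions/ -> versions resource."""
        versions = sorted(obj["modified"] for _, obj in self._entries if obj["id"] == object_id)
        return {"more": False, "versions": versions}

    def delete_object(self, object_id, version=None):
        """DELETE /{api-root}/collections/{id}/objects/{object-id}/ [?match[version]=TS]
        Without a version filter every version is removed. Returns the number removed."""
        keep = [(d, o) for d, o in self._entries
                if not (o["id"] == object_id and (version is None or o["modified"] == version))]
        removed = len(self._entries) - len(keep)
        self._entries = keep
        return removed


def fetch_all(collection, limit):
    """Client side of pagination: follow `next` until the server reports more=false."""
    objects, token = [], None
    while True:
        envelope, _ = collection.get_objects(limit=limit, next_token=token)
        objects.extend(envelope["objects"])
        if not envelope["more"]:
            return objects
        token = envelope["next"]


def build_sample_collection():
    c = Collection()
    c.add(indicator(IND_A, V1, "[ipv4-addr:value = '198.51.100.7']"), "2019-09-01T10:00:01.000Z")
    c.add(indicator(IND_B, V1, "[domain-name:value = 'example.invalid']"), "2019-09-02T10:00:01.000Z")
    c.add(indicator(IND_A, V2, "[ipv4-addr:value = '198.51.100.8']"), "2019-09-10T10:00:01.000Z")
    c.add(indicator(IND_C, V1, "[file:hashes.'SHA-256' = '" + "a" * 64 + "']"), "2019-09-11T10:00:01.000Z")
    return c


if __name__ == "__main__":
    c = build_sample_collection()
    print([o["id"] for o in fetch_all(c, limit=2)])
    print(c.get_versions(IND_A))
```

Two things worth noticing: with the default version filter the collection reports three objects even though it stores four entries, because only the latest version of IND_A is returned; and a client that ignores `more` and stops after the first page silently loses data, which is why the loop in fetch_all keys on that flag rather than on the page being shorter than `limit`.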

Here is a link to the Zip file of the authorized version:

Handle this with care, too.


Comment on What to Expect in the Future

The CTI TC is almost 300 people strong, with representatives from around the world.  It has worked diligently to create a robust framework that includes both the data model and the transport protocol.  It is intended to be flexible enough to satisfy the data modeling and information sharing needs of multiple communities of interest.  This revision signals a significant improvement over past versions and will likely be rapidly adopted by user communities that need a consistent and stable framework for guiding product development, mitigation strategies, training programs, remediation designs and many other use cases.

Don’t be left behind when this transformative standard leaves its mark on the world.