The cyber threat landscape is evolving rapidly. New cyber threats and vulnerabilities emerge at a great pace and are becoming more severe and more persistent. Furthermore, because modern cyber threats are dynamic by nature, they are becoming more autonomous and more complex, and are therefore able to apply more sophisticated techniques against the target system.

In order to cope effectively with this rapidly evolving landscape, cybersecurity professionals exchange Cyber Threat Intelligence (CTI). CTI is organised knowledge about cyber threats and vulnerabilities that has been collected, evaluated and analysed by cybersecurity experts using rigorous analysis techniques. Although CTI helps cybersecurity professionals deal with cyber threats, certain activities, such as the automated exchange, storage and analysis of this information, remain complicated.

Hence, a structured representation of CTI according to a common standard is essential in order to facilitate and speed up the sharing process and to make it more efficient. Among the various CTI standards, the two most popular and widely used are OpenIOC and the Structured Threat Information Expression (STIX).

OpenIOC, developed by Mandiant, is an extensible XML schema containing technical characteristics that identify a known threat, an attacker’s methodology or other evidence of a compromise.

STIX is a language and serialisation format used to exchange cyber threat intelligence. It is expressive: beyond IOCs it can carry additional cyber threat information such as tactics, techniques and procedures (TTPs), indicators, cyber observables, campaigns and threat mitigations. It is also flexible, since it can be extended with custom, user-defined fields. The latest version of STIX (2.x) is defined in JSON, which makes it easier to parse and extend than its XML-based predecessor (STIX 1.x).
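To make the "easier to parse" point concrete, here is an added example (not code from the original article or from any STIX project) that builds a small STIX 2.1 bundle in plain JSON and performs the structural checks a consuming organisation should run before trusting received intelligence: every object carries the common properties, each identifier's type prefix matches the object's `type`, indicators carry a pattern, and relationships do not reference objects missing from the bundle. The SHA-256 value, object names and fixed creation time are constructed placeholders; the UUIDs are derived with `uuid5` only so the output is reproducible, whereas real producers use random `uuid4` values.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 identifier: "<type>--<uuid>".
STIX_ID_RE = re.compile(
    r"^([a-z0-9][a-z0-9-]*[a-z0-9])--"
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)
# Common properties every STIX 2.1 domain/relationship object must carry.
REQUIRED_COMMON = ("type", "spec_version", "id", "created", "modified")
# Constructed, fixed creation time so the sample bundle is deterministic.
SAMPLE_TIME = datetime(2024, 1, 15, 9, 30, 0, tzinfo=timezone.utc)


def stix_timestamp(dt):
    """Render a datetime in the RFC 3339 UTC form STIX requires (millisecond precision, trailing Z)."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def make_object(obj_type, name_for_id, created=SAMPLE_TIME, **props):
    """Build a STIX 2.1 object with the common properties filled in.
    The UUID is derived from a constructed name (uuid5) purely for reproducibility."""
    obj = {
        "type": obj_type,
        "spec_version": "2.1",
        "id": f"{obj_type}--{uuid.uuid5(uuid.NAMESPACE_URL, name_for_id)}",
        "created": stix_timestamp(created),
        "modified": stix_timestamp(created),
    }
    obj.update(props)
    return obj


def build_sample_bundle():
    """Constructed sample: an indicator, the malware it indicates, and the relationship between them."""
    fake_sha256 = "ab" * 32  # placeholder hash, not a real IOC
    malware = make_object("malware", "example:malware", name="ExampleLoader",
                          is_family=False, malware_types=["downloader"])
    indicator = make_object("indicator", "example:indicator",
                            name="ExampleLoader dropper hash",
                            pattern=f"[file:hashes.'SHA-256' = '{fake_sha256}']",
                            pattern_type="stix",
                            valid_from=stix_timestamp(SAMPLE_TIME))
    relationship = make_object("relationship", "example:relationship",
                               relationship_type="indicates",
                               source_ref=indicator["id"], target_ref=malware["id"])
    # A 2.1 bundle carries only type, id and objects (no spec_version/created).
    return {"type": "bundle",
            "id": f"bundle--{uuid.uuid5(uuid.NAMESPACE_URL, 'example:bundle')}",
            "objects": [indicator, malware, relationship]}


def validate_bundle(bundle):
    """Return a list of structural problems; an empty list means the bundle passed."""
    errors = []
    if bundle.get("type") != "bundle" or not STIX_ID_RE.match(bundle.get("id", "")):
        errors.append("bundle: bad type or id")
    objects = bundle.get("objects", [])
    ids = {o.get("id") for o in objects}
    for o in objects:
        oid = o.get("id", "<missing>")
        m = STIX_ID_RE.match(oid)
        if not m:
            errors.append(f"{oid}: malformed id")
        elif m.group(1) != o.get("type"):
            errors.append(f"{oid}: id prefix does not match type {o.get('type')!r}")
        errors.extend(f"{oid}: missing {p}" for p in REQUIRED_COMMON if p not in o)
        if o.get("type") == "indicator":
            errors.extend(f"{oid}: indicator missing {p}"
                          for p in ("pattern", "pattern_type", "valid_from") if p not in o)
        if o.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if o.get(ref) not in ids:
                    errors.append(f"{oid}: dangling {ref} {o.get(ref)}")
    return errors


def indicator_patterns(bundle):
    """Map indicator id -> STIX pattern, the part a detection pipeline consumes."""
    return {o["id"]: o["pattern"] for o in bundle.get("objects", [])
            if o.get("type") == "indicator"}


def parse_bundle(text):
    """Parse STIX JSON received over the wire (e.g. from a TAXII server) and validate it."""
    bundle = json.loads(text)
    return bundle, validate_bundle(bundle)


if __name__ == "__main__":
    wire_text = json.dumps(build_sample_bundle(), indent=2)
    parsed, problems = parse_bundle(wire_text)
    print(wire_text)
    print("problems:", problems or "none")
    print("patterns:", indicator_patterns(parsed))
```

The dangling-reference check is the one most often skipped in practice: a relationship whose `target_ref` points outside the bundle is not wrong per se (the target may live in another collection), but a consumer that silently stores it will later fail to resolve it, so it is worth at least logging.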

STIX CTI is exchanged using the Trusted Automated Exchange of Intelligence Information (TAXII) protocol. TAXII is an application-layer protocol that transports STIX-encoded CTI over HTTPS. It defines an API that aligns with the common sharing models (e.g. hub-and-spoke, peer-to-peer, source-subscriber), so that organisations can exchange CTI without agreeing on a bespoke transport.


Arnold Spyros
InnoSec, Greece