STIX and TAXII: New weapons in the security battle
The scenario is depressing and all too common: the Bad Guys -- state actors, criminal gangs, script-kiddies -- launch an attack, make off with a bundle, and then repeat the attack dozens, perhaps hundreds of times. How does that happen?
It happens because the Good Guys aren't communicating the details of the threat and the actions needed to defeat it. A guy at a NOC might call his colleague and warn him, or tell his security vendor to update their profiles, but that's about it.
I spoke to Brett Jordan of Symantec, editor of the STIX spec and co-chair for TAXII, about how STIX and TAXII aim to change that. They're two standards whose development is supported by the major security industry players, including IBM, HPE, Cisco, and Dell, large financial institutions, and the US government, including the Department of Defense and the NSA.
What is STIX?
Structured Threat Information eXchange is an edge-and-node based graph data model. The nodes are STIX Data Objects (SDO) and the edges are STIX Relationship Objects (SRO).
The SDOs include information such as:
- Attack Pattern
- Identity
- Observed Data
- Threat Actor
- Vulnerability
The SROs -- the edges -- are meant to connect SDOs so that, over time, users will be able to develop in-depth knowledge of threat actors and their techniques. STIX v2 will be out before the end of the year, and vendors are already working to support it based on draft versions.
What is TAXII?
From the TAXII GitHub siteTAXII (Trusted Automated eXchange of Indicator Information) looks
. . . to standardize the trusted, automated exchange of cyber threat information. TAXII defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries for the detection, prevention, and mitigation of cyber threats.
STIX is the critical threat information. TAXII is the protocol to communicate it.
Implementation
Users and security vendors will participate in giving life to the specifications. Users will be able to pass anonymized data to their security vendors, and the vendors will be able to rapidly share threat information. You'll still buy security services, but those services will be much more effective as part of a community sharing threat and defense data in real time.
The goal
Cybercrime is incredibly profitable, which feeds a vicious cycle where the profits enable building more sophisticated attacks. But like any product, sophisticated malware has to be profitable.
Today, a single attack vector can be used dozens or hundreds of times, making it extremely profitable. But if a new attack vendor could be neutralized after one or two attacks, profitability would nosedive, making it harder to justify the effort needed for more sophisticated attacks.
Of course, a different calculus applies to state actors. Once implemented, a vigilant community will force them to use their cyber weapons with greater care, hopefully minimizing collateral damage.
The Storage Bits take
As initiatives such as STIX and TAXII kick in over the next decade, we can start to take back the internet from the bad guys. If your company has a security vendor that you talk to, ask them about STIX and TAXII, and how they are planning to use it. Every vendor needs the encouragement of customers to justify timely action!
Courteous comments welcome, of course. Learn more at these links: STIX 2.0 core spec. OASIS Cyber Threat Intelligence (CTI) Technical Committee github. OASIS open standards website.
Google's 2016 web security report: 32 percent more websites were hacked: