Mitre has developed a new draft standard called Structured Threat Information eXpressions (STIX). The framework focuses on making intel-sharing “wire-speed,” allowing defenders to more quickly react to threats. The initial version, an XML Schema, consists of eight components, including Indicator, Incident, Exploit Target, Campaign, and Threat Actor. Mitre’s early goal is to create a common language that would allow systems to seamlessly share this threat data with each other.
Oh, and there’s another DHS-based companion framework for the actual transmission of this threat data called … get this … TAXII or Trusted Automated eXchange of Indicator Information. These pseudo-government guys must spend a lot of time coming up with these sometimes silly-, sometimes genius-sounding acronyms. Anyway, all the usual suspects are supporting this standard (e.g., DHS, US-CERT, NIST, FS-ISAC, and big contractors), but it remains to be seen whether STIX will become THE adopted intel-sharing standard.
When a company hit by a cyberattack shares some details of the attack with another firm, it typically gives them a call or shoots them an email with some intelligence on the malware or other fingerprints of the attack. It’s then up to the recipient to manually translate that information into a format it can use to automatically protect itself from falling prey to that attack.
That gap of time between receiving the intel and converting it into something useful can make all the difference in deflecting or mitigating an attack. To that end, an industry effort is under way to create a standard, machine-readable language that organizations can use to efficiently incorporate the latest threat information into their security infrastructures, called Structured Threat Information eXpression, or STIX.
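To make the "manual translation" gap concrete, here is an added example (my own code, not Mitre's and not part of any STIX or TAXII tooling) that does the conversion step automatically: it parses a constructed STIX 1.x-style XML package into plain indicator rows, builds a blocklist from them, and checks an event against that blocklist. The namespace URIs and element names (stix:STIX_Package, stix:Indicator, indicator:Observable, cybox:Properties, FileObj:Hashes, DomainNameObj:Value) follow the STIX 1.x / CybOX 2.x layout as I recall it and are assumptions to check against the published schemas; the hashes and domain in the sample are invented.

```python
import xml.etree.ElementTree as ET

# Prefix -> namespace URI map for the lookups below (STIX 1.x / CybOX 2.x URIs as I recall them; assumption).
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
}
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}  # expected hex length per hash type

# Constructed sample package: the hashes and the domain are invented, not real IoCs.
SAMPLE_STIX = """<stix:STIX_Package id="example:package-1"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>Dropper seen in phishing campaign (constructed)</indicator:Title>
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="FileObj:FileObjectType">
          <FileObj:File_Name>invoice.exe</FileObj:File_Name>
          <FileObj:Hashes>
            <cyboxCommon:Hash><cyboxCommon:Type>SHA256</cyboxCommon:Type>
              <cyboxCommon:Simple_Hash_Value>0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>
            <cyboxCommon:Hash><cyboxCommon:Type>MD5</cyboxCommon:Type>
              <cyboxCommon:Simple_Hash_Value>0123456789abcdef0123456789abcdef</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>
            <cyboxCommon:Hash><cyboxCommon:Type>SHA1</cyboxCommon:Type>
              <cyboxCommon:Simple_Hash_Value>not-a-real-hash</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>
          </FileObj:Hashes>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Title>Command-and-control domain (constructed)</indicator:Title>
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
          <DomainNameObj:Value>Update-Check.example</DomainNameObj:Value>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""


def _hash_ok(htype, value):
    """Reject unknown types and malformed hex so a sloppy feed cannot poison the blocklist."""
    n = HASH_LENGTHS.get(htype)
    return n is not None and len(value) == n and all(c in "0123456789abcdef" for c in value)


def parse_indicators(xml_text):
    """Flatten Indicator/Observable/Object/Properties into rows of (indicator_id, title, type, value)."""
    root = ET.fromstring(xml_text)
    rows = []
    for ind in root.findall("stix:Indicators/stix:Indicator", NS):
        ind_id = ind.get("id", "")
        title = ind.findtext("indicator:Title", default="", namespaces=NS).strip()
        for props in ind.findall("indicator:Observable/cybox:Object/cybox:Properties", NS):
            for h in props.findall("FileObj:Hashes/cyboxCommon:Hash", NS):
                htype = h.findtext("cyboxCommon:Type", default="", namespaces=NS).strip().lower()
                value = h.findtext("cyboxCommon:Simple_Hash_Value", default="", namespaces=NS).strip().lower()
                if _hash_ok(htype, value):  # the SHA1 entry in the sample is dropped here
                    rows.append({"indicator_id": ind_id, "title": title, "type": htype, "value": value})
            for dom in props.findall("DomainNameObj:Value", NS):
                value = (dom.text or "").strip().lower().rstrip(".")  # normalise case and trailing dot
                if value:
                    rows.append({"indicator_id": ind_id, "title": title, "type": "domain", "value": value})
    return rows


def build_blocklist(rows):
    """type -> {normalised value -> indicator id}; this is what a sensor can consume directly."""
    blocklist = {}
    for r in rows:
        blocklist.setdefault(r["type"], {})[r["value"]] = r["indicator_id"]
    return blocklist


def match_event(blocklist, event):
    """Return the indicator ids hit by an event dict with optional sha256/md5/sha1/domain fields."""
    hits = []
    for field in ("sha256", "md5", "sha1", "domain"):
        value = str(event.get(field, "")).strip().lower().rstrip(".")
        ind_id = blocklist.get(field, {}).get(value)
        if value and ind_id and ind_id not in hits:
            hits.append(ind_id)
    return hits


if __name__ == "__main__":
    rows = parse_indicators(SAMPLE_STIX)
    for r in rows:
        print(r["indicator_id"], r["type"], r["value"])
    print(match_event(build_blocklist(rows), {"domain": "UPDATE-CHECK.example."}))
```

The two defensive details worth keeping in any real importer are the hash validation (a feed entry with an unknown type or non-hex value is skipped rather than silently becoming a blocklist entry that never matches) and the case/trailing-dot normalisation on both the indicator and the event side, so a match does not depend on how each party happened to write the value. For packages received from an outside party, parse with the defusedxml package rather than the standard library parser.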
“STIX is not a program or policy. It’s not a system or application. It’s not code or heuristics: It’s purely a language,” says Sean Barnum, a principal in cybersecurity at Mitre Corp., which is spearheading the project. “It’s a way of expressing and specifying cyberthreat information. You can then use it any way you want.”
What do you think about STIX? Post your comments below. Today’s post pic is from GovTech.com.