STIX And TAXII - Threat intelligence information must be distributed

STIX And TAXII

Threat intelligence information must be distributed as quickly as possible to others. To rely on email alerts that require a human to read them and then react takes far too much time. As an alternative, Automated Indicator Sharing (AIS) can be used instead. AIS enables the exchange of cyberthreat indicators between parties through computer-to-computer communication, not email communication. Threat indicators such malicious IP addresses or the sender address of a phishing email can be quickly distributed to enable others to repel these attacks.

Those participating in AIS generally are connected to a managed system controlled by the public information sharing center that allows bidirectional sharing of cyberthreat indicators. Not only do participants receive indicators, but they can also share indicators they have observed in their own network defenses to the public center, which then distributes them to all participants.

Two tools facilitate AIS. Structured Threat Information Expression (STIX) is a language and format used to exchange cyberthreat intelligence. All information about a threat can be represented with objects and descriptive relationships. STIX information can be visually represented for a security analyst to view or stored in a lightweight format to be used by a computer. Trusted Automated Exchange of Intelligence Information (TAXII) is an application protocol for exchanging cyberthreat intelligence over Hypertext Transfer Protocol Secure (HTTPS). TAXII defines an application protocol interface (API) and a set of requirements for TAXII clients and servers.

Description: Research the web to find more information on Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII). How are they used? What formats do they provide? How widely are they used? What are their strengths and weaknesses?