Hint: we are not talking about the band, or the type of transit you take home from a long night at the bar. STIX & TAXII are two fairly new specifications in the cyber security world to which many either have not heard of, or know very little about. If you happen to know even the basic principles of why these standards were created, then you are already ahead of the game, and I applaud you. Covered in this blog is information on the inception of STIX & TAXII; how they are used; the mindset behind them; and how they are implemented. “Kill-Chain” is covered briefly to provide an overview of what it is and how STIX & TAXII fit in. Also included, is information covering the Cybersecurity Information Sharing Act of 2015 (CISA) ((S.754 – 114th Congress (2015-2016) and the government’s role in cybersecurity information sharing.
Let’s first take a step back and break down these long acronyms. STIX stands for the Structured Threat Information eXpression. TAXII refers to the Trusted Automated eXchange of Indicator Information. Although you may not remember the acronyms, hopefully after reading this paper you gain a better understanding of the thought process behind STIX & TAXII and how it is making its way into the technology industry.
So where did these specifications originate? STIX is the result of both the Department of Homeland Security US-CERT and CERT.org discussions in 2010 that revolved around automating data exchange for cyber incidents. STIX is a structured language for describing cyber threat information so it can be shared, stored, and analyzed in a consistent manner; hence it being very concise. Since the inception of STIX & TAXII, the Department of Homeland Security has transitioned work to the OASIS Cyber Threat Intelligence (CTI) Technical Committee. This committee is made up of a number of organizations around the world to develop and promote standards that enable cyber threat intelligence to be analyzed and shared with trusted partners and communities. This is extremely important as it ensures a type of “checks and balances” approach. Gathering information and collecting input from various sources is a much better approach than having one organization dictate what is in store.
The basis of the architecture was to ensure everyone was on the same page in regards to defining what information should be included within a structured cyber threat indicator and what shouldn’t be. As the initial structure progressed and gained momentum, other interested parties began joining in, ironing out the details, and making collaborative changes. It is because of all of the discussions and collaborating that a XML schema implementation of STIX architecture was born.
TAXII, on the other hand, is a set of specifications to help standardize the trusted, automated exchange of cyber threat information led by the DHS (Departments of Homeland Security) and the MITRE Corporation. In today’s world, sharing threat information is extremely challenging. Sharing threat information is either done manually or by separate, community-specific automated solutions, which in turn is extremely time-consuming and costly. TAXII provides an automated way to share cyber threat information vastly with partners and communities who choose to share information. So if you are wondering if STIX & TAXII are relative, it’s because they are. STIX is the language, while TAXII is the vehicle that makes communication possible.
Up until recent times, complex well thought out attacks were far and in between. In today’s world they are a common occurrence plaguing enterprises around the world. The term “kill chain” is something you might have heard of in passing, or something you may be extremely familiar with. The term was originally used as a military concept relevant to the structure of an attack. A well known company, Lockheed Martin, adapted this concept to information security using it as a tool to explain intrusions on a computer network. Since then, the term has been adopted by many and is used throughout the industry. It is important to have an idea of what the “kill chain” is, because it ultimately provides some insight into how STIX & TAXII play a role.
The cyber “kill chain” can be categorized differently depending on who is speaking to it and what their interpretation is. None the less, the principles remain the same. Lockheed Martin defined the “Cyber Kill Chain” with the following flow: (1) Reconnaissance, (2) Weaponization, (3) Delivery, (4) Exploitation, (5) Installation, (6) Command & Control, and (7) Action on Objectives. I won’t be going through each in detail, but you can see this provides a pretty good template on how a cyber attack unfolds.
Incident response efforts to this point, have taken place after the exploit stage has taken place. This means the attack has progressed to the point where the attacker has found a vulnerability and is able to execute potentially devastating code. The tools found in an organization today, although resourceful, tend to respond to incidents after the exploit has already occurred. This can be extremely time consuming and include a wide range of negative impacts including degraded performance, downtime, financial loss, tarnished reputation and, well… you get the picture. Digging to find the cause and remove the “infection” is resource intensive and can ultimately become quite costly.
Enter STIX & TAXII. In an effort to be proactive and move the needle away from incident response and toward incident prevention, STIX & TAXII play a key role. Knowing full well there is no “silver bullet” in regards to protection, STIX & TAXII help by providing the ability to share threat information quickly and robustly, providing for a more complete picture, or understanding, when it comes to threat intelligence. This is only valuable of course, if information is being provided by various sources. Wouldn’t it be great if Enterprise A’s IDS caught something and shared that information with others? Ultimately helping Enterprise B protect against that same exact threat? While this all sounds great in theory, one issue we are currently seeing is that people generally don’t like to share. Sharing means using time and resources, and most are just not that willing to do such a thing; specifically, because there is no real incentive in sharing information. One thing is for sure, with the Internet of Things (IoT) being a major topic across the industry, it simply enforces the fact that threat intelligence needs to be shared and made available for the greater good. Using our homes as an example, we are seeing a drastic change in how electronics communicate. Everything from TV’s to refrigerators now have an IP address and have access the internet; meaning they are vulnerable. STIX & TAXII will help help allow these devices be better protected from possible attacks, and they ultimately may have been spared because of cyber threat information received from someone else.
Of course sharing information requires going over what you want to share and defining what you are willing to let others see. While this doesn’t mean sharing confidential information; it means coming up with a way to standardized threat information you feel will benefit the community as a whole. So how is information shared? Well, TAXII has three different sharing models: Hub and Spoke, Source/Subscriber, and Peer-to-Peer. You have the ability to decide how you want to share information as well as determine who you want information from; as long as they are participating of course.
In a personal opinion, there are some issues, as with all new things, that I believe will ultimately be addressed or modified at some point. One being that TAXII currently defines XML messages over HTTP(S), and looks at the complete file, rather than specific information the subscriber may be looking for. I like to think STIX & TAXII are similar to to RIPv1 – ultimately waiting to be evolved into a more sophisticated protocol.
At the end of the day STIX & TAXII are great in theory but can only be as successful as the communities and individuals who participate. If no one is willing to share, then it becomes useless; but, if sharing is encouraged, the wealth of threat intelligence information can be extremely helpful and provide the ability to detect threats before they hit the dreaded exploit stage of the “kill chain.” The benefits in this case are easy to see; time savings, money savings, and potentially your reputation.
President Barack Obama called the cyber threat we face “one of the most serious economic and national security challenges we face as a nation.” – The White House, Office of the Press Secretary, Remarks by the President on Securing Our Nation’s Cyber Infrastructure (May 29, 2009).
Signed into law on December 28, 2015, the Cybersecurity Information Sharing Act of 2015 (CISA) shows the government’s awareness of the cybersecurity issue that faces our nation, and the need for shared cyber threat intelligence. The act is the government’s way of helping bridge the gap between the federal government and the private sector when it comes to sharing cybersecurity information. The DHS recently made headway by releasing initial guidelines for cyber threat information this past February. To ensure the exchange of cybersecurity information in a timely manner between the federal government and the private sector, the DHS has developed the Automated Indicator Sharing (AIS) initiative.
Although it is nice to see the government recognizing the need for shared threat intelligence and providing classified threat intelligence information like they do in its Enhanced Cybersecurity Services (ECS) program, it should also be kept in check to always ensure they are not overstepping their bounds. Right now it looks like all the right moves are being made. The ECS program allows the private sector to obtain government classified threat intelligence information to use as they wish, without it being forced on them.
While STIX, TAXII and CISA are ways to help the private sector and federal government standardize the sharing of threat intelligence, ultimately creating a web of information; it will be up to the vendors, enterprises, ISP’s, and various communities to share the cyber threat intelligence they have collected to get the most out of it. One thing everyone can count on moving forward, is more advanced, intelligent cybersecurity threats increasing over time. Sharing threat information has never been more relevant and has never been more important than it is right now.