Structured Threat Information eXpression (STIX)

As we enter a new year, there is an acronym that you need to be familiar with: STIX. STIX is the Structured Threat Information eXpression language; it is not a program, policy, system, or application. It is XML for security.

The goal of STIX is to automate the sharing of cyber attack information. And, while the language is new, the concept is not. In fact, we’ve already been down this path at least twice before. ‘First’ (though there may have been earlier efforts) we had IODEF, the Incident Object Description Exchange Format (RFC 5070), in December 2007. Then we had RID, Real-time Inter-network Defense (RFC 6046), in November 2010.

So, while there is clearly a need to automate this type of information, why would we expect that STIX will be any more ‘widely’ (not really) implemented than either IODEF or RID have been to date? While STIX does apparently have some significant backers (e.g., DHS, US-CERT, NIST, FS-ISAC, DTCC, General Dynamics, Lockheed Martin, NATO, and the World Bank), that list of backers looks decidedly US-centric. Additionally, backers are not as important as adopters – both vendors and customers. And, to my knowledge, STIX has not been submitted to the IETF either. Furthermore, STIX relies on a new transport mechanism, TAXII (Trusted Automated eXchange of Indicator Information).

“TAXII™ is a set of technical specifications and supporting documentation that enable organizations to exchange cyber threat information in a secure, automated manner. TAXII is not a specific information sharing initiative nor an attempt to define trust agreements, governance, or other non-technical aspects of cyber threat information sharing. Instead, TAXII empowers organizations to achieve improved situational awareness about emerging threats, and enables organizations to easily share the information they choose with the partners they choose.

TAXII is the main transport mechanism for cyber threat information represented as Structured Threat Information Expression (STIX™). Through the use of TAXII services, organizations can share cyber threat information in a secure and automated manner.”

So, the need for automating this type of data so that it is machine readable is very real, and a solution is overdue.  The question is: is STIX the answer?
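To make the "XML for security" and "machine readable" points concrete, here is an added example (not code from the original post, and not from the STIX project itself) that builds a small STIX 1.x package and extracts the IPv4 indicators from it with Python's standard library. The package is constructed for this illustration: the namespace URIs follow the STIX 1.x and CybOX 2.x schemas, but the `example:` identifiers, the indicator titles and the addresses are placeholders, and the function name `extract_ipv4_indicators` is this example's own.

```python
"""Parse a minimal STIX 1.x package and pull out the IPv4 address indicators it carries.

This is an added illustration. The document below is constructed for the example;
its identifiers, titles and addresses are placeholders, not real threat data.
"""
import xml.etree.ElementTree as ET

# Namespace URIs used by STIX 1.x and CybOX 2.x documents (assumed from those schemas).
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed sample package: two IPv4 indicators and one e-mail address indicator.
SAMPLE_STIX = """<stix:STIX_Package
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:Package-1" version="1.1.1">
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-1">
      <indicator:Title>Constructed C2 address (example only)</indicator:Title>
      <indicator:Observable id="example:Observable-1">
        <cybox:Object id="example:Object-1">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value>192.0.2.10</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-2">
      <indicator:Title>Second constructed address</indicator:Title>
      <indicator:Observable id="example:Observable-2">
        <cybox:Object id="example:Object-2">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value>198.51.100.7</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-3">
      <indicator:Title>Constructed sender address</indicator:Title>
      <indicator:Observable id="example:Observable-3">
        <cybox:Object id="example:Object-3">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="e-mail">
            <AddressObj:Address_Value>sender@example.invalid</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
"""


def extract_ipv4_indicators(xml_text):
    """Return (indicator id, title, address) for every IPv4 address indicator in the package.

    Packages arrive from sharing partners, so treat them as untrusted input: in
    production, parse with defusedxml.ElementTree (same API as xml.etree) so that
    entity-expansion tricks in a malicious feed cannot exhaust the parser.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    results = []
    for ind in root.iterfind("stix:Indicators/stix:Indicator", NS):
        ind_id = ind.get("id", "")
        title = ind.findtext("indicator:Title", default="", namespaces=NS)
        # Walk every CybOX object under the indicator; keep only IPv4 address objects.
        for props in ind.iterfind(".//cybox:Properties", NS):
            if props.get("category") != "ipv4-addr":
                continue
            value = props.findtext("AddressObj:Address_Value", default="", namespaces=NS)
            if value:
                results.append((ind_id, title, value.strip()))
    return results


if __name__ == "__main__":
    for ind_id, title, addr in extract_ipv4_indicators(SAMPLE_STIX):
        print(f"{ind_id}\t{addr}\t{title}")
```

Because the tags are matched by namespace URI rather than by prefix, the same function works on a package whose producer chose different prefixes, which is the whole point of a machine-readable exchange format: the consumer does not have to know which tool wrote the document.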
