The UK Government has agreed on a way to document and share cybersecurity threat information in a machine-readable digital format. Last month, it announced that it has chosen two digital standards: the Structured Threat Information Expression (STIX 2) and the Trusted Automated Exchange of Indicator Information (TAXII 2).
Created by nonprofit standards body OASIS, STIX 2 and TAXII 2 are two related standards that make it easier to share cybersecurity threat and incident information.
STIX 2 makes cyber-threat information machine readable by encoding it in a standard format. It describes a range of different cybersecurity entities including attack patterns, campaigns, identities, indicators of compromise, specific malware, and threat actors. It has gained significant traction and has now absorbed the Cyber Observable eXpression (CyBox) language for describing cybersecurity incidents.
TAXII 2 is a protocol for exchanging threat information between systems, eliminating the need for cumbersome emails. The Cabinet Office hopes that using it will reduce threat response times.
STIX and TAXII are now the lingua franca for UK government departments to share information between each other, and with industry and international partners.
“Other governments already use STIX 2 and TAXII 2,” the Cabinet Office said. “Security technology suppliers are also starting to use these standards. Wider use of these standards makes it easier to share analysis of threat intelligence.”
Information sharing protocols are not just for governments, though. Several initiatives have popped up supporting STIX 2 and TAXII 2.
Mitre, which created the human-readable Common Vulnerabilities and Exposures (CVE) database, created the Collaborative Research into Threats (CRITS) project. This open-source malware and threat repository targets analysts and security experts.
Since October 2018, the Canadian Cyber Threat Exchange (CCTX) has sourced threat intelligence information as a digital feed from the Canadian government’s Canadian Centre for Cyber Security. This is available to CCTX members in STIX/TAXII format.
Facebook operates its own information sharing initiative called ThreatExchange, which uses the Facebook graph API instead of the OASIS standards. CRITS developed a link to ThreatExchange.
As developed digital threats grow in volume and complexity, we need these automated information sharing systems to help keep everyone ahead of cyber-criminals.
The topic of Incident Response & Security Operations will be covered throughout the free-to-attend conference at Infosecurity Europe in London from 4-6 June. See all the talks on Incident Response & Security Operations here. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.