EclecticIQ

White Paper
STIX 2.1
Build your own intel
Why STIX?

The computer security industry realised many years ago that the existing techniques that organizations were using to defend themselves weren't working. Attackers were bypassing defences and moving through our networks at will, blending into the multitude of applications and services running on modern corporate networks. Something had to change.

Defenders realized that there was strength in numbers. They recognized that if they shared with each other information about the attempted intrusions they experienced, they would be better prepared to detect and respond to those attacks. The threat intelligence sharing community was born.

Sharing was done over email, phone calls and wiki pages. Community members provided information about what they were seeing and how best to respond. This model of communication was adequate at the start, but something different was needed for large sharing communities with a greater quantity of threat intelligence being shared. Experts realized that automation was essential for an effective defense.

The push for automation drove the creation of the Structured Threat Information eXpression (STIX) standard. Developed by a community overseen by the US Department of Homeland Security (and, since 2015, by the OASIS Cyber Threat Intelligence Technical Committee), STIX enabled organizations to share their view of the threat intelligence space in a coherent and detailed way. With STIX, participants can convey to others in their sharing communities what they believe to be true about threats.

The release of STIX 1.0 in April 2013 drove the creation of new products such as EclecticIQ Platform. These new, STIX-enabled products allow organizations to crowdsource their threat intelligence. Using the collective power of the threat intelligence sharing community, participants can analyse new threats and share their findings with community members.

1 © 2018 EclecticIQ B.V.


STIX 2.1 | White Paper

The new STIX 2.1


With greater use of STIX, the community realised that some of the STIX 1.x design choices restricted its usefulness. The community overhauled STIX to make it more effective and flexible, restarting the design from a blank slate based on what had been learnt using STIX 1.x. The designers of STIX 2.1 intended to develop a set of flexible building blocks that content creators could use to model what was happening in the actual practice of threat intelligence.

STIX 2.1 highlights include:

• Improved efficiency with the JSON data-interchange format instead of XML.

• Greater flexibility through the ability to establish relationships between any two data objects, even of different types. This removes the restrictions of STIX 1.x, where relationships were embedded inside the objects themselves.

• Builds upon community knowledge by allowing analysts to establish relationships with data objects provided by other community members and data providers.

• Consensus-building capability allows multiple organizations to relate the same entities together. Analysts can see the extent to which community members agree that relationships exist, and weight those relationships more strongly.

• Fully modular deployment options, allowing organizations to pick the capabilities they wish to use.

• Simpler to understand, implement and use.

As you can see from the diagram, STIX 2.1 has a lot more objects to choose from than STIX 1.2, and much greater flexibility in how it can be used.


[Diagram: STIX 1.2 Architecture]
Top-level objects: Report; Threat Actor, Campaign, TTP, Indicator, Incident, Exploit Target, Course of Action (laid out on an axis from EVIL to GOOD); Observable Data.

[Diagram: STIX 2.1 Architecture]
Top-level objects: Report; Threat Actor, Intrusion Set, Attack Pattern, Indicator, Identity, Location, Note; Campaign, Malware, Tool, Vulnerability, Opinion, Course of Action (laid out on an axis from EVIL to GOOD); Observed Data, Sighting.


What can STIX 2.1 share?

STIX 2.1 has been designed to be as modular and flexible as possible by drawing upon the "graph" abstract data type, a powerful concept in computer science that allows the representation of entities ("graph nodes") and their relationships ("graph edges"). In the terminology of STIX 2.1, the graph nodes are called STIX Domain Objects (SDOs), and the graph edges are called STIX Relationship Objects (SROs). Using SDOs and SROs as building blocks, individuals can create and share broad and comprehensive cyber threat intelligence.

A description of each object category follows:

STIX Domain Objects
STIX Domain Objects describe things. A list of SDOs is below:

• Attack Pattern - A particular way that adversaries attempt to compromise targets
• Campaign - A grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets
• Course of Action - An action taken either to prevent an attack or to respond to an attack that is in progress
• Identity - The identity claimed by an individual or organization
• Indicator - A pattern that can be used to detect suspicious or malicious cyber activity
• Intrusion Set - A grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. This object is designed to be used as a grouping mechanism, to allow an organization to keep track of all the things that seem to be related together
• Location - Represents a geographic location
• Malware - Malware used in an attack
• Note - Intended to convey informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects, Marking Definition Objects, or Language Content Objects which the Note relates to
• Observed Data - Real extracts from actual data observed during an attack. Can be IP addresses, domain names, packet captures or anything else recordable within CybOX 3.0 (the observable model that STIX 2 absorbed as its Cyber-observable Objects)
• Opinion - An assessment of the correctness of the information in a STIX Object produced by a different entity
• Report - The STIX equivalent of a PDF report. A point-in-time release of a set of data grouped into a single report
• Threat Actor - Actual individuals, groups, or organizations believed to be operating with malicious intent
• Tool - Legitimate software that can be used by threat actors to perform attacks
• Vulnerability - A vulnerability that can be exploited by an attacker during an attack to gain a foothold in a victim organization

STIX Relationship Objects
STIX Relationship Objects relate STIX Domain Objects together. A list of SROs is below:

• Relationship - The generic relationship object that can connect any STIX Domain Object to any other STIX Domain Object
• Sighting - A special-case relationship object that records that an SDO (most often an Indicator) was seen. It can point at the Observed Data objects that back the sighting and at the Identity or Location where it was seen. It was designed to tie multiple Observed Data objects to a single Indicator without emitting a generic Relationship for each one, since the Observed Data to Indicator link is likely to be the most numerous relationship within STIX
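The SDO/SRO graph described above, built by hand as an added example (not code from the white paper, from EclecticIQ Platform or from the OASIS reference libraries). It uses plain Python dictionaries rather than the stix2 library, and every value in it (the "Example CSIRT" identity, the "ExampleRAT" malware, the address 198.51.100.7, the fixed clock) is constructed for illustration. It goes one step past the text: it derives the deterministic UUIDv5 identifier that STIX 2.1 specifies for cyber observables, so two producers describing the same IP address get the same id, and it checks the bundle for dangling references before it is shared.

```python
"""Build a small STIX 2.1 graph by hand: SDOs (nodes), a Relationship (edge),
a Sighting, and a Bundle, then walk the graph. Plain dicts and json only.
All sample values below are constructed for this example."""
import json
import uuid
from datetime import datetime, timezone

SPEC = "2.1"
# Namespace fixed by the STIX 2.1 spec for deterministic (UUIDv5) SCO ids.
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
# Fixed clock so the output is reproducible (constructed, not a real event).
NOW = datetime(2018, 6, 1, 12, 0, 0, tzinfo=timezone.utc)


def stix_ts(dt: datetime) -> str:
    """STIX timestamp: UTC, RFC 3339, millisecond precision, trailing Z."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def new_id(obj_type: str) -> str:
    """SDO/SRO ids are a random UUIDv4 prefixed with the object type."""
    return f"{obj_type}--{uuid.uuid4()}"


def sco_id(obj_type: str, contributing: dict) -> str:
    """SCO ids are UUIDv5 over the JSON (sorted keys, no whitespace) of the
    ID-contributing properties; for ipv4-addr that is just 'value'."""
    canon = json.dumps(contributing, sort_keys=True, separators=(",", ":"))
    return f"{obj_type}--{uuid.uuid5(SCO_NAMESPACE, canon)}"


def stix_obj(obj_type: str, **props) -> dict:
    """Common header every SDO and SRO carries, plus type-specific properties."""
    base = {"type": obj_type, "spec_version": SPEC, "id": new_id(obj_type),
            "created": stix_ts(NOW), "modified": stix_ts(NOW)}
    base.update(props)
    return base


def build_bundle() -> dict:
    ip = {"type": "ipv4-addr", "spec_version": SPEC, "value": "198.51.100.7"}
    ip["id"] = sco_id("ipv4-addr", {"value": ip["value"]})

    producer = stix_obj("identity", name="Example CSIRT",
                        identity_class="organization")
    malware = stix_obj("malware", name="ExampleRAT", is_family=True,
                       malware_types=["remote-access-trojan"])
    indicator = stix_obj("indicator", name="ExampleRAT C2 address",
                         pattern="[ipv4-addr:value = '198.51.100.7']",
                         pattern_type="stix", valid_from=stix_ts(NOW),
                         indicator_types=["malicious-activity"])
    # Generic SRO: a typed edge between two SDOs.
    rel = stix_obj("relationship", relationship_type="indicates",
                   source_ref=indicator["id"], target_ref=malware["id"])
    observed = stix_obj("observed-data", first_observed=stix_ts(NOW),
                        last_observed=stix_ts(NOW), number_observed=3,
                        object_refs=[ip["id"]])
    # Sighting: the special-case SRO. One object carries many observations.
    sighting = stix_obj("sighting", sighting_of_ref=indicator["id"],
                        observed_data_refs=[observed["id"]],
                        where_sighted_refs=[producer["id"]], count=3,
                        first_seen=stix_ts(NOW), last_seen=stix_ts(NOW))
    return {"type": "bundle", "id": new_id("bundle"),
            "objects": [producer, malware, indicator, rel, ip, observed, sighting]}


def dangling_refs(bundle: dict) -> list:
    """Every *_ref / *_refs should resolve to an object in the bundle (or one
    the consumer already holds). Returns the ids that resolve to nothing here."""
    known = {o["id"] for o in bundle["objects"]}
    missing = []
    for o in bundle["objects"]:
        for key, val in o.items():
            if key.endswith("_ref") and val not in known:
                missing.append(val)
            elif key.endswith("_refs"):
                missing.extend(v for v in val if v not in known)
    return missing


def sightings_of(bundle: dict, sdo_id: str) -> list:
    return [o for o in bundle["objects"]
            if o["type"] == "sighting" and o["sighting_of_ref"] == sdo_id]


def related(bundle: dict, sdo_id: str, relationship_type: str) -> list:
    """Follow generic Relationship edges of one type out of an SDO."""
    return [o["target_ref"] for o in bundle["objects"]
            if o["type"] == "relationship" and o["source_ref"] == sdo_id
            and o["relationship_type"] == relationship_type]


if __name__ == "__main__":
    b = build_bundle()
    print(json.dumps(b, indent=2))
    ind = next(o for o in b["objects"] if o["type"] == "indicator")
    print("indicates:", related(b, ind["id"], "indicates"))
    print("sightings:", len(sightings_of(b, ind["id"])),
          "dangling:", dangling_refs(b))
```

Note the 2.1 conventions the block follows: `spec_version` sits on each object rather than on the bundle, Observed Data points at its observables through `object_refs` instead of embedding them, and `pattern_type` is required on an Indicator. The `dangling_refs` check is the kind of validation a platform should run before publishing, since a Relationship or Sighting whose refs the recipient cannot resolve carries no usable intelligence.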


What's coming in STIX 2.1?

Features being discussed for inclusion in STIX 2.1 include:

• Confidence levels
• Internationalisation
• Addition of the Opinion object
• Addition of the Intel Note object
• Ability to specify Location
• Addition of the Infrastructure object to describe malicious infrastructure
• Ability to describe Malware and Malware Families
• OpenC2 security automation support to automate response
• The ability to group objects
• More detailed restrictions on use through support for the Information Exchange Policy (IEP) framework
• STIX Patterning enhancements
• Classifications / Risk scores
• Digital Signatures

The above list is in active development and is subject to change.

This paper was written by Terry MacDonald of Cosive in Australia.
The Cosive team represents EclecticIQ in Australia and New Zealand
and supports both our development team and the STIX community
in various ways.

EclecticIQ is an applied cyber intelligence technology provider, enabling enterprise security programs and governments to mature a Cyber Threat Intelligence (CTI) practice, and empowering analysts to take back control of their threat reality and to mitigate exposure accordingly.

EclecticIQ's mission is to restore balance in the fight against cyber adversaries. Its flagship product, EclecticIQ Platform, is a Threat Intelligence Platform (TIP), which enables operationalization of security information exchange, empowers collaborative analyst workflow and ensures timely integration of cyber threat intelligence detection, prevention and response capabilities. EclecticIQ Fusion Center is an intelligence solution that enables the acquisition of thematic bundles of cyber threat intelligence from leading suppliers, open source and communities with a single contract and unified delivery.

EclecticIQ operates globally with offices in Europe, United Kingdom, and North America, and via certified value-add partners.

www.cosive.com
www.eclecticiq.com

This document is licensed under an Attribution-NonCommercial-ShareAlike 4.0 International License.
