White Paper
STIX 2.1
Build your own intel
Why STIX?
The computer security industry realised many years ago that the existing techniques that organizations were using to defend themselves weren’t working. Attackers were bypassing defences and moving through our networks at will, blending into the multitude of applications and services running on modern corporate networks. Something had to change.

Sharing was done over email, phone calls and wiki pages. Community members provided information about what they were seeing and how best to respond. This model of communication was adequate at the start, but something different was needed for large sharing communities with a greater quantity of threat intelligence being shared. Experts realized that automation was essential for an effective defense.

The release of STIX 1.0 in April 2013 drove the creation of new products such as EclecticIQ Platform. These new, STIX enabled products allow organizations to crowdsource their threat intelligence. Using the collective power of the threat intelligence sharing community, participants can analyse new threats, and share their findings with community members.
As you can see from the diagram, STIX 2.1 has a lot more
objects to choose from than STIX 1.2, and much greater
flexibility in how it can be used.
[Diagram: the STIX 1.2 object set (Report; Threat Actor, Campaign, TTP, Indicator, Incident, Exploit Target, Course of Action; Observable Data) compared with the STIX 2.1 object set (Report; Threat Actor, Intrusion Set, Attack Pattern, Indicator, Identity, Location, Note), each laid out on an EVIL to GOOD axis]
[…] as possible by drawing upon the “graph” abstract data type, a powerful concept in computer science that allows the […] relationships (“graph edges”). In the terminology of STIX 2.1, the graph nodes are called STIX Domain Objects (SDOs), and the graph edges are called STIX Relationship Objects (SROs). Using SDOs and SROs as building blocks, individuals can create and share broad and comprehensive cyber threat […]

• Identity - The identity claimed by an individual or organization […]
• […]cious or malicious cyber activity
• Intrusion Set - A grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. This object is designed to be used as a grouping mechanism, to allow an organization to keep track of all the things that […]
• Location - Represents a geographic location […]
• […] not contained in the STIX Objects, Marking Definition Objects, or Language Content Objects which the Note […]
• Observed Data - Real extracts from actual data observed during an attack. Can be IP addresses, domain names, packet captures or anything else recordable within CybOX 3.0
• Opinion - An assessment of the correctness of the information […]
• Relationship - The generic relationship object that can […]
• Sighting - The specialized Sighting relationship object is a special case relationship object, used only to describe relationships between any object and an Observed Data object. This special relationship was designed to relate multiple Observed Data objects to a single Indicator, and was developed from a desire to reduce the impact of the […] to be the most numerous relationship within STIX
• Confidence levels
• Internationalisation
• Digital Signatures
• Risk Scores
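As an added example (not taken from this white paper, and not EclecticIQ's or Cosive's code), the Python below builds a small STIX 2.1 bundle out of plain dicts, treating SDOs and one SCO as the graph nodes and a generic Relationship plus a Sighting as the edges, then walks the bundle to check that every edge resolves to a node and that a Sighting's observed_data_refs really point at Observed Data objects. All ids, names, the domain and the timestamps are constructed sample values.

```python
import uuid

TS = "2021-03-01T00:00:00.000Z"  # constructed timestamp reused for every object
SRO_TYPES = {"relationship", "sighting"}  # graph edges; every other type is a node

def obj(stix_type, **props):
    """One STIX 2.1 object as a plain dict; the id is a constructed random UUID."""
    o = {"type": stix_type, "spec_version": "2.1", "id": f"{stix_type}--{uuid.uuid4()}"}
    if stix_type != "domain-name":  # SCOs (observables) carry no created/modified
        o.update(created=TS, modified=TS)
    o.update(props)
    return o

def build_bundle():
    """SDOs, one SCO, a generic Relationship and a Sighting in one bundle."""
    domain = obj("domain-name", value="c2.example.invalid")
    indicator = obj("indicator", name="Constructed C2 domain", pattern_type="stix",
                    pattern="[domain-name:value = 'c2.example.invalid']", valid_from=TS)
    actor = obj("threat-actor", name="Constructed actor")
    observed = [obj("observed-data", first_observed=TS, last_observed=TS,
                    number_observed=1, object_refs=[domain["id"]]) for _ in range(2)]
    # Generic SRO: a single edge Indicator -> Threat Actor
    rel = obj("relationship", relationship_type="indicates",
              source_ref=indicator["id"], target_ref=actor["id"])
    # Sighting SRO: both Observed Data objects tied to the one Indicator in a single object
    sighting = obj("sighting", sighting_of_ref=indicator["id"],
                   observed_data_refs=[o["id"] for o in observed], count=len(observed))
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [domain, indicator, actor, *observed, rel, sighting]}

def check_refs(bundle):
    """Problems found: an SRO endpoint that is not a node in the bundle, or a
    Sighting observed_data_refs entry that is not an Observed Data object."""
    nodes = {o["id"]: o for o in bundle["objects"] if o["type"] not in SRO_TYPES}
    problems = []
    for o in bundle["objects"]:
        if o["type"] == "relationship":
            for ref in (o["source_ref"], o["target_ref"]):
                if ref not in nodes:
                    problems.append(f"{o['id']}: endpoint {ref} is not a node")
        elif o["type"] == "sighting":
            if o["sighting_of_ref"] not in nodes:
                problems.append(f"{o['id']}: sighting_of_ref is not a node")
            for ref in o.get("observed_data_refs", []):
                if nodes.get(ref, {}).get("type") != "observed-data":
                    problems.append(f"{o['id']}: {ref} is not observed-data")
    return problems
```

Running check_refs over a bundle received from a sharing partner is a cheap first gate before ingesting it into a platform, since a dangling or mistyped reference silently breaks the graph that SDOs and SROs are meant to form.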
www.cosive.com
www.eclecticiq.com