"DHS LEADS EFFORT TO TRANSITION AUTOMATED CYBERSECURITY INFORMATION SHARING SPECIFICATIONS TO INTERNATIONAL COMMUNITY
We are pleased to announce today that the US Department of Homeland Security (DHS) intends to transition the STIX™ and TAXII™ specifications for the automated exchange of cybersecurity data to the Organization for the Advancement of Structured Information Standards (OASIS), a non-profit consortium that drives the development, convergence, and adoption of open standards for the global information society.
This transition is the culmination of three years of work in collaboration with the private sector to define, develop, and implement a robust set of technical specifications to advance the state of the practice in computer network defense. From the inception of these efforts, DHS has maintained that STIX and TAXII would be transitioned to an internationally-recognized standards development organization once the specifications reached an appropriate level of maturity. That day has come, and the transition to OASIS represents an exciting next step in the continued advancement and evolution of STIX and TAXII.
OASIS has an excellent track record in successfully transitioning accepted technical specifications to voluntary consensus standards and in recognizing and building on that existing work. In addition, the global membership of OASIS mirrors the diversity of the STIX/TAXII community and includes a wide variety of government entities, technology vendors, academic institutions, and end-user organizations that have been so critical to the success of the specifications. And finally, the selection of OASIS guarantees that the entire family of STIX/TAXII specifications will always be freely available to anyone around the world.
The transition of STIX and TAXII to OASIS will provide greater transparency and stakeholder participation in the development process which will help ensure the stability and continuing viability of STIX and TAXII as true international standards. These changes have the potential to significantly increase adoption and use of STIX and TAXII and thereby strengthen global cybersecurity practices.
This transition will allow DHS to concentrate our efforts on ensuring the widest and most effective implementations of STIX and TAXII to achieve our mission. We will continue to play an active role through our participation in OASIS, and we will continue to support the development of critical documentation, tools and application programming interfaces.
The only thing that is changing is that the direction of STIX and TAXII will now be in the hands of a robust global community committed to its success. We are confident that this transition will mark the beginning of an even more vibrant and successful cybersecurity ecosystem built on STIX and TAXII that will yield significant improvements in the overall security of our cyber infrastructure."
Somewhere between order, disorder, and chaos exists the life in which we live. My views of time and space and everything else therein reflect my never-ending war with Entropy.
Thursday, April 16, 2015
Tuesday, August 26, 2014
STIX and TAXII: On the road to becoming the de facto standard
The road to blissful cyber threat intelligence sharing often feels like a bumpy dirt track in a Wild West ghost town, but there's hope on the horizon: a new language, designed to define and describe a broad swath of threat activity, is beginning to take shape. This language, known as STIX, and its transport method, called TAXII, offer security firms, industry, and government the promise of better and faster cyber threat intelligence sharing.
STIX and TAXII have been getting key support and backing from groups as diverse as the Department of Homeland Security, The MITRE Corporation, and members of various information security groups and vendors, including Blue Coat Systems. For the past 6 months, I have been heading up Blue Coat's participation in this effort.
STIX (Structured Threat Information eXpression) is a language used to communicate a set of cyber threat intelligence idioms, including:
· Threat Actors
· Campaigns
· Techniques, Tactics, and Procedures
· Exploit Targets
· Indicators
· Incidents
· Cyber-Observables
· Courses of Action
TAXII (Trusted Automated eXchange of Indicator Information) is the preferred delivery mechanism for STIX data. Technically, TAXII is a lightweight XML-over-HTTP transport protocol, specifically designed to deliver STIX data. TAXII allows publishers to share STIX data with (and, optionally, get STIX data from) subscribers, or peers to share STIX data with other peers.
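To make the "language" concrete, here is an added example (not code from the post, and not MITRE's python-stix library) that builds a minimal STIX 1.1.1 "IP Watchlist" package and parses it back using only the Python standard library. The namespace URIs, element names and xsi:type values follow the STIX 1.1.1 and CybOX 2.1 schemas; the producer prefix `example`, the ids and the IP addresses are constructed sample values. The parsing half is what a TAXII subscriber would run over each content block it receives.

```python
"""Build and parse a minimal STIX 1.1.1 package with the standard library only.

Added example, not code from the post or from MITRE's python-stix.  The
namespace URIs and element names follow the STIX 1.1.1 / CybOX 2.1 schemas;
the producer prefix, ids and addresses are constructed sample values."""
import xml.etree.ElementTree as ET

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)   # keep the conventional prefixes on output


def q(prefix, tag):
    """Clark-notation name ({uri}tag) that ElementTree uses for namespaced names."""
    return "{%s}%s" % (NS[prefix], tag)


def build_package(title, ips, producer="example"):
    """Return a STIX_Package (as XML text) holding one IP-address indicator per entry."""
    pkg = ET.Element(q("stix", "STIX_Package"),
                     {"id": "%s:Package-1" % producer, "version": "1.1.1"})
    header = ET.SubElement(pkg, q("stix", "STIX_Header"))
    ET.SubElement(header, q("stix", "Title")).text = title
    indicators = ET.SubElement(pkg, q("stix", "Indicators"))
    for n, ip in enumerate(ips, start=1):
        # STIX uses xsi:type to say which concrete schema type an element carries.
        ind = ET.SubElement(indicators, q("stix", "Indicator"),
                            {q("xsi", "type"): "indicator:IndicatorType",
                             "id": "%s:Indicator-%d" % (producer, n)})
        ET.SubElement(ind, q("indicator", "Title")).text = "Watchlist entry %s" % ip
        obs = ET.SubElement(ind, q("indicator", "Observable"),
                            {"id": "%s:Observable-%d" % (producer, n)})
        obj = ET.SubElement(obs, q("cybox", "Object"),
                            {"id": "%s:Object-%d" % (producer, n)})
        props = ET.SubElement(obj, q("cybox", "Properties"),
                              {q("xsi", "type"): "AddressObj:AddressObjectType",
                               "category": "ipv4-addr"})
        ET.SubElement(props, q("AddressObj", "Address_Value"),
                      {"condition": "Equals"}).text = ip
    return ET.tostring(pkg, encoding="unicode")


def extract_ip_watchlist(xml_text):
    """Parse a STIX 1.x package and return the address indicators it carries.

    Each result is a dict with the indicator id, title, address category,
    match condition and value.  A document that is not a STIX_Package is
    rejected rather than silently yielding nothing."""
    root = ET.fromstring(xml_text)
    if root.tag != q("stix", "STIX_Package"):
        raise ValueError("not a STIX 1.x package: root element is %s" % root.tag)
    results = []
    for ind in root.iterfind("stix:Indicators/stix:Indicator", NS):
        title = ind.findtext("indicator:Title", default="", namespaces=NS)
        for props in ind.iterfind(".//cybox:Properties", NS):
            # Only AddressObject properties carry an Address_Value.
            if props.get(q("xsi", "type")) != "AddressObj:AddressObjectType":
                continue
            for addr in props.iterfind("AddressObj:Address_Value", NS):
                results.append({
                    "id": ind.get("id"),
                    "title": title,
                    "category": props.get("category", ""),
                    "condition": addr.get("condition", "Equals"),
                    "value": (addr.text or "").strip(),
                })
    return results


if __name__ == "__main__":
    xml = build_package("Constructed IP watchlist", ["198.51.100.7", "203.0.113.9"])
    print(xml)
    for row in extract_ip_watchlist(xml):
        print(row["id"], row["category"], row["condition"], row["value"])
```

The xsi:type check matters in practice: a STIX Observable can wrap any CybOX object type (files, domains, URIs), and a consumer that blindly reads text under Properties will mis-classify those as addresses.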
The STIX and TAXII standards have matured well beyond their initial drafts and first release in 2013. In fact, major vendors are lining up to announce support, and governments, incident responders and CERTs, the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the Industrial Control Systems Information Sharing and Analysis Center (ICS-ISAC), to name a few, have already started using STIX and TAXII in their production environments.
With all new technologies and community-driven efforts, there inevitably comes a point when someone asks the question "when will this move to an official international standards body?" It is my opinion that moving right now to an international standards body would just inhibit development and slow down adoption. For the past two years, the amazing grassroots efforts of MITRE and DHS, with the help of FS-ISAC, have produced remarkable results.
In my opinion, four issues are slowing down the adoption of STIX and TAXII as the de facto standard:
Item 1: The absence of a hardened, full-featured, open source, Berkeley Software Distribution (BSD) licensed TAXII server that end users, enterprises, and vendors can easily use and adapt for their needs. A project currently underway at FS-ISAC called Avalanche may eventually fill this need. We need the TAXII equivalent of a FreeRADIUS server. It would be nice if it were highly efficient, fully featured, and written in a compiled language for performance reasons.
Item 2: Better support for creating and interpreting STIX packages. MITRE has done a lot of good work on creating and maintaining Python APIs, and there are some up-and-coming Java APIs. However, additional language support is needed; hopefully, the community will create additional bindings. Part of the issue comes from the debate among contributors about the format that the data will eventually take: XML, JSON, or Cap'n Proto. In my experience, most academics love XML, and most developers ask for anything but XML.
Item 3: A fully featured, standalone GUI client or application, or a combination of the two, that will allow someone to manually create and/or understand STIX packages from their computer and/or mobile device. Even though you can publish STIX data via TAXII, I still see people posting cyber threat information on their Web site, FTP server, or via an RSS feed. We really need a way of reading those packages, updating or changing them, and re-publishing the results back in STIX format. It would be great if this GUI tool could also talk to a remote TAXII server and query it by asking "give me the information you have about 'foo' and 'bar'". Having access to a tool like this would make it a lot easier for someone researching issues they see in their own network.
Item 4: My personal wish item is an analytics tool for the cyber threat data itself. Once you start collecting large repositories of STIX data (millions of indicators or more), it becomes difficult to see the big picture. Imagine having the ability to run some sort of analytics tool on top of your cyber threat intelligence data to make sense of it all: something that can build correlations while visually helping you research and understand the threat data you have. I could see someone taking a tool like this and overlaying their own traffic to answer interesting questions like 'what types of threat data are actually found in my network?' and 'what other entities are seeing the same types of data?' (said another way, 'what threat feeds are the most relevant for my network?').
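The "overlay your own traffic" idea in Item 4, as an added example that is not part of the post: a small correlation routine that takes IP indicators from several feeds (assumed to have already been pulled out of their STIX packages, so no STIX parsing happens here) and runs them over firewall-style log lines to answer two of the questions above, which indicators actually show up in my network and which feed is most relevant. The feed names, indicator values and log lines are all constructed sample data.

```python
"""Correlate IP indicators from several threat feeds with local traffic logs.

Added example, not code from the post.  Feed names, indicator values and the
log lines are constructed sample data; the indicators are assumed to have
already been extracted from STIX packages, so no STIX parsing happens here."""
import ipaddress
from collections import Counter, defaultdict

# Constructed indicator sets, one (feed, value) pair per indicator.  A value may
# be a single address or a CIDR block.
INDICATORS = [
    ("feed-alpha", "198.51.100.7"),
    ("feed-alpha", "203.0.113.9"),
    ("feed-beta", "203.0.113.9"),
    ("feed-beta", "192.0.2.0/24"),
    ("feed-gamma", "198.51.100.250"),
]

# Constructed firewall-style log: timestamp, source, destination, action.
# The last line is deliberately malformed to show that it is skipped, not fatal.
LOG_LINES = """\
2014-08-26T10:00:01Z 10.0.0.5 198.51.100.7 ALLOW
2014-08-26T10:00:07Z 10.0.0.8 93.184.216.34 ALLOW
2014-08-26T10:01:15Z 10.0.0.5 192.0.2.44 ALLOW
2014-08-26T10:02:00Z 10.0.0.9 203.0.113.9 DENY
2014-08-26T10:02:30Z 10.0.0.5 198.51.100.7 ALLOW
2014-08-26T10:03:00Z 10.0.0.5 not-an-address ALLOW
"""


def compile_indicators(entries):
    """Turn (feed, value) pairs into (feed, value, network) triples.  Values that
    are not IP addresses or CIDR blocks (hashes, domains) are out of scope here."""
    compiled = []
    for feed, value in entries:
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            continue
        compiled.append((feed, value, net))
    return compiled


def parse_log(text):
    """Yield one event dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, action = parts
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue
        yield {"ts": ts, "src": src, "dst": dst_ip, "action": action}


def correlate(indicators, log_text):
    """Return (hits, feed_hits, fired): the events that matched an indicator,
    the number of matching events per feed, and the indicator values per feed
    that matched at least once."""
    compiled = compile_indicators(indicators)
    hits, feed_hits, fired = [], Counter(), defaultdict(set)
    for ev in parse_log(log_text):
        matches = [(feed, value) for feed, value, net in compiled if ev["dst"] in net]
        if not matches:
            continue
        feeds = sorted({feed for feed, _ in matches})
        hits.append({**ev, "dst": str(ev["dst"]), "feeds": feeds})
        feed_hits.update(feeds)
        for feed, value in matches:
            fired[feed].add(value)
    return hits, feed_hits, fired


def rank_feeds(indicators, log_text):
    """Rank feeds by how often they matched local traffic, then by how many of
    their indicators ever matched.  Feeds with no hits stay in the list so an
    analyst can see which subscriptions contribute nothing to this network."""
    _, feed_hits, fired = correlate(indicators, log_text)
    totals = Counter(feed for feed, _ in indicators)
    ranking = [{"feed": f, "hits": feed_hits[f], "indicators_fired": len(fired[f]),
                "indicators_total": totals[f]} for f in totals]
    ranking.sort(key=lambda r: (-r["hits"], -r["indicators_fired"], r["feed"]))
    return ranking


if __name__ == "__main__":
    hits, _, _ = correlate(INDICATORS, LOG_LINES)
    for h in hits:
        print(h["ts"], h["src"], "->", h["dst"], h["action"], "feeds:", ", ".join(h["feeds"]))
    for r in rank_feeds(INDICATORS, LOG_LINES):
        print(r["feed"], "hits=%d" % r["hits"],
              "indicators fired=%d/%d" % (r["indicators_fired"], r["indicators_total"]))
```

Matching on destination only is a choice, not a rule: inbound-facing logs would check the source field, and a real deployment would index the compiled networks rather than scanning the list per event once the repository reaches the millions-of-indicators scale the post describes.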
With every user that jumps on board, every vendor that comes to the table, and every owner of a large cyber threat data set that decides to play, everyone wins and becomes more secure. As a result, that deserted bumpy road of cyber threat intelligence sharing in the middle of a Wild West ghost town will no longer be deserted, and will become a smooth paved boulevard of information exchange.
Eventually, STIX and TAXII will evolve into the de facto standard because they are the first standards collaboratively created by the people that actually WANT to share and WILL share critical cyber threat intelligence.