IT Security 101: the Structured Threat Information Expression (STIX) Standard


Introduction

In this installment of ITSEC101, I will discuss a useful standard to assist defenders with sharing threat intelligence, the Structured Threat Information Expression (STIX) standard.

STIX defines a way to structure threat intelligence data, making it easier to analyze and share the information. It was originally developed by the US Dept. of Homeland Security (DHS), and was transitioned in collaboration with MITRE to the Organization for the Advancement of Structured Information Standards (OASIS) in 2015.

As of the writing of this article, the current version is STIX 2.1.


STIX Explained

STIX is a standard lexicon for describing cyber threat intelligence (CTI) types and the relationships between them. Its purpose is to assist defenders with effectively detecting, analyzing and sharing cyber threats.

STIX uses JSON for formatting its data, allowing it to be easily shared and processed by disparate systems.

Version 2.1 comprises eighteen STIX Domain Objects (SDOs), which represent the CTI types, and two STIX Relationship Objects (SROs), which describe the connections between them.

To help explain SDOs and SROs, the tables below list each with its description.


The SDOs

Attack Pattern: This describes a category of tactics, techniques, and procedures (TTPs) used by threat actors.
Campaign: This describes a threat actor's behavior against their victims over a specific period of time.
Course of Action (CoA): This describes the preventive and reactive actions taken to mitigate a threat.
Grouping: This describes a collection of related threat intel components.
Identity: This describes individuals or groups such as threat actors, service providers, and victims.
Indicator: This describes observable, suspicious activity on a host or within a network.
Infrastructure: This describes resources used by threat actors.
Intrusion Set: This describes tactics, techniques and procedures (TTPs) consistently used by a threat actor over time.
Location: This describes the geographic region relevant to cybersecurity operations.
Malware: This describes specific malicious software used by a threat actor.
Malware Analysis: This describes the documented technical examination of malware samples (e.g., reverse engineering, behavior analysis).
Note: This provides a space for additional commentary on threat intel objects.
Observed Data: This describes the raw data collected from events, such as logs, metadata, etc.
Opinion: This describes an analyst's assessment of, or perspective on, a threat intel object.
Report: This describes a structured collection of threat intel objects for review and presentation.
Threat Actor: This describes individuals or groups responsible for cyberattacks, including motivation and affiliation.
Tool: This describes software used during cyber operations, be it malicious or legitimate.
Vulnerability: This describes system weaknesses that can be exploited by threat actors.

The SROs

Relationship: This describes the connection between SDOs.
Sighting: This describes a real-world instance of an observed SDO.

STIX in Action

Here is a simple, fictitious example to illustrate how SDOs and SROs relate.

Source SDO          Relationship SRO    Target SDO
Threat Actor        Uses                Malware
Monkey Marauders    Uses                BananaBomb

Here it is represented in STIX JSON format. Note the identifiers: each is the object's type, two hyphens, and a UUID (a string of hexadecimal digits and hyphens), and the relationship's source_ref and target_ref point at the identifiers of the two SDOs it connects.

This JSON block represents the Threat Actor SDO (the spec_version, created and modified properties are required by STIX 2.1 on every SDO and SRO; the timestamps in these blocks are placeholder values):

{
  "type": "threat-actor",
  "spec_version": "2.1",
  "id": "threat-actor--a23b4567-89cd-0123-ef45-6789abcdef01",
  "created": "2024-01-01T00:00:00.000Z",
  "modified": "2024-01-01T00:00:00.000Z",
  "name": "Monkey Marauders",
  "description": "A loosely organized cybercriminal group known for chaotic and unpredictable attacks targeting social media platforms and e-commerce sites.",
  "aliases": ["Cyber Chimps", "Banana Bandits"],
  "roles": ["hacker", "financial criminal"],
  "goals": ["disrupt online services", "data theft"],
  "sophistication": "intermediate"
}

This JSON block represents the Malware SDO:

{
  "type": "malware",
  "spec_version": "2.1",
  "id": "malware--7c8912de-456f-789a-bc01-23456789abcd",
  "created": "2024-01-01T00:00:00.000Z",
  "modified": "2024-01-01T00:00:00.000Z",
  "name": "BananaBomb",
  "description": "A mischievous malware that spreads via phishing campaigns, locking users' browsers with endless monkey-themed pop-ups.",
  "malware_types": ["adware", "trojan"],
  "is_family": false
}

This JSON block represents the Relationship SRO:

{
  "type": "relationship",
  "spec_version": "2.1",
  "id": "relationship--456789ab-cd01-2345-6789-abcdef012345",
  "created": "2024-01-01T00:00:00.000Z",
  "modified": "2024-01-01T00:00:00.000Z",
  "relationship_type": "uses",
  "source_ref": "threat-actor--a23b4567-89cd-0123-ef45-6789abcdef01",
  "target_ref": "malware--7c8912de-456f-789a-bc01-23456789abcd"
}
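As an added example (not code from the original article), here is a small stdlib-only Python linter for a STIX 2.1 bundle of the kind shown above: it checks the required common properties, checks that each id is <type>--<UUID> with a prefix matching the object's type, flags relationship refs that do not resolve inside the bundle, and turns resolvable relationships into readable "source uses target" edges. The bundle id, the second relationship (with a deliberately dangling target_ref), the Tool id and the timestamps are constructed for this example.

```python
import re
STIX_ID = re.compile(r"^([a-z][a-z0-9-]*)--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")  # <type>--<UUID>
REQUIRED = ("type", "id", "spec_version", "created", "modified")  # common properties required on every SDO/SRO
TS = "2024-01-01T00:00:00.000Z"  # placeholder timestamp for the constructed sample

def stix_obj(**props):
    """Attach the required STIX 2.1 common properties to a constructed object."""
    return {"spec_version": "2.1", "created": TS, "modified": TS, **props}

# Constructed bundle: the article's two SDOs and SRO, plus a second relationship whose target_ref
# points at a Tool object that is not in the bundle (a dangling reference the linter should flag).
ACTOR = "threat-actor--a23b4567-89cd-0123-ef45-6789abcdef01"
MALWARE = "malware--7c8912de-456f-789a-bc01-23456789abcd"
SAMPLE = {"type": "bundle", "id": "bundle--1f0c7b4e-8f3a-4d2b-9c1e-5a6b7c8d9e0f", "objects": [
    stix_obj(type="threat-actor", id=ACTOR, name="Monkey Marauders"),
    stix_obj(type="malware", id=MALWARE, name="BananaBomb", malware_types=["adware", "trojan"], is_family=False),
    stix_obj(type="relationship", id="relationship--456789ab-cd01-2345-6789-abcdef012345",
             relationship_type="uses", source_ref=ACTOR, target_ref=MALWARE),
    stix_obj(type="relationship", id="relationship--0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d",
             relationship_type="uses", source_ref=ACTOR, target_ref="tool--00000000-0000-4000-8000-000000000000"),
]}

def check_object(obj):
    """Return the problems found with one object's common properties (empty list if clean)."""
    oid = obj.get("id", "?")
    problems = [f"{oid}: missing {p}" for p in REQUIRED if p not in obj]
    m = STIX_ID.match(obj.get("id", ""))
    if not m:
        problems.append(f"{oid}: id is not <type>--<uuid>")
    elif m.group(1) != obj.get("type"):
        problems.append(f"{oid}: id prefix does not match type {obj.get('type')!r}")
    return problems

def lint_bundle(bundle):
    """Validate every object and confirm that relationship refs resolve inside the bundle."""
    ids = {o.get("id") for o in bundle["objects"]}
    problems = [p for o in bundle["objects"] for p in check_object(o)]
    for o in bundle["objects"]:
        if o.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if o.get(ref) not in ids:
                    problems.append(f"{o.get('id', '?')}: {ref} {o.get(ref)} not found in bundle")
    return problems

def edges(bundle):
    """Resolve relationships to readable (source name, relationship_type, target name) triples."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    return [(by_id[o["source_ref"]]["name"], o["relationship_type"], by_id[o["target_ref"]]["name"])
            for o in bundle["objects"]
            if o.get("type") == "relationship" and o["source_ref"] in by_id and o["target_ref"] in by_id]
```

Running lint_bundle(SAMPLE) reports only the dangling Tool reference, and edges(SAMPLE) yields the single "Monkey Marauders uses BananaBomb" edge from the article's example.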

Conclusion

STIX offers a standardized framework to describe real-world cyber threats in a format that is easy to analyze and share. It is designed to be flexible and can further be extended for additional functionality, without losing the base structure. It is another useful resource that allows defenders to identify threats, and collaborate with outside organizations to help strengthen the resiliency of the entire cyber defense community.


Daily Cuppa

Today's cup of tea is Organic Vanilla Rooibos provided by Equal Exchange. Organic, fair trade, and full of delicious aromas and flavor.

