STIX-TAXII

Learn More About ThreatConnect's STIX-TAXII Capabilities

According to the 2015 Verizon Data Breach Investigations Report, 40% of attacks hit a second organization within an hour. Sharing threat intelligence and collaborating with your peers, vendors and partners is no longer optional if you want to protect your network. ThreatConnect® supports the STIX (Structured Threat Information Expression™) and TAXII (Trusted Automated eXchange of Indicator Information™) standards in our platform. We support these emerging industry standards to enable effective sharing of cyber threat data, and our API integrations with your SIEMs, firewalls and endpoint protection solutions let you act on that data. Let's work together to make sure we stop breaches before they hit a second organization!

Threat Intelligence Platform

Using our fully integrated TAXII client, every ThreatConnect user can collect and send STIX-formatted threat intelligence from their own cloud or on-premise ThreatConnect instance. Intelligence is ingested faster, reducing the time it takes to identify and mitigate threats. ThreatConnect's combination of STIX and TAXII for machine-to-machine sharing with its API and analyst workspace for human analysis creates a complete solution for businesses and communities of every kind, whether ISACs (Information Sharing and Analysis Centers), ISAOs (Information Sharing and Analysis Organizations), or a community formed by a single enterprise and its partners.

STIX is a standardized language for representing cyber threat information. Like TAXII (see below), it is not a sharing program or tool but a component that sharing programs and tools build on. One point that often causes confusion with STIX constructs is whether to use an Incident or an Indicator. If you want to record what happened, as a history for further analysis or follow-up, use an Incident. If you want to build a list of things to look for on your network, use an Indicator.

STIX 1.x (the version current when this was written) defines eight core constructs, each answering a different question about a threat:

  • Observable (what activity was seen)
  • Indicator (what to watch for)
  • Incident (where it was seen)
  • TTP (how the adversary operates)
  • Exploit Target (what weakness is exploited)
  • Campaign (why, the intent behind a set of activity)
  • Threat Actor (who is responsible)
  • Course of Action (what to do about it)
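The Indicator/Incident distinction above, worked through in code. This is an added example, not ThreatConnect code and not from the STIX project; it uses only the Python standard library. It parses a constructed STIX 1.1.1 package, flattens the Indicators' CybOX observables into a watchlist (the "what to watch for" list), and lists Incidents separately with the indicators they reference (the "what happened" record). The package, its example:* IDs, the c2.example.com domain and the 192.0.2.10 address are made up for the example.

```python
"""Separate STIX 1.x Indicators (what to watch for) from Incidents (what
happened). Added example: standard library only, constructed sample data."""
import xml.etree.ElementTree as ET

# STIX 1.x / CybOX 2.x namespaces used by the sample package.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "stixCommon": "http://stix.mitre.org/common-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "incident": "http://stix.mitre.org/Incident-1",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed sample package (not real intelligence): two Indicators and one
# Incident that references the first of them.
SAMPLE_PACKAGE = """<stix:STIX_Package id="example:Package-1" version="1.1.1"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:incident="http://stix.mitre.org/Incident-1"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>C2 domain</indicator:Title>
      <indicator:Observable id="example:observable-1">
        <cybox:Object id="example:object-1">
          <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
            <DomainNameObj:Value condition="Equals">c2.example.com</DomainNameObj:Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Title>C2 address</indicator:Title>
      <indicator:Observable id="example:observable-2">
        <cybox:Object id="example:object-2">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value condition="Equals">192.0.2.10</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
  <stix:Incidents>
    <stix:Incident id="example:incident-1" xsi:type="incident:IncidentType">
      <incident:Title>Beaconing from a workstation</incident:Title>
      <incident:Related_Indicators>
        <incident:Related_Indicator>
          <stixCommon:Indicator idref="example:indicator-1"/>
        </incident:Related_Indicator>
      </incident:Related_Indicators>
    </stix:Incident>
  </stix:Incidents>
</stix:STIX_Package>
"""


def extract_indicators(package_xml):
    """Return (indicator_id, title, observable_type, value) tuples, one per
    leaf value found under each Indicator's CybOX Object Properties."""
    root = ET.fromstring(package_xml)
    found = []
    for ind in root.findall("stix:Indicators/stix:Indicator", NS):
        title = ind.findtext("indicator:Title", default="", namespaces=NS)
        for props in ind.findall(
                "indicator:Observable/cybox:Object/cybox:Properties", NS):
            # xsi:type is "prefix:LocalType"; keep only the CybOX type name.
            obj_type = props.get("{%s}type" % NS["xsi"], "").split(":")[-1]
            # Leaf values live in per-object namespaces (DomainNameObj,
            # AddressObj, ...), so collect any non-empty text under Properties
            # instead of hard-coding each object type.
            for leaf in props.iter():
                if leaf is props or not (leaf.text or "").strip():
                    continue
                found.append((ind.get("id"), title, obj_type, leaf.text.strip()))
    return found


def extract_incidents(package_xml):
    """Return (incident_id, title, [related indicator idrefs]) tuples."""
    root = ET.fromstring(package_xml)
    out = []
    for inc in root.findall("stix:Incidents/stix:Incident", NS):
        title = inc.findtext("incident:Title", default="", namespaces=NS)
        refs = [r.get("idref") for r in inc.findall(
            "incident:Related_Indicators/incident:Related_Indicator/"
            "stixCommon:Indicator", NS)]
        out.append((inc.get("id"), title, refs))
    return out


def to_watchlist(package_xml):
    """Flatten indicator values into {value: (type, indicator_id)}, the shape
    a blocklist or SIEM lookup table wants; Incidents are deliberately absent."""
    return {v: (t, iid) for iid, _title, t, v in extract_indicators(package_xml)}


if __name__ == "__main__":
    print("watch for:", to_watchlist(SAMPLE_PACKAGE))
    print("happened:", extract_incidents(SAMPLE_PACKAGE))
```

Only the Indicators feed the watchlist; the Incident stays as context, linked back to the indicator it was raised from by idref. When the package comes from an external feed, parse it with defusedxml rather than ElementTree directly so a hostile partner cannot slip in entity-expansion attacks.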

TAXII (Trusted Automated eXchange of Indicator Information) is not an information sharing program and does not define trust agreements; who you share with, and under what terms, is still up to you. Rather, it is a set of specifications (services, message exchanges and an HTTP transport binding) for exchanging cyber threat information, so that organizations can share with their partners without each pair inventing its own format and protocol.

TAXII supports the following three sharing models:

  • Hub and Spoke: one central clearinghouse; every participant sends to and receives from the hub.
  • Source/Subscriber: one organization is the single source of information and the others only consume it.
  • Peer-to-Peer: multiple organizations share their information directly with each other.
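The Source/Subscriber model above in practice: a Subscriber polls a Source's TAXII 1.1 collection. This is an added example, not ThreatConnect's TAXII client or any code from the page; it uses only the Python standard library and never opens a network connection. It builds the Poll_Request message and the HTTP headers the TAXII 1.1 HTTP binding requires, then applies the checks a client should make on the Poll_Response before handing its content to a STIX parser. The collection name partner-indicators, the message IDs and the response document are constructed for the example.

```python
"""Offline TAXII 1.1 poll exchange: request construction, required HTTP
headers, and validation of the response. Added example; all message IDs,
the collection name and the sample response are constructed."""
import uuid
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
STIX_BINDING = "urn:stix.mitre.org:xml:1.1.1"   # STIX 1.1.1 content binding
ET.register_namespace("taxii_11", TAXII_NS)


def _t(local):
    """Clark-notation tag for a TAXII 1.1 element."""
    return "{%s}%s" % (TAXII_NS, local)


def taxii_headers(over_https=True):
    """HTTP headers the TAXII 1.1 HTTP binding requires on a message."""
    proto = "https" if over_https else "http"
    return {
        "Content-Type": "application/xml",
        "Accept": "application/xml",
        "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
        "X-TAXII-Accept": "urn:taxii.mitre.org:message:xml:1.1",
        "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:%s:1.0" % proto,
        "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
    }


def build_poll_request(collection_name, message_id=None, begin=None):
    """Return (message_id, xml_bytes) for a Poll_Request asking for FULL
    content, in the STIX 1.1.1 binding, newer than `begin` (ISO 8601)."""
    message_id = message_id or str(uuid.uuid4().int)
    req = ET.Element(_t("Poll_Request"), message_id=message_id,
                     collection_name=collection_name)
    if begin:
        ET.SubElement(req, _t("Exclusive_Begin_Timestamp")).text = begin
    params = ET.SubElement(req, _t("Poll_Parameters"), allow_asynch="false")
    ET.SubElement(params, _t("Response_Type")).text = "FULL"
    ET.SubElement(params, _t("Content_Binding"), binding_id=STIX_BINDING)
    return message_id, ET.tostring(req, encoding="utf-8")


def parse_poll_response(xml_bytes, expected_in_response_to, collection_name):
    """Validate a Poll_Response and return (stix_package_xml_list, more).
    Raises ValueError when the response does not belong to our request."""
    # ElementTree does not fetch external entities, but a production client
    # should parse partner-supplied XML with defusedxml to block entity bombs.
    root = ET.fromstring(xml_bytes)
    if root.tag != _t("Poll_Response"):
        raise ValueError("not a Poll_Response: %s" % root.tag)
    if root.get("in_response_to") != expected_in_response_to:
        raise ValueError("in_response_to does not match our message_id")
    if root.get("collection_name") != collection_name:
        raise ValueError("response is for a different collection")
    packages = []
    for block in root.findall(_t("Content_Block")):
        binding = block.find(_t("Content_Binding"))
        # Only STIX-bound blocks go to the STIX parser; anything else is
        # skipped rather than guessed at.
        if binding is None or binding.get("binding_id") != STIX_BINDING:
            continue
        content = block.find(_t("Content"))
        for child in content:        # Content wraps one document element
            packages.append(ET.tostring(child, encoding="unicode"))
    # more="true" means further parts must be fetched with Poll_Fulfillment.
    return packages, root.get("more") == "true"


# Constructed Source reply to message "q-1": one STIX block, one block in a
# binding we do not understand.
SAMPLE_RESPONSE = b"""<taxii_11:Poll_Response
    xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
    message_id="r-1" in_response_to="q-1" collection_name="partner-indicators"
    more="false">
  <taxii_11:Content_Block>
    <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
    <taxii_11:Content>
      <stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
          id="example:Package-1" version="1.1.1"/>
    </taxii_11:Content>
  </taxii_11:Content_Block>
  <taxii_11:Content_Block>
    <taxii_11:Content_Binding binding_id="urn:example:other-binding"/>
    <taxii_11:Content><other/></taxii_11:Content>
  </taxii_11:Content_Block>
</taxii_11:Poll_Response>
"""

if __name__ == "__main__":
    mid, body = build_poll_request("partner-indicators", "q-1",
                                   "2015-06-01T00:00:00Z")
    print(taxii_headers(), body.decode(), sep="\n")
    print(parse_poll_response(SAMPLE_RESPONSE, mid, "partner-indicators"))
```

Sending the request is the part left out here: POST the body with those headers to the Source's Poll Service URL over HTTPS, authenticating however the trust agreement with that Source specifies (TAXII itself, as the text notes, says nothing about that). The in_response_to and collection_name checks stop a misrouted or replayed response from being ingested as if it answered this poll, and the binding check keeps non-STIX payloads away from the STIX parser.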