© Crown copyright 2022
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: email@example.com.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/open-standards-for-government/exchanging-cyber-threat-intelligence
Use the Structured Threat Information Expression (STIX 2) standard and the Trusted Automated eXchange of Indicator Information (TAXII 2) standard to analyse and share intelligence between government departments, industry and international partners.
1. Summary of the standards’ uses for government
When you use a cyber threat intelligence system, you must use the STIX 2 and TAXII 2 standards. Users of the STIX 2 and TAXII 2 standards are:
- analysts involved in threat intelligence and security operations centres
- operators and administrators of security enforcing technology
The standards express cyber threat intelligence in a machine-readable format. This increases the capability for machine-to-machine automated information exchange, which speeds up the threat response and also makes the intelligence more readable for users.
2. How these standards benefit users
STIX 2 describes cyber threat intelligence in a repeatable way that both users and machines understand. TAXII 2 provides the ability for you to share timely intelligence with relevant user groups in a standardised format.
Both STIX 2 and TAXII 2 help you to reduce manual administration of cyber threat intelligence. For example:
- the STIX 2 format reduces the need for you to create documents in multiple formats
- TAXII 2 reduces the need for you to distribute information by email
Other governments already use STIX 2 and TAXII 2. Security technology suppliers are also starting to use these standards. Wider use of these standards makes it easier to share analysis of threat intelligence.
These standards provide a way to link indicators of compromise (evidence of a cyber attack) to tactics, techniques and procedures (the techniques regularly used by threat actors or groups of threat actors). This will allow you to:
- identify the source of a cyber attack
- increase the view of the threats your organisation faces
- link previously un-associated events
These standards increase levels of automation but should not replace user interaction, as full automation risks creating a self-inflicted denial of service.
3. How to use these standards
Use STIX 2 to help analyse cyber threat intelligence and TAXII 2 to exchange your analysis between users or between different IT systems.
The analysis must include at least one of the 12 defined STIX 2 Domain Objects (SDOs), for example:
- attack pattern
- course of action
- intrusion set
- observed data
- threat actor
The analysis must also include at least one of the 2 STIX 2 Relationship Objects (SROs):
You can also:
- create a TAXII Collection, which is an interface to a logical collection of cyber threat intelligence
- use a TAXII Channel, which uses a publish-subscribe model so users can exchange information
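The two requirements above (at least one Domain Object and at least one Relationship Object) and the earlier point about linking indicators of compromise to tactics, techniques and procedures, shown as an added example that is not part of this publication. It builds a minimal STIX 2.1 bundle with the standard library only; the object names, the email address and the UUIDs are constructed placeholders, and the Domain Object type list is the set defined in STIX 2.0.

```python
import json
import uuid
from datetime import datetime, timezone

# The 12 STIX 2.0 Domain Object types and the 2 Relationship Object types.
SDO_TYPES = {"attack-pattern", "campaign", "course-of-action", "identity",
             "indicator", "intrusion-set", "malware", "observed-data",
             "report", "threat-actor", "tool", "vulnerability"}
SRO_TYPES = {"relationship", "sighting"}


def _now():
    # STIX timestamps are UTC, RFC 3339 style, with a trailing 'Z'.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _obj(obj_type, **props):
    # Common properties every STIX 2.1 object carries; ids are type--UUID.
    ts = _now()
    base = {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{uuid.uuid4()}", "created": ts, "modified": ts}
    base.update(props)
    return base


def build_bundle():
    """Constructed sample: one indicator (IoC) linked to one attack pattern (TTP)."""
    ttp = _obj("attack-pattern", name="Phishing (constructed example)")
    ioc = _obj("indicator", name="Phishing sender address (constructed)",
               pattern="[email-addr:value = 'sender@example.invalid']",
               pattern_type="stix", valid_from=_now())
    link = _obj("relationship", relationship_type="indicates",
                source_ref=ioc["id"], target_ref=ttp["id"])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [ttp, ioc, link]}


def meets_minimum_content(bundle):
    """The rule above: at least one SDO and at least one SRO in the analysis."""
    types = {o["type"] for o in bundle.get("objects", [])}
    return bool(types & SDO_TYPES) and bool(types & SRO_TYPES)


def ttps_for_indicators(bundle):
    """Follow 'indicates' relationships from each indicator to the TTP names it points at."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    out = {}
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "indicates":
            src, dst = by_id.get(o["source_ref"]), by_id.get(o["target_ref"])
            if src and dst and src["type"] == "indicator":
                out.setdefault(src["pattern"], []).append(dst["name"])
    return out


def to_json(bundle):
    """Serialise the bundle as it would be pushed to a TAXII Collection."""
    return json.dumps(bundle, indent=2)
```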
You should, where possible, use the STIX Elevator to convert existing data held in previous versions of STIX to STIX 2. If you need to share data in other formats, for example with international partners who do not use STIX 2 and TAXII 2, you can use conversion scripts available for MISP (Malware Information Sharing Platform). You can use these scripts as an alternative to hosting multiple platforms.
You must train users on STIX 2 to make sure they use the standard accurately and effectively.