Guidance

Exchanging cyber threat intelligence

Updated 9 August 2022

Use the Structured Threat Information Expression (STIX 2) standard and the Trusted Automated eXchange of Indicator Information (TAXII 2) standard to analyse and share intelligence between government departments, industry and international partners.

1. Summary of the standards’ uses for government

When you use a cyber threat intelligence system, you must use the STIX 2 and TAXII 2 standards. Users of the STIX 2 and TAXII 2 standards are:

  • analysts involved in threat intelligence and security operations centres
  • operators and administrators of security enforcing technology

The standards express cyber threat intelligence in a machine-readable format. This increases the capability for machine-to-machine automated information exchange, which speeds up threat response and also makes the intelligence easier for users to read.

The government chooses standards using the open standards approval process and the Open Standards Board has final approval. Read more about the process for the STIX 2 and TAXII 2 standards.

2. How these standards benefit users

STIX 2 describes cyber threat intelligence in a repeatable way that both users and machines understand. TAXII 2 provides the ability for you to share timely intelligence with relevant user groups in a standardised format.

Both STIX 2 and TAXII 2 help you to reduce manual administration of cyber threat intelligence. For example:

  • the STIX 2 format reduces the need for you to create documents in multiple formats
  • TAXII 2 reduces the need for you to distribute information by email

Other governments already use STIX 2 and TAXII 2. Security technology suppliers are also starting to use these standards. Wider use of these standards makes it easier to share analysis of threat intelligence.

These standards provide a way to link indicators of compromise (evidence of a cyber attack) to tactics, techniques and procedures (the techniques regularly used by threat actors or groups of threat actors). This will allow you to:

  • identify the source of a cyber attack
  • increase your visibility of the threats your organisation faces
  • link previously unassociated events

These standards increase levels of automation but should not replace user interaction, as full automation risks creating a self-inflicted denial of service.

3. How to use these standards

Use STIX 2 to help analyse cyber threat intelligence and TAXII 2 to exchange your analysis between users or between different IT systems.

The analysis must include at least one of the 12 defined STIX 2 Domain Objects:

  • attack pattern
  • campaign
  • course of action
  • identity
  • indicator
  • intrusion set
  • malware
  • observed data
  • report
  • threat actor
  • tool
  • vulnerability

The analysis must also include one or both of the 2 STIX Relationship Objects:

  • relationship
  • sighting
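
The following is an added example, not part of this guidance, showing how the two requirements above (at least one Domain Object and at least one Relationship Object) can be checked automatically on a STIX 2 bundle before it is published to a TAXII collection. It is plain Python with no dependencies; the STIX "type" values are the standard identifiers for the 12 Domain Objects listed above, the bundle contents and identifiers are constructed placeholders, and the example also checks that every relationship or sighting resolves to an object inside the bundle, so the link between indicator and technique survives sharing.

```python
# The 12 STIX 2 Domain Object types listed in the guidance, as their STIX "type" values
STIX_DOMAIN_OBJECTS = {"attack-pattern", "campaign", "course-of-action", "identity",
                       "indicator", "intrusion-set", "malware", "observed-data",
                       "report", "threat-actor", "tool", "vulnerability"}
# The 2 STIX Relationship Object types
STIX_RELATIONSHIP_OBJECTS = {"relationship", "sighting"}


def check_bundle(bundle):
    """Return a list of problems with a parsed STIX 2 bundle; an empty list means it passes."""
    problems = []
    if bundle.get("type") != "bundle":
        problems.append("top-level object is not a STIX bundle")
    objects = bundle.get("objects", [])
    ids = {obj.get("id") for obj in objects}
    types = {obj.get("type") for obj in objects}
    if not types & STIX_DOMAIN_OBJECTS:
        problems.append("no STIX Domain Object present")
    if not types & STIX_RELATIONSHIP_OBJECTS:
        problems.append("no relationship or sighting object present")
    for obj in objects:
        # Every reference a relationship or sighting makes must resolve inside the bundle
        if obj.get("type") == "relationship":
            refs = [obj.get("source_ref"), obj.get("target_ref")]
        elif obj.get("type") == "sighting":
            refs = [obj.get("sighting_of_ref")]
        else:
            continue
        for ref in refs:
            if ref not in ids:
                problems.append(f"{obj.get('id')} references missing object {ref}")
    return problems


# Constructed sample: an indicator linked to an attack pattern, plus a sighting of the
# indicator. Identifiers are placeholders in STIX format, not real intelligence.
AP = "attack-pattern--00000000-0000-4000-8000-000000000002"
IND = "indicator--00000000-0000-4000-8000-000000000003"
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "attack-pattern", "id": AP, "name": "Spearphishing Attachment"},
        {"type": "indicator", "id": IND, "name": "Example attachment hash",
         "pattern": "[file:hashes.'SHA-256' = 'placeholder']"},
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000004",
         "relationship_type": "indicates", "source_ref": IND, "target_ref": AP},
        {"type": "sighting", "id": "sighting--00000000-0000-4000-8000-000000000005",
         "sighting_of_ref": IND},
    ],
}
```

Running `check_bundle(SAMPLE_BUNDLE)` returns an empty list; a bundle with only Domain Objects, or with a relationship pointing at an object that was not included, is reported so it can be corrected before sharing.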

If you choose to advertise TAXII 2 services, you should provide them as a RESTful API over HTTPS, supported by DNS services.

You can also:

  • create a TAXII Collection, which is an interface to a logical collection of cyber threat intelligence
  • use a TAXII Channel, which uses a publish-subscribe model so users can exchange information

You should, where possible, use the STIX Elevator to convert existing data held in previous versions of STIX to STIX 2. If you need to share data in other formats, for example with international partners who do not use STIX 2 and TAXII 2, you can use conversion scripts available for MISP (Malware Information Sharing Platform). You can use these scripts as an alternative to hosting multiple platforms.

You must train users on STIX 2 to make sure they use the standard accurately and effectively.