What is STIX?

Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX is open source and free, so anyone interested can contribute to it and ask questions openly.

Why should you care?

Contributing and ingesting CTI becomes much easier. With STIX, all aspects of suspicion, compromise and attribution can be represented clearly with objects and descriptive relationships between them. STIX information can be visualized for an analyst or stored as JSON so that it is quickly machine readable. Because STIX is open, it can be integrated into existing tools and products or tailored to your specific analyst or network needs.

STIX 2 Objects

STIX Objects categorize each piece of information with specific attributes to be populated. Chaining multiple objects together through relationships allows for simple or complex representations of CTI. Below is a list of what can be represented through STIX.

STIX 2 defines twelve STIX Domain Objects (SDOs):

Attack Pattern: A type of Tactics, Techniques, and Procedures (TTP) that describes ways threat actors attempt to compromise targets.
Campaign: A grouping of adversarial behaviors that describes a set of malicious activities or attacks that occur over a period of time against a specific set of targets.
Course of Action: An action taken to either prevent an attack or respond to an attack.
Identity: Individuals, organizations, or groups, as well as classes of individuals, organizations, or groups.
Indicator: Contains a pattern that can be used to detect suspicious or malicious cyber activity.
Intrusion Set: A grouped set of adversarial behaviors and resources with common properties believed to be orchestrated by a single threat actor.
Malware: A type of TTP, also known as malicious code and malicious software, used to compromise the confidentiality, integrity, or availability of a victim's data or system.
Observed Data: Conveys information observed on a system or network (e.g., an IP address).
Report: Collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including contextual details.
Threat Actor: Individuals, groups, or organizations believed to be operating with malicious intent.
Tool: Legitimate software that can be used by threat actors to perform attacks.
Vulnerability: A mistake in software that can be directly used by a hacker to gain access to a system or network.

STIX 2 defines two STIX Relationship Objects (SROs):

Relationship: Used to link two SDOs and to describe how they are related to each other.
Sighting: Denotes the belief that an element of CTI was seen (e.g., indicator, malware).

A look at the structure

STIX 2 objects are represented in JSON. Every object carries the common properties type, id, created and modified, plus the properties specific to its type. The following is a JSON-based example of a STIX 2.0 Campaign object:

    {
        "type": "campaign",
        "id": "campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
        "created": "2016-04-06T20:03:00.000Z",
        "modified": "2016-04-06T20:03:00.000Z",
        "name": "Green Group Attacks Against Finance",
        "description": "Campaign by Green Group against targets in the financial services sector."
    }
(Figure: STIX 2 Relationship Example)
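To show how the Campaign object above is tied to other SDOs through the two SRO types, here is an added example that is not part of the original page or of the OASIS tooling. It is plain Python with no stix2 dependency: it builds a small STIX 2.0 bundle (the Campaign from the page, a constructed Indicator, an Identity, a Relationship and a Sighting) and then checks what a consumer would check before ingesting such data: that the common required properties are present, that ids have the form type--UUIDv4, and that every SRO reference resolves to an SDO in the bundle. All UUIDs except the Campaign's are made up, and the indicator pattern points at a reserved domain; both are assumptions for the example, not data from the page.

```python
"""Build and validate a minimal STIX 2.0 bundle without the stix2 library.

Added example; every object except the page's Campaign is constructed.
"""
import json
import re

# STIX 2.0 identifiers are "<type>--<UUIDv4>" (version nibble 4, variant 8-b).
ID_RE = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
)

# Properties every STIX 2.0 object must carry, plus per-type required ones
# for the types used in this example.
COMMON_REQUIRED = {"type", "id", "created", "modified"}
TYPE_REQUIRED = {
    "campaign": {"name"},
    "identity": {"name", "identity_class"},
    "indicator": {"labels", "pattern", "valid_from"},
    "relationship": {"relationship_type", "source_ref", "target_ref"},
    "sighting": {"sighting_of_ref"},
}
SRO_TYPES = {"relationship", "sighting"}


def validate_object(obj):
    """Return a list of problems with one STIX object (empty list means ok)."""
    problems = []
    otype = obj.get("type")
    missing = (COMMON_REQUIRED | TYPE_REQUIRED.get(otype, set())) - set(obj)
    for prop in sorted(missing):
        problems.append(f"{otype}: missing required property '{prop}'")
    oid = obj.get("id", "")
    if not ID_RE.match(oid):
        problems.append(f"{otype}: id '{oid}' is not '<type>--<UUIDv4>'")
    elif oid.split("--", 1)[0] != otype:
        problems.append(f"{otype}: id prefix does not match type")
    return problems


def validate_bundle(bundle):
    """Validate each object, then check that SRO references resolve to SDOs."""
    if bundle.get("type") != "bundle" or "objects" not in bundle:
        return ["not a bundle"]
    objects = bundle["objects"]
    by_id = {o.get("id"): o for o in objects}
    problems = []
    for o in objects:
        problems += validate_object(o)
    for o in objects:
        if o.get("type") == "relationship":
            refs = [o.get("source_ref"), o.get("target_ref")]
        elif o.get("type") == "sighting":
            refs = [o.get("sighting_of_ref")] + o.get("where_sighted_refs", [])
        else:
            continue  # SDOs carry no structural references to check here
        for ref in refs:
            target = by_id.get(ref)
            if target is None:
                problems.append(f"{o['type']} {o.get('id')}: dangling reference {ref}")
            elif target.get("type") in SRO_TYPES:
                # A Relationship or Sighting must point at SDOs, not at other SROs.
                problems.append(f"{o['type']} {o.get('id')}: {ref} is an SRO, not an SDO")
    return problems


def build_bundle():
    """Constructed sample: campaign, indicator, identity, relationship, sighting."""
    ts = "2016-04-06T20:03:00.000Z"  # same timestamp reused for brevity
    campaign = {
        "type": "campaign",
        "id": "campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
        "created": ts, "modified": ts,
        "name": "Green Group Attacks Against Finance",
        "description": "Campaign by Green Group against targets in the financial services sector.",
    }
    indicator = {  # constructed; the pattern uses a reserved domain
        "type": "indicator",
        "id": "indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
        "created": ts, "modified": ts,
        "labels": ["malicious-activity"],
        "pattern": "[domain-name:value = 'green-group-c2.example']",
        "valid_from": ts,
    }
    identity = {  # constructed victim organization
        "type": "identity",
        "id": "identity--e5f1b90a-d9b2-4cbd-b4f1-2a8c1ff01a00",
        "created": ts, "modified": ts,
        "name": "Example Bank", "identity_class": "organization",
    }
    relationship = {  # SRO: the indicator "indicates" the campaign
        "type": "relationship",
        "id": "relationship--f82356ae-f9d5-4b6f-b7ad-1a5b0f3c1e2a",
        "created": ts, "modified": ts,
        "relationship_type": "indicates",
        "source_ref": indicator["id"], "target_ref": campaign["id"],
    }
    sighting = {  # SRO: the indicator was seen three times at the bank
        "type": "sighting",
        "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
        "created": ts, "modified": ts,
        "sighting_of_ref": indicator["id"],
        "where_sighted_refs": [identity["id"]],
        "count": 3,
    }
    return {
        "type": "bundle",
        "id": "bundle--5d0092c5-5f74-4287-9642-33f4c354e56d",
        "spec_version": "2.0",
        "objects": [campaign, indicator, identity, relationship, sighting],
    }


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle))
```

The reference checks are the part worth copying: a Relationship whose target_ref is missing from the feed, or that points at another Relationship, is the most common way a shared bundle silently loses meaning. The OASIS-maintained stix2 and stix2-validator Python packages perform these and many more checks; the point here is only to show what the JSON structure commits a producer to.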

Complete information for STIX 2 is available on the OASIS Cyber Threat Intelligence (CTI) Technical Committee (TC) website. Specification documents, schemas and tools are also available.

Objects Overview

The video below provides an overview of STIX 2 objects. It highlights the four types of objects in STIX 2: STIX Domain Objects (SDOs), STIX Relationship Objects (SROs), Marking Definition objects, and Bundle objects.