CompTIA Security+ Exam Notes

Let Us Help You Pass

Tuesday, October 15, 2024

TAXII


Trusted Automated eXchange of Intelligence Information (TAXII) is a protocol for exchanging cyber threat information (CTI) across organizations and services. TAXII is a transport mechanism that uses Hypertext Transfer Protocol Secure (HTTPS) to transfer STIX insights.

TAXII is a U.S. Department of Homeland Security initiative that enables organizations to share CTI to detect, prevent, and mitigate cyber threats. TAXII is not a specific application or information-sharing initiative; it provides the tools to help organizations share CTI with their chosen partners.

TAXII defines a set of requirements for TAXII clients and servers and a RESTful API that supports various sharing models. The three main TAXII models are:

Hub and spoke: A single repository of information

Source/subscriber: A single source of information

Peer-to-peer: Multiple groups share information

TAXII is a good starting point for those new to threat intelligence.

STIX


Structured Threat Information eXpression (STIX) is a free, open-source language that allows users to share and analyze cyber threat intelligence (CTI) in a consistent, human-readable format:

Purpose

STIX is a standardized language that allows users to share CTI in a way that can be easily understood by both humans and security technologies.

Features

STIX is flexible, extensible, and automatable. It uses a JSON-based lexicon to describe threats in terms of their motivations, abilities, capabilities, and responses.

Benefits

STIX allows users to share and analyze CTI quickly and consistently, which can help them understand threats and act proactively or defensively.

Community

STIX is a collaborative, community-driven effort that welcomes participation from anyone interested.

Integration

STIX can be integrated into existing tools and products or used for specific analyst or network needs.

Transport

STIX is often used with Trusted Automated eXchange of Intelligence Information (TAXII), a transport protocol that supports transferring STIX insights over HTTPS.
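To make the JSON format and the TAXII pairing concrete, here is an added example (not from the original notes) of how a consumer could vet STIX 2.1 indicators received in a TAXII 2.1 envelope before loading them into a detection tool. The function names, the sample envelope and every value in it are constructed for illustration.

```python
import json
import re
from datetime import datetime, timezone

# STIX identifiers have the form "<object-type>--<UUID>".
STIX_ID = re.compile(r"^([a-z0-9-]+)--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from")  # required on an indicator

def parse_ts(value):
    # STIX timestamps are RFC 3339 in UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def active_indicators(envelope_json, now):
    """Split the indicators in a TAXII envelope into (accepted, rejected)."""
    accepted, rejected = [], []
    for obj in json.loads(envelope_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue  # other STIX object types are ignored here
        oid = str(obj.get("id", "<missing id>"))
        missing = [key for key in REQUIRED if key not in obj]
        match = STIX_ID.match(oid)
        if missing:
            rejected.append((oid, "missing " + ",".join(missing)))
        elif not match or match.group(1) != "indicator":
            rejected.append((oid, "malformed id"))
        elif "valid_until" in obj and parse_ts(obj["valid_until"]) <= now:
            rejected.append((oid, "expired"))
        elif parse_ts(obj["valid_from"]) > now:
            rejected.append((oid, "not yet valid"))
        else:
            accepted.append((oid, obj["pattern"]))
    return accepted, rejected

def _sample(digit, pattern, **extra):
    ts = "2024-01-01T00:00:00Z"
    return {"type": "indicator", "spec_version": "2.1", "created": ts,
            "id": "indicator--" + "-".join(digit * n for n in (8, 4, 4, 4, 12)),
            "modified": ts, "valid_from": ts, "pattern_type": "stix",
            "pattern": pattern, **extra}

# Constructed TAXII 2.1 envelope, as a server could return for a collection.
SAMPLE_ENVELOPE = json.dumps({"more": False, "objects": [
    _sample("1", "[domain-name:value = 'bad.example']"),
    _sample("2", "[ipv4-addr:value = '198.51.100.7']", valid_until="2024-06-01T00:00:00Z"),
    _sample("3", "[url:value = 'http://bad.example/x']", id="indicator--oops"),
    {"type": "identity", "id": "identity--" + "4" * 8},  # not an indicator
]})
NOW = datetime(2024, 10, 15, tzinfo=timezone.utc)  # constructed evaluation time
```

Calling `active_indicators(SAMPLE_ENVELOPE, NOW)` accepts only the first indicator; the second is rejected as expired and the third for its malformed identifier.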