STIX 2.0 Finish Line

April 12, 2017
Cyber Threat Intelligence: Post by John Wunder

After over a year of dedicated effort and years of building the foundation, the OASIS Cyber Threat Intelligence Technical Committee (CTI TC) voted in March 2017 to approve STIX 2.0 as a Committee Specification Draft and commence a 30-day public review, which ended April 6. Speaking as a co-chair of the STIX subcommittee in the CTI TC, I can say this is a big deal.

Before exploring what this means, let's jump back a bit. STIX (Structured Threat Information eXpression) was originally conceived as a language to describe cyber threat intelligence. This was groundbreaking at the time because it was the first language to provide a definition of cyber threat intelligence. Although it’s a bit of a fuzzy term, cyber threat intelligence generally describes information about adversaries and their behaviors that can inform defensive actions. For example, knowing that a certain adversary targets financial institutions by using specially crafted spear-phishing emails, and then delivers Trojans that will reach out to a certain set of websites that are known to be malicious, can be very helpful in defending against the attack. STIX captures that type of intelligence in a machine-readable form so that it can be shared among organizations and tools.

The DHS Office of Cybersecurity and Communications funded MITRE, beginning in 2012, to act as the technical developer of STIX and serve as a community facilitator to jumpstart STIX. Once some level of maturity was reached, STIX would be transitioned to an international standards body. That goal was realized in 2015 when governance of STIX was transitioned to OASIS, an international standards consortium. This was a big step for STIX and a big success for DHS, MITRE, and the community because it meant that STIX was on its way to becoming an international standard. Although DHS and MITRE continue to serve in several leadership positions in the CTI TC, the majority of the leadership and the vast majority of participants in the TC are from industry. In fact, the OASIS CTI TC was founded with more participants than any other TC in OASIS history. It's that community that led the development of STIX 2.0.

Standards work tends to be slow and deliberative, but the CTI TC set an aggressive goal to have something done within a year after chartering the TC. That meant that everyone in the community had to make tough compromises to reach a hard-fought consensus. It meant forging new ground with OASIS and doing our development on Google Docs, GitHub, and Slack rather than email lists and Word documents. It meant participants from New Zealand and Tokyo somehow waking up and dialing in to working meetings held at 2 AM their time. It meant 4-hour editorial sessions to make sure that the language was as good as it could be. Though it took longer than a year, the result of all that work is the approval of STIX 2.0 as a Committee Specification Draft by the TC.

By approving the Committee Specification Draft and opening the public review period, the CTI TC agrees that what we’ve done so far is worth continuing.

We realize, of course, that 2.0 is not the finish line for STIX itself. While 2.0 is a big step forward toward an industry standard, there's still work to do. The community has already started on STIX 2.1, which will address some areas that were deferred in order to build out the basic framework. For example, the community will tackle incident response features like an incident and event object, more in-depth modeling of malware and infrastructure, and feedback mechanisms such as opinions and intel notes. It's likely that the deadline will be just as aggressive and the community will again need to step up to get it done.

Also, as I write this, others in the TC are still hard at work on finishing TAXII 2.0. TAXII is a high-level protocol for moving cyber threat intelligence (primarily STIX) data around between systems and tools. We expect that, within the coming months, TAXII will be achieving this same milestone and opening its own public review period.

If you're interested in learning more about STIX 2.0 or TAXII 2.0, the documentation page is the best place to start.