STIX (Structured Threat Information eXpression)
Definition
An OASIS open standard that defines a JSON-based language for describing cyber threat intelligence. STIX 2.1 defines objects for indicators, threat actors, campaigns, malware, attack patterns, and the relationships between them.
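The definition above can be made concrete with a small STIX 2.1 bundle. The following Python is an added example (not from the page, not the OASIS reference implementation, and not the `stix2` library): it builds an Indicator, a Malware object and the `indicates` Relationship between them as plain dictionaries, then checks the properties STIX 2.1 requires of every domain and relationship object and that each relationship's `source_ref` and `target_ref` resolve inside the bundle. All sample values (the object names, the all-zero SHA-256 in the pattern) are constructed placeholders, not real indicators.

```python
"""Minimal STIX 2.1 bundle builder and consistency checker.
Added example using plain dicts; assumes nothing beyond the Python standard library."""
import json
import uuid
from datetime import datetime, timezone

SPEC_VERSION = "2.1"

# Common properties STIX 2.1 requires on every SDO and SRO.
COMMON_REQUIRED = ("type", "spec_version", "id", "created", "modified")


def utc_now():
    """RFC 3339 timestamp with millisecond precision, the form STIX 2.1 uses."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def new_id(stix_type):
    """STIX identifiers are '<type>--<UUID>'; UUIDv4 is the recommended form for SDOs/SROs."""
    return f"{stix_type}--{uuid.uuid4()}"


def make_indicator(pattern, name, created, pattern_type="stix"):
    """Indicator SDO: 'pattern', 'pattern_type' and 'valid_from' are required by the spec."""
    return {
        "type": "indicator",
        "spec_version": SPEC_VERSION,
        "id": new_id("indicator"),
        "created": created,
        "modified": created,
        "name": name,
        "pattern": pattern,
        "pattern_type": pattern_type,
        "valid_from": created,
    }


def make_malware(name, created, is_family=False):
    """Malware SDO: 'is_family' is a required boolean in STIX 2.1."""
    return {
        "type": "malware",
        "spec_version": SPEC_VERSION,
        "id": new_id("malware"),
        "created": created,
        "modified": created,
        "name": name,
        "is_family": is_family,
    }


def make_relationship(source, target, relationship_type, created):
    """Relationship SRO linking two objects by id, e.g. indicator --indicates--> malware."""
    return {
        "type": "relationship",
        "spec_version": SPEC_VERSION,
        "id": new_id("relationship"),
        "created": created,
        "modified": created,
        "relationship_type": relationship_type,
        "source_ref": source["id"],
        "target_ref": target["id"],
    }


def make_bundle(objects):
    """A Bundle is a plain transport container; it carries no spec_version of its own."""
    return {"type": "bundle", "id": new_id("bundle"), "objects": list(objects)}


def validate_bundle(bundle):
    """Return a list of problems found; an empty list means the bundle passed the checks."""
    errors = []
    ids = set()
    for obj in bundle.get("objects", []):
        for prop in COMMON_REQUIRED:
            if prop not in obj:
                errors.append(f"{obj.get('id', '?')}: missing required property '{prop}'")
        obj_id = obj.get("id", "")
        if not obj_id.startswith(obj.get("type", "") + "--"):
            errors.append(f"{obj_id}: id prefix does not match object type")
        ids.add(obj_id)
    # Relationships must point at objects that are actually present in the bundle.
    for obj in bundle.get("objects", []):
        if obj.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in ids:
                    errors.append(f"{obj.get('id', '?')}: {ref} {obj.get(ref)} not found in bundle")
    return errors


def build_example_bundle(created=None):
    """Constructed sample: a file-hash indicator that 'indicates' a malware object."""
    created = created or utc_now()
    placeholder_sha256 = "0" * 64  # constructed placeholder, not a real hash
    indicator = make_indicator(
        f"[file:hashes.'SHA-256' = '{placeholder_sha256}']",
        "Constructed sample file hash", created)
    malware = make_malware("sample-dropper (constructed)", created)
    link = make_relationship(indicator, malware, "indicates", created)
    return make_bundle([indicator, malware, link])


if __name__ == "__main__":
    bundle = build_example_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle))
```

Run it directly to print the JSON bundle; feeding the output of `validate_bundle` into an ingestion pipeline is a cheap guard against dangling `_ref` values, which are a common cause of silently dropped relationships when bundles from different producers are merged.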
Related terms
- Domain generation algorithm (DGA)
- Code embedded in malware that produces a large set of pseudo-random domain names on a scheduled basis. The malware tries each until...
- Indicator of Compromise (IoC)
- An observable artefact that suggests a system has been involved in a malicious event. Static analysis produces file-based IoCs: cryptographic hashes, embedded...
- IoC (Indicator of Compromise)
- Observable artefact linked to malicious activity. File hashes (MD5, SHA-256, ImpHash, ssdeep, TLSH), IPs, domains, URLs, registry keys, mutex names, named pipes,...
- ISAC (Information Sharing and Analysis Center)
- A sector-specific membership organisation that collects, analyses, and redistributes threat intelligence among its members under confidentiality agreements. Examples include FS-ISAC (financial services),...
- MISP (Malware Information Sharing Platform)
- An open-source threat intelligence platform that enables structured sharing of IOCs and threat intelligence using STIX and other formats. Widely deployed by...
- Pyramid of Pain
- A model proposed by David Bianco that ranks IOC types by the cost to an attacker of changing them when defenders start...
- TAXII (Trusted Automated eXchange of Indicator Information)
- An OASIS open standard that defines an HTTPS-based protocol for transporting STIX content between organisations. A TAXII server exposes collections; clients poll...
- TAXII (Trusted Automated eXchange of Intelligence Information)
- The transport protocol companion to STIX. TAXII defines how STIX data is exchanged between servers and clients over HTTPS, enabling automated ingestion...
- Threat intelligence
- Processed, analysed information about adversaries, their capabilities, and their current or anticipated activities. Includes strategic intelligence (actor motivations and trends) and tactical...
- Traffic Light Protocol (TLP)
- A standardised colour-coded scheme for marking intelligence sharing restrictions. TLP:RED is for named recipients only; TLP:AMBER is for members' organisations; TLP:GREEN is...
Explained in these topics
- Indicators of Compromise: Identification and Use. An open standard that defines a data model for representing threat intelligence objects, including IOCs, threat actors, campaigns, and TTPs. STIX 2.1 is the cu...
- Intelligence Sources, Feeds and Sharing Platforms. An OASIS open standard that defines a JSON-based language for describing cyber threat intelligence. STIX 2.1 defines objects for indicators, threat actors, cam...