Skip to content ↓ | Skip to navigation ↓

Information related to cyber security events plays an important role for systems that protect our cyber assets. One way to increase the robustness of existing cyber security systems will be to expand the information horizon from within which we collect security event information.

Fortunately, a number of initiatives based on establishing cyber security information exchange technologies are gaining momentum. One such initiative is TAXII (Trusted Automated eXchange of Indicator Information). There are others such as CyBEX (Cybersecurity information EXchange framework) and CIF (the Collective Intelligence Framework). However, TAXII will be the focus of this article.

TAXII is an open, community-driven, standardization effort led by the U.S. Department of Homeland Security (DHS) and facilitated by the MITRE Corporation, which is a not-for-profit organization that serves as a community coordinator for TAXII.

The basic premise underlying initiatives such as TAXII is that organizations can benefit by sharing security event information. As such, TAXII’s objective is to establish a framework for standardized, trusted, and automated exchanges of cyber threat information.

Organizations can use TAXII services and message exchanges in order to share security event information with one another so that emerging cyber threats and attacks can be detected and mitigated more quickly than with existing non-information sharing technologies.

For example, if an organization detects a cyber threat T, it can distribute information that describes T via TAXII to other organizations. These recipient organizations can then implement preemptive security controls and countermeasures that prevent adverse effects caused by T.

TAXII is not a stand-alone initiative. It is tightly coupled to other initiatives such as the following:

  • STIX (Structured Threat Information eXpresssion)
    • STIX is an initiative seeking to define standardized and structured representations of cyber threat information.
  • CybOX (Cyber Observable eXpression)
    • CybOX is a structured language that describes entities within an organization’s cyber operational environment.
  • MAEC (Malware Attribute Enumeration and Characterization)
    • MAEC is a structured language for describing malware attributes.

STIX, CybOX, and MAEC are, similar to TAXII, led by DHS and facilitated by MITRE.

The inter-relationship of these initiatives is as follows. STIX uses languages such as (but not limited to) CybOX and MAEC to represent cyber security event information, and TAXII serves as the transport mechanism for STIX information.

Recently, Microsoft announced that it intends to support TAXII and STIX. According to a blog post describing new MAPP (Microsoft Active Protections Program) initiatives:

“Through this new program, MAPP for Responders, we are working to build new partnerships and community collaborations that will enable strategic knowledge exchange. Microsoft intends to contribute to this effort by sharing threat indicators such as malicious URLs, file hashes, incident data and relevant detection guidance. Employing a “give to get” model, the community will benefit when data they provide is enriched by aggregating it with data from others.”

The blog post goes on to say:

“Effective knowledge exchange requires automation and a common format. To accomplish this, we plan to support Mitre’s STIX (Structured Threat Information Expression) and TAXII (Trusted Automated eXchange of Indicator Information) specifications. As open specifications for the formatting and transport of information, STIX and TAXII are starting to see broad adoption. Regardless of format, we want to serve customers by facilitating the flow of threat intelligence to organizations who can capitalize on it. As such, we will also seek to build transforms for other commonly used formats. This effort is currently in development and we intend to launch a pilot in the near future.”

For those of us who are interested in global-scale cyber security information exchanges, this type of announcement is good news because it could lead to other organizations adopting the ideas and technologies related to TAXII (or other similar initiatives).


Related Articles:


P.S. Have you met John Powers, supernatural CISO?


Title image courtesy of ShutterStock