
STIX and TAXII Explained: The Language of CTI

Updated Feb 11, 2026

In the early days of CTI, analysts shared Indicators of Compromise (IOCs) via PDFs and spreadsheets. This manual process is too slow for modern defense: by the time an analyst has manually blocked an IP address, the attacker has already moved to new infrastructure.


To solve this, OASIS Open developed two standards to let security machines talk to each other directly.

STIX (Structured Threat Information Expression)

Think of STIX as the Language. It is a JSON-based format that describes threat data in a way computers can understand and parse. It defines objects such as:

  • Threat Actor: Who is doing it?
  • Campaign: What are they trying to do?
  • Sighting: Where was it seen?
  • Indicator: What does it look like?

TAXII (Trusted Automated Exchange of Intelligence Information)

Think of TAXII as the Transport (like a taxi). It is the protocol (essentially an HTTPS API) that defines how STIX content is exchanged between a TAXII server and its clients, for example how a client discovers a server's collections and pulls the objects in them.

How They Work Together

  1. A CTI provider creates intelligence about a new threat using STIX.
  2. Your organization's Firewall or SIEM connects to the provider's TAXII server.
  3. The data is pulled automatically, and blocking rules are applied without human intervention.
  4. This automation frees up analysts to focus on Strategic Intelligence.
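The following is an added example, not code from the original post: it builds a small STIX 2.1 bundle containing the four object types listed above (Threat Actor, Campaign, Indicator, Sighting) plus the Relationships that tie them together, wraps the objects in the envelope shape a TAXII 2.1 server returns for a collection's objects, and then does what the SIEM or firewall in the workflow does at step 3: parses each Indicator's pattern into a blockable rule. Every identifier, timestamp and IOC value is constructed for illustration; the object and envelope shapes follow the STIX 2.1 and TAXII 2.1 specifications, but the helper and function names are this example's own.

```python
"""Added example (not from the original post): a STIX 2.1 bundle, a TAXII 2.1
style objects envelope, and the consumer-side step that turns Indicator
patterns into firewall/SIEM rules. All ids, timestamps and IOCs are constructed."""
import json
import re
import uuid

STIX_VERSION = "2.1"
NOW = "2026-02-11T00:00:00.000Z"  # constructed timestamp


def _stix_object(obj_type, **fields):
    """Build a STIX object with the common required properties.
    Ids are '<type>--<uuid>' per the STIX 2.1 spec."""
    obj = {
        "type": obj_type,
        "spec_version": STIX_VERSION,
        "id": f"{obj_type}--{uuid.uuid4()}",
        "created": NOW,
        "modified": NOW,
    }
    obj.update(fields)
    return obj


def build_sample_bundle():
    """Answer the post's four questions: who (threat-actor), what (campaign),
    what it looks like (indicator), where it was seen (sighting)."""
    actor = _stix_object("threat-actor", name="Example Actor (constructed)")
    campaign = _stix_object("campaign", name="Example Campaign (constructed)")
    ip_ind = _stix_object(
        "indicator", name="Constructed C2 address",
        pattern="[ipv4-addr:value = '198.51.100.7']",  # TEST-NET-2 documentation range
        pattern_type="stix", valid_from=NOW)
    dns_ind = _stix_object(
        "indicator", name="Constructed C2 domain",
        pattern="[domain-name:value = 'c2.example.invalid']",
        pattern_type="stix", valid_from=NOW)
    # A compound pattern: valid STIX, but beyond what the simple parser below handles.
    seq_ind = _stix_object(
        "indicator", name="Constructed two-step pattern",
        pattern="[ipv4-addr:value = '198.51.100.8'] FOLLOWEDBY "
                "[domain-name:value = 'c2.example.invalid']",
        pattern_type="stix", valid_from=NOW)
    # Relationship objects link campaign -> actor and indicator -> campaign.
    rel_attr = _stix_object("relationship", relationship_type="attributed-to",
                            source_ref=campaign["id"], target_ref=actor["id"])
    rel_ind = _stix_object("relationship", relationship_type="indicates",
                           source_ref=ip_ind["id"], target_ref=campaign["id"])
    sighting = _stix_object("sighting", sighting_of_ref=ip_ind["id"], count=3)
    return {
        "type": "bundle",
        "id": f"bundle--{uuid.uuid4()}",
        "objects": [actor, campaign, ip_ind, dns_ind, seq_ind, rel_attr, rel_ind, sighting],
    }


def taxii_objects_envelope(bundle):
    """Shape of a TAXII 2.1 'Get Objects' response: objects are returned in an
    envelope ({"more", "objects"}), not in a bundle. A real server would also set
    Content-Type: application/taxii+json;version=2.1 and may page with 'next'."""
    return {"more": False, "objects": bundle["objects"]}


# Only single-comparison patterns are handled; real STIX patterns may combine
# observations with AND/OR/FOLLOWEDBY, so unsupported ones are reported, not dropped.
_SIMPLE_PATTERN = re.compile(
    r"^\[(ipv4-addr|ipv6-addr|domain-name|url):value\s*=\s*'([^']*)'\]$")


def extract_block_rules(envelope):
    """Turn each Indicator into a (type, value) rule a firewall/SIEM could apply.
    Skips revoked indicators and non-STIX pattern types; returns the ids of
    indicators whose patterns this simple parser cannot handle."""
    rules, unsupported = [], []
    for obj in envelope.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        m = _SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if m and obj.get("pattern_type") == "stix":
            rules.append((m.group(1), m.group(2)))
        else:
            unsupported.append(obj["id"])
    return rules, unsupported


if __name__ == "__main__":
    # Round-trip through JSON, as the data would arrive over TAXII.
    env = json.loads(json.dumps(taxii_objects_envelope(build_sample_bundle())))
    rules, unsupported = extract_block_rules(env)
    print("block rules:", rules)
    print("need a full pattern parser:", unsupported)
```

Note the design choice in `extract_block_rules`: an automated pipeline that silently drops patterns it cannot parse gives analysts a false sense of coverage, so unparsed indicators are returned separately for review instead of being discarded.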
