CTI Standards & Frameworks
Standards and frameworks provide structures to rationalise the distribution and use of threat intel across industries. They also allow for common terminology, which helps in collaboration and communication. Here, we briefly look at some essential standards and frameworks commonly used.
- MITRE ATT&CK
- TAXII
- STIX
- Cyber Kill Chain
- The Diamond Model
TAXII
The Trusted Automated eXchange of Indicator Information (TAXII) defines protocols for securely exchanging threat intel to have near real-time detection, prevention and mitigation of threats. The protocol supports two sharing models:
- Collection: Threat intel is collected and hosted by a producer upon request by users using a request-response model.
- Channel: Threat intel is pushed to users from a central server through a publish-subscribe model.
STIX
Structured Threat Information Expression (STIX) is a language developed for the “specification, capture, characterisation and communication of standardised cyber threat information”. It provides defined relationships between sets of threat info such as observables, indicators, adversary TTPs, attack campaigns, and more.