NOTE: This wiki is provided by the OASIS standards consortium as a collaborative tool for members of the OASIS Cyber Threat Intelligence (CTI) Technical Committee, who are permitted to post to these pages. As this is an official workspace of the TC, the OASIS IPR Policy and other OASIS rules apply to its use. To learn more about the work of the TC, send a comment, or join this effort, visit the OASIS Cyber Threat Intelligence (CTI) TC homepage.
Wiki pages are transient documents, so intermediate edits may not be saved. TC members should move all permanent work and stable artifacts to the TC's document repository, where the archival work product of the TC also can be viewed by the public.
About the CTI TC
- The STIX and TAXII standards are governed by the OASIS Cyber Threat Intelligence Technical Committee (CTI TC). STIX and TAXII were created in 2012 under the auspices of the US Department of Homeland Security. In June of 2015, DHS licensed all of the intellectual property and trademarks associated with STIX and TAXII to OASIS, a nonprofit consortium that drives the development, convergence and adoption of open standards for the global information society. Since June of 2015, the CTI TC has been working to create the next generation of STIX and TAXII standards.
The current leadership:
Chair: Richard Struse ( firstname.lastname@example.org ), MITRE Corporation
Secretary: Jane Ginn ( email@example.com ), Cyber Threat Intelligence Network, Inc. (CTIN)
Sarah Kelley ( Sarah.Kelley@cisecurity.org ), CIS
John Wunder ( firstname.lastname@example.org ), MITRE Corporation
Mark Davidson ( Mark.Davidson@nc4.com ), NC4
Bret Jordan ( email@example.com ), Symantec Corp.
Ivan Kirillov ( firstname.lastname@example.org ), MITRE Corporation
Trey Darley ( email@example.com ), New Context Services, Inc.
Jason Keirstead ( Jason.Keirstead@ca.ibm.com ), IBM
Video Overview - Interview of Chairman Richard Struse
About STIX 2.x
- STIX — the Structured Threat Information eXpression — is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX enables organizations to share CTI with one another in a consistent and machine-readable manner, allowing security communities to better understand what computer-based attacks they are likely to see and to better prepare for and/or respond to those attacks faster and more effectively. STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more.
See the FAQ
STIX 2.0 Committee Specification (CS) - WD03
About TAXII 2.x
- TAXII — the Trusted Automated Exchange of Intelligence Information — is an application layer protocol for the communication of CTI in a simple and scalable manner over HTTPS. TAXII enables organizations to share CTI by defining a standard API that aligns with common sharing models. TAXII is specifically designed to support the exchange of CTI represented in STIX.
See the FAQ
TAXII 2.0 Specification (CS) - WD02
- The Interoperability Subcommittee of the CTI TC has developed a 2-Part Committee Note that establishes a step-by-step guide to a self-certification process. Once a Producer of STIX feeds, a vendor providing a Threat Intelligence Platform (TIP), a vendor providing a Security Incident and Event Management (SIEM) tool, a vendor that provides threat mitigation systems (TMS), or a vendor that provides threat detection systems (TDS) executes the steps outlined, demonstrates successful interoperability, and documents the results, that supplier may submit a statement to OASIS testifying to the self-certification. We are using TMS to refer to tools such as firewalls and intrusion prevention systems. We are using TDS to refer to tools such as intrusion detection software and web proxies.
We are using the following four use cases:
- Threat indicator sharing (of IOCs);
- Threat detection and sighting sharing (from TMSs to crowdsourcing threat intelligence among members of a trust community);
- Threat intelligence version challenges (for updates and revisions to intelligence data sharing); and
- Intelligence data markings (determining the sharing opportunities and constraints applied to a trust community).
- STIX 2.0 Interoperability Test Document Part 1
- STIX 2.0 Interoperability Test Document Part 2 [Link to be added when complete]
Logos noting STIX2 'Preferred' and TAXII2 'Preferred' Status will be made available to vendors that self-certify
- The CTI TC has monthly meetings of the entire membership. They are scheduled for the third Thursday of each month and two sessions are held – one at 11AM US Eastern time and another at 9PM US Eastern time (we hold two meetings in order to make it easier for members in different time zones to participate). Attendance at the monthly meeting (either time) is required to gain/retain voting rights according to OASIS rules. You must attend two consecutive meetings to gain your voting rights, and if you miss two consecutive monthly meetings, you lose your voting rights until such time as you have attended two in a row. You’ll need to log into the OASIS Kavi platform during the meeting to record your attendance. We use these records to maintain our voting rights records. In addition to the monthly meetings, the TC has a regular “working call” scheduled every Tuesday at 3PM Eastern time. This call is used to discuss technical topics. In addition to the monthly meetings, the CTI TC has historically held three face-to-face (F2F) meetings a year to discuss technical topics. These normally last two days and we make every effort to host the meetings in a variety of locations. While we encourage in-person participation, we also provide an audio/video stream to enable remote attendees. As we move into the implementation stage of the STIX 2.x and TAXII 2.x standards, we will also be holding Plugfests, Hackathons and other hands-on sessions coupled with these F2F sessions.
- The CTI TC uses a variety of mechanisms to communicate and collaborate, including:
- Mailing lists: STIX, Cyber Observables, TAXII, Interop
- Slack: Send an email to any of the co-Chairs to be onboarded onto the CTI TC Slack channel
- Google Docs: Visit the Table of Contents page for links to the working documents
Resources: The CTI TC maintains information resources for both the general public and for TC members.
- These are located at:
- Public Information Site: https://www.oasis-open.org/committees/tc_home.php
- TC Members: Log-in and browse to the CTI TC link on Kavi.
Open Source Tools
- OASIS Open Repository: GitHub Pages site for STIX, CybOX, and TAXII
- OASIS Open Repository: Python APIs for STIX 2
- OASIS Open Repository: Non-normative schemas and examples for STIX 2
- OASIS Open Repository: Convert STIX 1.2 XML to STIX 2.0 JSON
- OASIS Open Repository: Validator for STIX 2.0 JSON normative requirements and best practices
- OASIS Open Repository: TAXII 2 Server Library Written in Python
- OASIS Open Repository: Lightweight visualization for STIX 2.0 objects and relationships
- OASIS Open Repository: TAXII 2 Client Library Written in Python
- OASIS Open Repository: Validate patterns used to express CybOX content in STIX Indicators
- OASIS Open Repository: Match STIX content against STIX patterns
- OASIS Open Repository: Prototype for processing granular data markings in STIX
- OASIS Open Repository: The repository cti-stix-slider supports development of a Python application to convert STIX 2.0 content to STIX 1.x content
- Additional open sources that are not official OASIS-sponsored work products
Open Source Contributions
FreeTAXII - OSINT Feeds, Server, Library Resources
Open Source Icons
Subcommittee Wiki Links