A Collection of Information Security Community Standardization Activities and Initiatives
   

Cyber Threat Information Sharing

To fully realize the benefits of cyber intelligence, organizations need to share cyber threat information, and where possible defensive strategies and more, with trusted partners. By sharing threat information, defenders gain valuable insights into an attacker’s current and future attack objectives. "My detection becomes your prevention," as threat information is shared quickly between partners. In addition, the broader data set improves the defenders’ ability to predict future attacker behavior and create more dynamic defenses.

By understanding adversaries’ behavior against a range of targets over a period of time, defenders can identify a set of indicators and a robust set of adversary tactics, techniques, and procedures (TTPs).

Current cyber threat information sharing, however, is either a time-consuming, manual process or a limited-scope automation effort tied to a particular cyber threat information sharing community or technology. The capability to broadly share a rich set of cyber threat information — beyond IP addresses and file hashes — in an automated manner does not exist today.

The Trusted Automated eXchange of Indicator Information (TAXII) effort, a community-driven framework to facilitate cyber threat information sharing, aims to fill this void. TAXII defines a framework for exchanging Structured Threat Information eXpression (STIX) documents containing structured cyber threat information.