STIX 2.0 & TAXII 2.0 Finalized & Published

OASIS and the Cyber Threat Intelligence (CTI) Technical Committee are pleased to announce the publication of STIX Version 2.0 and TAXII Version 2.0 as Committee Specifications.

The Cyber Threat Intelligence (CTI) TC is developing information representations and protocols to help industries, organizations, and governments model, analyze, and share cyber threat intelligence.

STIX – Structured Threat Information Expression – is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX enables organizations to share CTI with one another in a consistent and machine readable manner, allowing security communities to better understand what computer-based attacks they are most likely to see and to anticipate and/or respond to those attacks faster and more effectively. STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more.

STIX Version 2.0 has been significantly redesigned and, as a result, omits some of the objects and properties defined in STIX 1.2.1. The objects chosen for inclusion in STIX V2.0 represent a minimally viable product (MVP) that fulfills basic consumer and producer requirements for CTI sharing. Objects and properties not included in STIX 2.0, but deemed necessary by the community, will be included in future releases.

TAXII – Trusted Automated Exchange of Intelligence Information – is an application layer protocol used to exchange cyber threat intelligence (CTI) over HTTPS. It enables organizations to share CTI by defining an API that aligns with common sharing models.

TAXII is specifically designed to support the exchange of CTI represented in STIX. As such, the examples and some features in the specification are intended to align with STIX. This does not mean TAXII cannot be used to share data in other formats; it is designed for STIX, but is not limited to STIX.

These Committee Specifications are OASIS deliverables, completed and approved by the TC and fully ready for testing and implementation.

The specifications and related files are available here:

• STIX Version 2.0
  Committee Specification 01
  19 July 2017

• Part 1: STIX Core Concepts
  Editable source (Authoritative):
  http://docs.oasis-open.org/cti/stix/v2.0/cs01/part1-stix-core/stix-v2.0-cs01-part1-stix-core.docx

HTML:
http://docs.oasis-open.org/cti/stix/v2.0/cs01/part1-stix-core/stix-v2.0-cs01-part1-stix-core.html

PDF:
http://docs.oasis-open.org/cti/stix/v2.0/cs01/part1-stix-core/stix-v2.0-cs01-part1-stix-core.pdf

• Part 2: STIX Objects
  Editable source (Authoritative):
  http://docs.oasis-open.org/cti/stix/v2.0/cs01/part2-stix-objects/stix-v2.0-cs01-part2-stix-objects.docx

HTML:
http://docs.oasis-open.org/cti/stix/v2.0/cs01/part2-stix-objects/stix-v2.0-cs01-part2-stix-objects.html

PDF:
http://docs.oasis-open.org/cti/stix/v2.0/cs01/part2-stix-objects/stix-v2.0-cs01-part2-stix-objects.pdf

• Part 3: Cyber Observable Core Concepts
  Editable source (Authoritative):
  http://docs.oasis-open.org/cti/stix/v2.0/cs01/part3-cyber-observable-core/stix-v2.0-cs01-part3-cyber-observable-core.docx

HTML:
http://docs.oasis-open.org/cti/stix/v2.0/cs01/part3-cyber-observable-core/stix-v2.0-cs01-part3-cyber-observable-core.html

PDF:
http://docs.oasis-open.org/cti/stix/v2.0/cs01/part3-cyber-observable-core/stix-v2.0-cs01-part3-cyber-observable-core.pdf

• Part 4: Cyber Observable Objects
  Editable source (Authoritative):
  http://docs.oasis-open.org/cti/stix/v2.0/cs01/part4-cyber-observable-objects/stix-v2.0-cs01-part4-cyber-observable-objects.docx

HTML:
http://docs.oasis-open.org/cti/stix/v2.0/cs01/part4-cyber-observable-objects/stix-v2.0-cs01-part4-cyber-observable-objects.html

PDF:
http://docs.oasis-open.org/cti/stix/v2.0/cs01/part4-cyber-observable-objects/stix-v2.0-cs01-part4-cyber-observable-objects.pdf

• Part 5: Patterning
  Editable source (Authoritative):
  http://docs.oasis-open.org/cti/stix/v2.0/cs01/part5-stix-patterning/stix-v2.0-cs01-part5-stix-patterning.docx

HTML:
http://docs.oasis-open.org/cti/stix/v2.0/cs01/part5-stix-patterning/stix-v2.0-cs01-part5-stix-patterning.html

PDF:
http://docs.oasis-open.org/cti/stix/v2.0/cs01/part5-stix-patterning/stix-v2.0-cs01-part5-stix-patterning.pdf

• TAXII Version 2.0
  Committee Specification 01
  19 July 2017

Editable source (Authoritative):
http://docs.oasis-open.org/cti/taxii/v2.0/cs01/taxii-v2.0-cs01.docx

HTML:
http://docs.oasis-open.org/cti/taxii/v2.0/cs01/taxii-v2.0-cs01.html

PDF:
http://docs.oasis-open.org/cti/taxii/v2.0/cs01/taxii-v2.0-cs01.pdf

Distribution ZIP files

For your convenience, OASIS provides complete packages of the prose specifications and related files in ZIP distribution files. You can download the ZIP files here:

• STIX V2.0: http://docs.oasis-open.org/cti/stix/v2.0/cs01/stix-v2.0-cs01.zip

• TAXII V2.0: http://docs.oasis-open.org/cti/taxii/v2.0/cs01/taxii-v2.0-cs01.zip

Members of the CTI TC [1] approved this specification by Special Majority Vote. The specification had been released for public review as required by the TC Process [2]. The vote to approve as a Committee Specification passed [3], and the document is now available online in the OASIS Library as referenced above.

Our congratulations to the TC on achieving this milestone and our thanks to the reviewers who provided feedback on the specification drafts to help improve the quality of the work.

========== Additional references:

[1] OASIS Cyber Threat Intelligence (CTI) TC
https://www.oasis-open.org/committees/cti/

[2] Public reviews:
– STIX V2.0:
* 30-day public review, 08 March 2017:
https://lists.oasis-open.org/archives/members/201703/msg00000.html
– Comment resolution log:
http://docs.oasis-open.org/cti/stix/v2.0/csprd01/stix-v2.0-csprd01-comment-resolution-log.xlsx

• 15-day public review, 18 May 2017:
  https://lists.oasis-open.org/archives/members/201705/msg00006.html
• Comment resolution log:
  http://docs.oasis-open.org/cti/stix/v2.0/csprd02/stix-v2.0-csprd02-comment-resolution-log.xlsx

• TAXII v2.0:

• 30-day public review, 12 May 2017:
  https://lists.oasis-open.org/archives/members/201705/msg00003.html
• Comment resolution log:
  http://docs.oasis-open.org/cti/taxii/v2.0/csprd01/taxii-v2.0-csprd01-comment-resolution-log.xlsx

[3] Approval ballot:
https://www.oasis-open.org/committees/ballot.php?id=3102

Jane Ginn CTIN President & Co-Founder

Jane Ginn ~ As the co-founder of the Cyber Threat Intelligence Network (CTIN), a consultancy with partners in Europe, Ms. Ginn has been pivotal in the development of the STIX international standard for modeling and sharing threat intelligence. She currently serves as the Secretary of the OASIS Threat Actor Context Technical Committee, contributing to the creation of a semantic technology ontology for cyber threat actor analysis. Her efforts in this area and her earlier work with the Cyber Threat Intelligence (CTI) TC earned her the 2020 Distinguished Contributor award from OASIS. In public service, she advised five Secretaries of the US Department of Commerce on international trade issues from 1994 to 2001 and served on the Washington District Export Council for five years. In the EU, she was an appointed member of the European Union's ENISA Threat Landscape Stakeholders' Group for four years. A world traveler and amateur photojournalist, she has visited over 50 countries, further enriching her global outlook and professional insights. Follow me on LinkedIn: www.linkedin.com/comm/mynetwork/discovery-see-all?usecase=PEOPLE_FOLLOWS&followMember=janeginn

See Full Bio