Threat Intelligence Standards

Structured Threat Information eXpression (STIX)

Structured Threat Information eXpression (STIX) provides threat intelligence information in a specific JSON-based format. This information can include, for example, malware hashes, IP addresses or domain names of command-and-control servers, details of indicators of compromise, and the tactics, techniques and procedures (TTPs) used by threat actors. It was originally developed by MITRE but is now maintained by OASIS, and it is closely associated with the Trusted Automated eXchange of Indicator Information (TAXII), which can be used to share this information.
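The following added example (not part of this page and not from OASIS or MITRE) shows what a consumer of STIX data has to do with the JSON described above: build a small STIX 2.1 bundle containing a malware object, an indicator whose pattern carries a C2 domain and a file hash, and the "indicates" relationship between them; check the bundle's structure; and flatten the indicator pattern into plain observables that a blocklist or SIEM watchlist could take. The domain, hash and object names are constructed placeholders, and the pattern parser only handles simple equality comparisons, not the full STIX patterning grammar.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample values for the example, not real indicators.
FAKE_C2_DOMAIN = "c2.example.invalid"
FAKE_SHA256 = "0" * 64

# STIX 2.1 common properties every domain or relationship object must carry.
REQUIRED_COMMON = ("type", "spec_version", "id", "created", "modified")

# One comparison inside a STIX pattern, e.g.  file:hashes.'SHA-256' = '...'
# (equality comparisons only; the real grammar also has MATCHES, LIKE, ISSUBSET etc.)
COMPARISON = re.compile(r"([\w-]+):([\w.'\-]+)\s*=\s*'([^']*)'")
OBSERVATION = re.compile(r"\[(.*?)\]")


def _timestamp():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _stix_id(stix_type):
    # STIX identifiers have the form "<type>--<uuid>".
    return f"{stix_type}--{uuid.uuid4()}"


def build_bundle():
    """Produce a small STIX 2.1 bundle: one malware, one indicator and the 'indicates' relationship."""
    ts = _timestamp()
    malware = {"type": "malware", "spec_version": "2.1", "id": _stix_id("malware"),
               "created": ts, "modified": ts, "name": "ExampleLoader", "is_family": False}
    indicator = {"type": "indicator", "spec_version": "2.1", "id": _stix_id("indicator"),
                 "created": ts, "modified": ts, "name": "ExampleLoader C2 and dropper",
                 "indicator_types": ["malicious-activity"], "pattern_type": "stix", "valid_from": ts,
                 "pattern": (f"[domain-name:value = '{FAKE_C2_DOMAIN}'] OR "
                             f"[file:hashes.'SHA-256' = '{FAKE_SHA256}']")}
    relationship = {"type": "relationship", "spec_version": "2.1", "id": _stix_id("relationship"),
                    "created": ts, "modified": ts, "relationship_type": "indicates",
                    "source_ref": indicator["id"], "target_ref": malware["id"]}
    return {"type": "bundle", "id": _stix_id("bundle"), "objects": [malware, indicator, relationship]}


def validate_bundle(bundle):
    """Return a list of structural problems; an empty list means the bundle passed these checks."""
    problems = []
    ids = {obj.get("id") for obj in bundle.get("objects", [])}
    for obj in bundle.get("objects", []):
        missing = [p for p in REQUIRED_COMMON if p not in obj]
        if missing:
            problems.append(f"{obj.get('id')}: missing {missing}")
            continue
        if not obj["id"].startswith(obj["type"] + "--"):
            problems.append(f"{obj['id']}: id prefix does not match type {obj['type']}")
        if (obj["type"] == "indicator" and obj.get("pattern_type") == "stix"
                and not OBSERVATION.search(obj.get("pattern", ""))):
            problems.append(f"{obj['id']}: pattern has no observation expression")
        if obj["type"] == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in ids:
                    problems.append(f"{obj['id']}: {ref} points outside the bundle")
    return problems


def extract_observables(bundle):
    """Flatten every STIX-pattern indicator into (object type, property, value) tuples."""
    found = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for observation in OBSERVATION.findall(obj.get("pattern", "")):
            found.extend(COMPARISON.findall(observation))
    return found


def indicated_malware(bundle):
    """Resolve 'indicates' relationships into {indicator name: [malware names]}."""
    by_id = {obj["id"]: obj for obj in bundle.get("objects", [])}
    result = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") == "relationship" and obj.get("relationship_type") == "indicates":
            src, dst = by_id.get(obj["source_ref"]), by_id.get(obj["target_ref"])
            if src and dst and dst["type"] == "malware":
                result.setdefault(src["name"], []).append(dst["name"])
    return result


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle))
    print("observables:", extract_observables(bundle))
    print("indicates:", indicated_malware(bundle))
```

The structural checks matter in practice because STIX objects are often hand-edited or produced by ad hoc scripts: an id whose prefix does not match its type, or a relationship pointing at an object that was never shared, will silently break consumers that key on those fields.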

STIX Further Reading

Trusted Automated eXchange of Indicator Information (TAXII)

The Trusted Automated eXchange of Indicator Information (TAXII) is a standardised transport mechanism for the sharing of cyber threat information, such as STIX, described above. It was originally developed by MITRE but is now maintained by OASIS.

TAXII Further Reading

Cyber Observable eXpression (CybOX)

Cyber Observable eXpression (CybOX) provides a standard way to document cyber threat intelligence observables in a machine-readable format. CybOX was originally developed by MITRE but is now maintained by the OASIS Cyber Threat Intelligence Technical Committee. It has now been integrated into the Structured Threat Information eXpression (STIX) 2.0, making it part of a broader cybersecurity framework. CybOX objects are now called STIX Cyber Observables and are used within STIX to help describe security threats.

CybOX Further Reading

Open Indicators of Compromise (OpenIOC)

Open Indicators of Compromise (OpenIOC) is an open framework for sharing threat intelligence information in a machine-readable format. It does this using an XML-based schema to describe technical characteristics that identify known threats, attack methodologies, and other evidence of compromise. Because the format is machine-readable, security tools such as Security Information and Event Management systems (SIEMs) and Intrusion Detection/Prevention Systems (IDS/IPS) can process it automatically.

OpenIOC was developed and is maintained by Mandiant, a prominent cyber security company that is now part of Google Cloud. Because of this, it is primarily used by organisations that are familiar with Mandiant's ecosystem.
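As an added illustration of the XML schema described above (this is example code written for this page, not Mandiant's tooling), the block below parses a constructed OpenIOC 1.0-style document and evaluates its nested Indicator/IndicatorItem tree, with AND/OR operators and "is"/"contains" conditions, against a dictionary of values collected from a host. The hash, file names, ids and paths in the sample are placeholders, and the evaluator supports only the two conditions shown.

```python
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC 1.0-style document; hash, names and ids are placeholders, not real indicators.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-0000-0000-000000000001"
     last-modified="2024-01-01T00:00:00">
  <short_description>ExampleLoader (constructed sample)</short_description>
  <definition>
    <Indicator operator="OR" id="00000000-0000-0000-0000-000000000002">
      <IndicatorItem id="00000000-0000-0000-0000-000000000003" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00000000000000000000000000000000</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="00000000-0000-0000-0000-000000000004">
        <IndicatorItem id="00000000-0000-0000-0000-000000000005" condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">loader.dll</Content>
        </IndicatorItem>
        <IndicatorItem id="00000000-0000-0000-0000-000000000006" condition="contains">
          <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
          <Content type="string">AppData\\Local\\Temp</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""


def parse_ioc(xml_text):
    """Return the IOC's id, description and the top-level <Indicator> element."""
    root = ET.fromstring(xml_text)
    definition = root.find("ioc:definition", NS)
    return {
        "id": root.get("id"),
        "description": root.findtext("ioc:short_description", default="", namespaces=NS),
        "definition": definition.find("ioc:Indicator", NS),
    }


def _item(item):
    # Pull (search term, condition, expected value) out of one <IndicatorItem>.
    ctx = item.find("ioc:Context", NS)
    return (ctx.get("search"), item.get("condition"),
            item.findtext("ioc:Content", default="", namespaces=NS))


def list_items(indicator):
    """Flatten the tree into (search term, condition, value) tuples, e.g. to load into a scanner."""
    items = [_item(i) for i in indicator.findall("ioc:IndicatorItem", NS)]
    for child in indicator.findall("ioc:Indicator", NS):
        items.extend(list_items(child))
    return items


def _matches(search, condition, value, observed):
    # observed maps a search term (e.g. "FileItem/FullPath") to the values seen on the host.
    candidates = observed.get(search, [])
    if condition == "is":
        return any(c.lower() == value.lower() for c in candidates)
    if condition == "contains":
        return any(value.lower() in c.lower() for c in candidates)
    raise ValueError(f"unsupported condition {condition!r}")


def evaluate(indicator, observed):
    """Recursively evaluate an <Indicator> tree against observed host data; returns True on a hit."""
    results = [_matches(*_item(i), observed) for i in indicator.findall("ioc:IndicatorItem", NS)]
    results += [evaluate(child, observed) for child in indicator.findall("ioc:Indicator", NS)]
    if indicator.get("operator", "OR").upper() == "AND":
        return bool(results) and all(results)
    return any(results)


if __name__ == "__main__":
    ioc = parse_ioc(SAMPLE_IOC)
    print(ioc["id"], "-", ioc["description"])
    for entry in list_items(ioc["definition"]):
        print("  ", entry)
    host = {"FileItem/FileName": ["loader.dll"],
            "FileItem/FullPath": [r"C:\Users\u\AppData\Local\Temp\loader.dll"]}
    print("hit:", evaluate(ioc["definition"], host))
```

When the IOC documents come from an outside feed, parse them with defusedxml instead of the standard library parser so that entity expansion and external references in a hostile file cannot affect the consumer.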

OpenIOC Further Reading

Open Command and Control (OpenC2)

Open Command and Control (OpenC2) is a standardised language that facilitates machine-to-machine communication, allowing security tools from different vendors to work together seamlessly. It can, for example, trigger a firewall or endpoint protection product to block an attack after an intrusion prevention system (IPS) has identified malicious activity.
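The firewall scenario above, as an added example that is not from the OpenC2 specification or any vendor: a small consumer (the firewall side) that accepts OpenC2 v1.0-shaped JSON commands, validates that they carry an action and exactly one target, accepts "deny" and "allow" on an ipv4_net target plus a "query features" capability discovery, and answers with an OpenC2-shaped response carrying a status code. The actuator's rule store, the `is_blocked` lookup and the sample addresses are constructed for the example; a real actuator profile defines its own supported action/target pairs.

```python
import ipaddress
import json

# Action vocabulary from the OpenC2 Language Specification v1.0.
VALID_ACTIONS = {"scan", "locate", "query", "deny", "contact", "allow", "start", "stop",
                 "restart", "cancel", "set", "update", "redirect", "create", "delete",
                 "detonate", "restore", "copy", "investigate", "remediate"}

# Action/target pairs this constructed actuator implements.
SUPPORTED_PAIRS = {("deny", "ipv4_net"), ("allow", "ipv4_net"), ("query", "features")}


class FirewallActuator:
    """Constructed OpenC2 consumer: turns deny/allow commands into an ordered rule list."""

    def __init__(self):
        self.rules = []  # (action, ip_network) in arrival order; the last match wins

    def handle(self, command):
        """Process one OpenC2 command dict and return the response dict (or None if no response is wanted)."""
        action, target, args = command.get("action"), command.get("target"), command.get("args", {})
        if action not in VALID_ACTIONS or not isinstance(target, dict) or len(target) != 1:
            return {"status": 400, "status_text": "action and exactly one target are required"}
        (target_type, spec), = target.items()
        if (action, target_type) not in SUPPORTED_PAIRS:
            return {"status": 501, "status_text": f"{action} on {target_type} is not implemented"}

        if action == "query":
            # Capability discovery: tell the producer which pairs we accept.
            response = {"status": 200, "results": {
                "versions": ["1.0"],
                "pairs": {"allow": ["ipv4_net"], "deny": ["ipv4_net"]}}}
        else:
            try:
                net = ipaddress.ip_network(spec, strict=False)
            except ValueError:
                return {"status": 400, "status_text": f"invalid ipv4_net {spec!r}"}
            if net.version != 4:
                return {"status": 400, "status_text": "ipv4_net must be an IPv4 network"}
            self.rules.append((action, net))
            response = {"status": 200, "status_text": f"{action} {net} applied"}

        # args.response_requested = "none" means the producer does not want a reply.
        if args.get("response_requested") == "none":
            return None
        return response

    def is_blocked(self, ip):
        """Evaluate the rule list for one address; later rules override earlier ones."""
        addr = ipaddress.ip_address(ip)
        decision = False
        for action, net in self.rules:
            if addr in net:
                decision = action == "deny"
        return decision


if __name__ == "__main__":
    fw = FirewallActuator()
    # Constructed command as an IPS might emit it after spotting a C2 connection (TEST-NET address).
    cmd = {"action": "deny", "target": {"ipv4_net": "203.0.113.0/24"},
           "args": {"response_requested": "complete"}, "command_id": "cmd-example-1"}
    print(json.dumps(fw.handle(cmd)))
    print("203.0.113.7 blocked:", fw.is_blocked("203.0.113.7"))
```

The 400/501 distinction is the useful part for interoperability: a malformed message and a well-formed command the device simply cannot carry out must be reported differently, otherwise the producer cannot tell a bug in its own output from a capability gap on the consumer.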

OpenC2 Further Reading

Open Vulnerability and Assessment Language (OVAL)

The Open Vulnerability and Assessment Language (OVAL) is an international standard that provides the ability to assess and report the security state of computer systems. It allows this information to be exchanged between security tools and services. Vendors can, for example, use OVAL to publish vulnerability information about their products for their customers, who can then use it to assess devices for compliance against known or approved configurations or patch levels.

OVAL Further Reading

Common Vulnerability Reporting Framework (CVRF)

The Common Vulnerability Reporting Framework (CVRF) is an XML-based standard that allows security vulnerability information to be shared in a structured way. It facilitates the efficient exchange of vulnerability information between organisations, which in turn improves the speed and accuracy of security assessments. A vendor can, for example, use CVRF to share vulnerability information about its products with customers, so that they can act accordingly.