STIX (Structured Threat Information eXpression) is an important Cyber Threat Intelligence (CTI) standard for EclecticIQ. It is the foundation of the data model of the EclecticIQ Platform, and its disruptive power has helped to enable and transform the threat intelligence community in a relatively short time span. It’s for this reason that it was a logical step for us to become a proud member of OASIS back in 2016 and contribute to the STIX 1.x series.
We are big supporters of the hard work and effort that the CTI community has put into the ongoing development of STIX. STIX 2.0 marked a significant overhaul of version 1.2 and we regarded it as a very promising step. It is, however, normal that such a big overhaul cannot be perfect from the outset. We at EclecticIQ, for instance, thought version 2.0 was lacking some key elements that really matter to us, such as the Incident object and the Analyst Opinions and Notes, which would provide an opportunity for advanced analytic assertion management. More importantly, Confidence was removed, and Malware entities also required some additional details, which will be included in version 2.1.
As a result of these missing elements, we decided not to rush into supporting 2.0 immediately and instead to wait for the more refined version 2.1, which we believe will address the majority of its issues.
So, no need to be alarmed! We will support STIX 2. We’re simply putting our efforts into supporting version 2.1.
We did not just want to tick a box and claim to support STIX 2.0. Therefore, we have opted for a gradual adoption product roadmap that allows us to combine the capabilities of STIX 1.2 with elements from STIX 2.0, with support of STIX 2.1 as the final result.
Before going into more detail, let’s consider how we currently use STIX.
The STIX model is crucial for a successful CTI practice, so we integrated it into our platform with the aim of sticking to the true intention of the language. This would mean that cyber threats can not only be described but also stored, shared and analyzed in a consistent manner. When we inject data into our platform, we pull it apart, create a structure based on STIX and add in more context to allow for real analysis, correlation and the ability to build structured models.
True STIX Support
We believe that supporting only a selection of STIX objects or limiting capabilities to reading indicators and moving them around is not good enough — for us or the threat intelligence community. We aim to achieve complete support, covering the highest number of available objects as well as the functionality required to deal with them completely, from correlation to analysis to reporting.
So how can we transition from STIX 1.2 to STIX 2.1 with that goal in mind?
While we are waiting for STIX 2 to mature with the 2.1 release, we are gradually moving towards version 2.1 by transitioning our internal data model in stages throughout the year. We will move from STIX 1.2 to STIX 2.0, then from STIX 2.0 to STIX 2.1.
The goal during the transition phase is to always be able to ingest and send out STIX 2.0 data throughout our platform. Customers can always make full use of the functionalities provided by STIX 1.2 until we are ready to adopt STIX 2.1.
At the end of this journey our customers can look forward to using the more detailed, flexible and capable STIX 2.1 data model, which reduces the ambiguity that exists in STIX 1.2, and adds the important capabilities that are missing from STIX 2.0. In addition, STIX 2.1 will be easier to use and to scale, and more accessible to a wider audience. Our hope is that with STIX 2.1, STIX use will become commonplace and the base on which businesses and organizations build their CTI practices.
STIX is a prime example of what can be achieved when we work together toward a common goal. We are grateful to be part of a community that shares our ambition to consciously improve CTI.