STIX

Intelligence on cyber threats, or Cyber Threat Intelligence, is the best insurance against computer attacks because it allows to neutralize them before impact. But faced with the quantity, versatility and creativity of attackers, producing high-quality operational intelligence requires intensive collaboration between multiple teams of experts around the world.

This vast virtual surveillance and warning network can only exist because it can exchange information, data and intelligence. STIX is the language spoken by these analysts to model and exchange their data transparently and enable their use in security systems.

The power of CTI during malware incident analysis replay with Glimps

Watch the replay

What is STIX?

Acronym for Structured Threat Information eXpression, it is an open standard describing the objects of interest in the field of defensive computer warfare, and the links that they can maintain between them. It is published and maintained by a working group of the OASIS association.

OASIS (Organization for the Advancement of Structured Information Standards) is a non-profit professional association, whose mission is to develop, support and promote standardization projects. It is one of the few standardization structures recognized by the ISO (International Standards Organization) to develop standards of the Publicly Available Specification.

The current version of the standard is 2.1, published in 2021. In mid-2022, only four French people are active contributors and members of the technical committee, including David Bizeul, Chief Science Officer of SEKOIA.IO, and Georges Bossert, Chief Technical Officer of SEKOIA.IO.

Watch the replay

STIX objects: SDO (Stix Domain Objects)

The standard describes 18 types of objects of cyber interest, including their properties and the relationships they can have. Among these SDOs, we can retain in particular: malicious actors, campaigns, malware, Tools, Tactics and Procedures (TTPs) or vulnerabilities.

This taxonomy removes ambiguities: thus a French analyst can publish data that will be used by a German analyst, sometimes from a competing company. This also allows intelligence data to be filtered according to areas of interest: a firewalls agent EDR has little interest in having to go through all the campaign data.

In particular, STIX very clearly distinguishes between intelligence objects (SDOs) and the technical data on which they may be based, called SCOs (STIX Cyber Observable objects) or observables.

example of types of “observable” objects (SCO)

Relations: essential contextualization

However, objects (SDO or SCO) alone do not allow contextualization, which is vital to avoid false positives or the overconsumption of resources, human or machine. To do this, they must be linked together, this is the role of STIX Relationship Objects (SRO). A quality CTI modeled in accordance with STIX should always include these relationships, which alone allow the operational analyst to carry out investigations and put into perspective information from the field.

Example of possible relationships with a Malware type object

How STIX helps organizations to better respond to cyber threats?

By providing a unified threat description language, STIX makes it easy and quick to leverage proprietary intelligence such as open source (OSINT). It allows organizations to require this compatibility to ensure the effective flow of intelligence within their security system.

Widely adopted by industry, STIX has become increasingly the standard, allowing policy makers to specify cyber intelligence compatibility and interoperability requirements.

Open standard, all its specification and documentation are freely available on the dedicated Github page. It is a guarantee of transparency allowing all decision-makers to resist the potential influence of a software publisher, as may be the case with proprietary standards.

Finally, STIX allows collaboration between the various contributors to the ecosystem, from commercial teams such as the Threat & Detection Research team which produces the SEKOIA.IO CTI, to public or sectoral structures such as CERT or ISAC. Thus, any Threat Intelligence Platform worthy of the name must natively handle STIX 2.1 in input as well as in output; this is of course the case of SEKOIA.IO TIP.

We are a cybersecurity software publisher. We provide SOC and MSSP teams with a turnkey operational security platform (SOC platform). Through our XDR platform, CTI tool and threat intelligence platform, we enable our users to neutralize cyber threats, regardless of the attack surface.

Watch the replay

Others Terms

Others Terms

CTI(Cyber Threat Intelligence)

Cyber Threat Intelligence (CTI) defines cyber threat research, analysis and modeling. It'is used to prevent and detect computer attacks.

IoC(Indicator of compromise)

IoC (Indicator of compromise) is qualified technical data that makes it possible to detect malicious activities on an information system. These indicators can be based on data of various types, for example: a file hash, a signature, an IP address, a URL, a domain name… but in all cases, the technical data alone (observable, see this word) is not enough to talk about IoC.

Échangez avec l’équipe

Vous souhaitez en savoir plus sur nos solutions de protection ?
Vous voulez découvrir nos produits de XDR et de CTI ?
Vous avez un projet de cybersécurité dans votre organisation ?
Prenez rendez-vous et rencontrons-nous !

Contactez-nous

Chat with our team !

Would you like to know more about our solutions ?
Do you want to discover our XDR and CTI products ?
Do you have a cyber security project in your organization ?
Make an appointment and meet us !

Contact us

Cookie	Duration	Description
__hssrc	session	This cookie is set by Hubspot. According to their documentation, whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	1 year	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookie is used to remember the user consent for the cookies under the category "Analytics".
cookielawinfo-checkbox-necessary	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".

Cookie	Duration	Description
__hssc	30 minutes	This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
pll_language	1 year	This cookie is set by Polylang plugin for WordPress powered websites. The cookie stores the language code of the last browsed page.

Cookie	Duration	Description
__hstc	1 year 24 days	This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_gtag_UA_152945562_1	1 minute	This cookie is set by Google and is used to distinguish users.
_gcl_au	3 months	This cookie is used by Google Analytics to understand user interaction with the website.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
Inbound Converter	2 ans	This script communicates back to TechTarget which accounts, based on reverse IP lookup, have visited this website. The information that is transmitted includes: URL of page landed on, Timestamp of visit, IP Address
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	No description
cookielawinfo-checkbox-functional	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-others	1 year	No description
li_gc	2 years	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.