Threat Intelligence: STIX (Structured Threat Information eXpression)

The true power of STIX (specifically STIX 2.x) lies in its architecture. It models the threat landscape as a mathematical graph, where entities are Nodes and the interactions between them are Edges.

This is achieved through three fundamental building blocks:

  1. SDO (STIX Domain Objects): The “Nouns.” These represent high-level intelligence concepts (e.g., Threat Actors, Malware families, Campaigns).
  2. SCO (STIX Cyber-observable Objects): The “Adjectives/Facts.” These represent raw, technical network or host-level artifacts (e.g., IP addresses, file hashes, registry keys).
  3. SRO (STIX Relationship Objects): The “Verbs.” These link SDOs and SCOs together to provide crucial context.

Analogy: If CTI is global commerce, STIX is the standardized shipping container. Because every intelligence feed uses the exact same JSON container, Security Orchestration (SOAR) cranes can automatically lift, unpack, and route the data without human intervention.

To navigate STIX feeds, DFIR analysts and Threat Hunters must be familiar with the most critical objects.

1. STIX Domain Objects (SDO)

These objects describe the Who, What, and Why of an intrusion.

  • threat-actor: The adversary behind the attack (e.g., Initial Access Brokers, APT28).
  • campaign: A grouping of malicious activities targeting a specific objective.
  • malware: The malicious software used (e.g., Akira Ransomware).
  • attack-pattern: A specific TTP, natively mapped to the MITRE ATT&CK framework (e.g., T1059.001 - PowerShell).
  • indicator: A highly critical object. It contains a pattern that can be used to detect suspicious activity. It serves as the bridge between technical observables and malicious intent.

2. STIX Cyber-observable Objects (SCO)

These objects describe the Where and How (the traditional IOCs).

  • ipv4-addr / domain-name / url: Network infrastructure.
  • file: Host artifacts, containing properties like names and SHA256 hashes.
  • process / windows-registry-key: Execution traces.

3. Creating Context via Relationships (SRO)

A single IP address in a vacuum is useless. STIX Relationship Objects (SROs) turn isolated objects into actionable intelligence by connecting the dots between them.

The Semantic Chain:

  • The SDO Threat Actor: APT28 uses → the SDO Malware: DropperX.
  • The SDO Malware: DropperX communicates-with → the SCO Domain-Name: evil-c2.com.
  • The SDO Indicator indicates → the SDO Malware: DropperX (and contains a pattern matching the evil-c2.com domain).
stix_relationship.json

    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8e461b0a-313d-4c31-901c-6dcb9a567c9c",
      "created": "2026-11-17T10:00:00.000Z",
      "modified": "2026-11-17T10:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "target_ref": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b"
    }
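The graph model from the building blocks above and the semantic chain just described, as an added example that is not part of the original article: it builds the APT28 → DropperX → evil-c2.com chain as a STIX 2.1 bundle in plain Python (no stix2 dependency), checks the bundle for relationship references that point at objects missing from the feed, and walks the edges backwards so that an observed domain can be pivoted to the threat actor behind it. The helper names, the generated UUIDs and the sample objects are constructed for this example.

```python
"""Added example: build the STIX 2.1 graph from the chain above and walk it.

Pure-Python (json/uuid only, no stix2 dependency); the object names,
identifiers and helper functions are constructed for this example.
"""
import json
import uuid
from collections import defaultdict
from datetime import datetime, timezone


def stix_id(obj_type):
    """STIX 2.1 identifiers have the form '<type>--<UUID>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def timestamp():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def sdo(obj_type, **props):
    """Common properties shared by every SDO and SRO (SCOs omit created/modified)."""
    ts = timestamp()
    return {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type),
            "created": ts, "modified": ts, **props}


def relationship(rel_type, source, target):
    """An SRO is a directed edge: source_ref --relationship_type--> target_ref."""
    return sdo("relationship", relationship_type=rel_type,
               source_ref=source["id"], target_ref=target["id"])


def build_sample_bundle():
    """Constructed sample graph: APT28 uses DropperX, which talks to evil-c2.com."""
    actor = sdo("threat-actor", name="APT28")
    dropper = sdo("malware", name="DropperX", is_family=False)
    domain = {"type": "domain-name", "spec_version": "2.1",
              "id": stix_id("domain-name"), "value": "evil-c2.com"}
    indicator = sdo("indicator", name="DropperX C2 domain", pattern_type="stix",
                    pattern="[domain-name:value = 'evil-c2.com']",
                    valid_from=timestamp())
    edges = [relationship("uses", actor, dropper),
             relationship("communicates-with", dropper, domain),
             relationship("indicates", indicator, dropper)]
    return {"type": "bundle", "id": stix_id("bundle"),
            "objects": [actor, dropper, domain, indicator, *edges]}


def index_graph(bundle):
    """Split a bundle into nodes (by id) and reverse adjacency: target -> [(rel, source)]."""
    nodes = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
    upstream = defaultdict(list)
    for o in bundle["objects"]:
        if o["type"] == "relationship":
            upstream[o["target_ref"]].append((o["relationship_type"], o["source_ref"]))
    return nodes, upstream


def dangling_refs(bundle):
    """Relationship refs pointing at objects absent from the bundle (a common feed defect)."""
    nodes, _ = index_graph(bundle)
    return sorted(ref for o in bundle["objects"] if o["type"] == "relationship"
                  for ref in (o["source_ref"], o["target_ref"]) if ref not in nodes)


def actors_behind(bundle, observed_value):
    """Names of threat-actors reachable by walking edges backwards from an observed
    value: domain <-communicates-with- malware <-uses- threat-actor."""
    nodes, upstream = index_graph(bundle)
    stack = [i for i, o in nodes.items() if o.get("value") == observed_value]
    seen, actors = set(stack), set()
    while stack:
        cur = stack.pop()
        if nodes[cur]["type"] == "threat-actor":
            actors.add(nodes[cur]["name"])
        for _, src in upstream[cur]:
            if src in nodes and src not in seen:
                seen.add(src)
                stack.append(src)
    return sorted(actors)


def to_json(bundle):
    return json.dumps(bundle, indent=2)


if __name__ == "__main__":
    bundle = build_sample_bundle()
    print(to_json(bundle))
    print("actors behind evil-c2.com:", actors_behind(bundle, "evil-c2.com"))
```

The walk deliberately follows only reverse edges (target to source), which is what "who is upstream of this artifact" means in STIX terms; following edges in both directions would reach every connected object and lose that meaning. The dangling-reference check matters in practice because a relationship whose source_ref or target_ref is missing from the bundle cannot be rendered as an edge and silently breaks the pivot.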

STIX is not just for intelligence analysts; it is deeply embedded into modern Blue Team operations.

  1. Automated Ingestion: Threat Intelligence Platforms (TIP) aggregate STIX data and automatically push the relevant SCOs (hashes, IPs) directly to Endpoint Detection and Response (EDR) agents and firewalls.
  2. STIX Patterning: STIX includes a powerful pattern-matching language. A STIX Indicator object contains a pattern string that defines exactly how to find the threat (e.g., [file:hashes.'SHA-256' = '4bac...']). Modern SIEMs automatically translate these STIX patterns into native queries (like KQL or Splunk SPL) for immediate threat hunting.
  3. The Transport Layer: Defining the language is only half the battle. To distribute these massive JSON graphs in real time between organizations and government agencies, the industry relies on a dedicated application-layer protocol. This automated distribution is handled entirely by TAXII (Trusted Automated eXchange of Intelligence Information).
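To make the STIX Patterning point concrete, here is an added example (not from the original article, and not the stix2-patterns library) of a small evaluator for the pattern subset most indicators actually use: one bracketed observation expression with = and != comparisons joined by AND/OR. It runs a constructed set of indicator patterns over constructed observations (the SHA-256 values and the 203.0.113.5 address are placeholders, not real IoCs) and reports which observation each indicator hits, which is the same matching a SIEM performs after translating the pattern to a native query.

```python
"""Added example: a minimal evaluator for STIX 2.1 indicator patterns.

Handles one bracketed observation expression with '=' / '!=' comparisons
joined by AND/OR (no parentheses, no LIKE/MATCHES, no temporal qualifiers);
this is a constructed subset, not the stix2-patterns library.
"""
import re

# One comparison: <object-type>:<property.path> <op> '<value>'
_CMP = re.compile(r"^([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*(=|!=)\s*'((?:[^'\\]|\\.)*)'$")


def _parse_path(path):
    """hashes.'SHA-256' -> ['hashes', 'SHA-256']; quotes protect keys containing '-'."""
    return [p.strip("'") for p in re.findall(r"'[^']+'|[^.]+", path)]


def _resolve(obj, parts):
    """Walk nested dicts along the property path; None if any key is missing."""
    cur = obj
    for p in parts:
        if not isinstance(cur, dict) or p not in cur:
            return None
        cur = cur[p]
    return cur


def parse_pattern(pattern):
    """Return the pattern in disjunctive normal form: a list of AND-groups of comparisons."""
    pattern = pattern.strip()
    if not (pattern.startswith("[") and pattern.endswith("]")):
        raise ValueError("expected a single bracketed observation expression")
    groups = []
    for disjunct in re.split(r"\s+OR\s+", pattern[1:-1]):
        group = []
        for comparison in re.split(r"\s+AND\s+", disjunct):
            m = _CMP.match(comparison.strip())
            if not m:
                raise ValueError(f"unsupported comparison: {comparison!r}")
            obj_type, path, op, value = m.groups()
            group.append((obj_type, _parse_path(path), op, value.replace("\\'", "'")))
        groups.append(group)
    return groups


def _holds(observation, obj_type, parts, op, value):
    """A comparison holds if some SCO of that type in the observation satisfies it.
    A missing property makes the comparison false for both '=' and '!='."""
    for sco in observation:
        if sco.get("type") != obj_type:
            continue
        actual = _resolve(sco, parts)
        if actual is None:
            continue
        if (str(actual) == value) == (op == "="):
            return True
    return False


def matches(pattern, observation):
    """observation: list of SCO dicts seen together (one sighting). AND binds tighter than OR."""
    return any(all(_holds(observation, *cmp) for cmp in group)
               for group in parse_pattern(pattern))


def hunt(indicators, observations):
    """Map each indicator name to the indexes of observations its pattern matches."""
    return {ind["name"]: [i for i, obs in enumerate(observations)
                          if matches(ind["pattern"], obs)]
            for ind in indicators}


# Constructed sample data (hashes, names and the address are placeholders, not real IoCs).
SAMPLE_HASH = "4bac" + "00" * 30
BENIGN_HASH = "ab" * 32
SAMPLE_INDICATORS = [
    {"name": "DropperX payload hash",
     "pattern": f"[file:hashes.'SHA-256' = '{SAMPLE_HASH}']"},
    {"name": "DropperX C2 infrastructure",
     "pattern": "[domain-name:value = 'evil-c2.com' OR ipv4-addr:value = '203.0.113.5']"},
    {"name": "Renamed dropper",
     "pattern": f"[file:name = 'update.exe' AND file:hashes.'SHA-256' != '{BENIGN_HASH}']"},
]
SAMPLE_OBSERVATIONS = [
    [{"type": "file", "name": "update.exe", "hashes": {"SHA-256": SAMPLE_HASH}},
     {"type": "domain-name", "value": "evil-c2.com"}],
    [{"type": "file", "name": "notepad.exe", "hashes": {"SHA-256": BENIGN_HASH}}],
    [{"type": "ipv4-addr", "value": "203.0.113.5"}],
]

if __name__ == "__main__":
    for name, hits in hunt(SAMPLE_INDICATORS, SAMPLE_OBSERVATIONS).items():
        print(f"{name}: observations {hits}")
```

Two details are worth carrying into any translation to KQL or SPL: a comparison against a property the observed object does not have is false for both = and != (so `!=` never matches "everything else"), and AND binds tighter than OR, so a pattern written without parentheses is evaluated as a list of AND-groups of which any one may match.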

By understanding STIX, incident responders transition from reacting to isolated alerts to understanding the broader campaign, instantly mapping isolated host artifacts to known global threat actors.