What are two functions of Taxii in threat intelligence sharing choose two?

As mentioned in a previous article, efficient automation of cyber security requires a standard to describe and a mean to exchange information. The Cyber Threat Intelligence Technical Committee (CTI TC) of the Organization for the Advancement of Structured Information Standards (OASIS) proposes the STIX and TAXII standards to meet both needs. Before joining OASIS in 2015, these two standards (as well as CybOX) were developed at MITRE under the supervision, once again, of the US Department of Homeland Security (DHS), specifically the Office of Cybersecurity and Communications, the National Cybersecurity and Communications Integration Center, and the US-CERT.

STIX

STIX is the acronym for Structured Threat Information eXpression. The name is explicit: it is a standard for expressing information about computer threats in a structured and unambiguous way. Based on JSON, it has the potential to allow automatic information exchange between the many tools used to ensure the security of an organization.

, standardized in July 2017, defines two categories of STIX objects: STIX Domain Objects (SDO) and STIX Relationship Objects (SRO).

For simplicity, SDOs can be seen as the nodes of a graph interconnected by SROs. For example, the following collection, taken from the standard, represents an indicator SDO as well as a malware SDO linked together by a relationship SRO whose relationship_type property is

[
  {
    "type": "sighting",
    "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:08:31.000Z",
    "modified": "2016-04-06T20:08:31.000Z",
    "first_seen": "2015-12-21T19:00:00Z",
    "last_seen": "2015-12-21T19:00:00Z",
    "count": 50,
    "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
    "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
  },
  {
    "type": "observed-data",
    "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
    "created_by_ref": "identity--f431f809-377b-45e0-collectionaa1c-6a4751cae5ff",
    "created": "2016-04-06T19:58:16.000Z",
    "modified": "2016-04-06T19:58:16.000Z",
    "start": "2015-12-21T19:00:00Z",
    "stop": "2016-04-06T19:58:16Z",
    "count": 50,
    "objects": {
      "0": {
        "type": "file",
        ...
      }
    }
  }
]

0.

[
  {
    "type": "indicator",
    "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:03:48.000Z",
    "modified": "2016-04-06T20:03:48.000Z",
    "labels": [
      "malicious-activity"
    ],
    "name": "Poison Ivy Malware",
    "description": "This file is part of Poison Ivy",
    "pattern": "[ file:hashes.'SHA-256' = '4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03f533924f877' ]",
    "valid_from": "2016-01-01T00:00:00Z"
  },
  {
    "type": "relationship",
    "id": "relationship--44298a74-ba52-4f0c-87a3-1824e67d7fad",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:06:37.000Z",
    "modified": "2016-04-06T20:06:37.000Z",
    "relationship_type": "indicates",
    "source_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "target_ref": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b"
  },
  {
    "type": "malware",
    "id": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
    "created": "2016-04-06T20:07:09.000Z",
    "modified": "2016-04-06T20:07:09.000Z",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "name": "Poison Ivy"
  }
]

Or as a graph generated by OASIS’ STIX Visualizer:

SDOs: STIX Domain Objects

The STIX 2.0 standard defines twelve :

• [
    {
      "type": "sighting",
      "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
      "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "created": "2016-04-06T20:08:31.000Z",
      "modified": "2016-04-06T20:08:31.000Z",
      "first_seen": "2015-12-21T19:00:00Z",
      "last_seen": "2015-12-21T19:00:00Z",
      "count": 50,
      "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
      "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
    },
    {
      "type": "observed-data",
      "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
      "created_by_ref": "identity--f431f809-377b-45e0-collectionaa1c-6a4751cae5ff",
      "created": "2016-04-06T19:58:16.000Z",
      "modified": "2016-04-06T19:58:16.000Z",
      "start": "2015-12-21T19:00:00Z",
      "stop": "2016-04-06T19:58:16Z",
      "count": 50,
      "objects": {
        "0": {
          "type": "file",
          ...
        }
      }
    }
  ]

  1: An approach taken by one (or more) malicious actor to compromise a target;

• [
    {
      "type": "sighting",
      "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
      "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "created": "2016-04-06T20:08:31.000Z",
      "modified": "2016-04-06T20:08:31.000Z",
      "first_seen": "2015-12-21T19:00:00Z",
      "last_seen": "2015-12-21T19:00:00Z",
      "count": 50,
      "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
      "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
    },
    {
      "type": "observed-data",
      "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
      "created_by_ref": "identity--f431f809-377b-45e0-collectionaa1c-6a4751cae5ff",
      "created": "2016-04-06T19:58:16.000Z",
      "modified": "2016-04-06T19:58:16.000Z",
      "start": "2015-12-21T19:00:00Z",
      "stop": "2016-04-06T19:58:16Z",
      "count": 50,
      "objects": {
        "0": {
          "type": "file",
          ...
        }
      }
    }
  ]

  2: A collection of hostile behaviors describing a set of malicious activities or attacks targeting a given set of victims over a determined period of time;

• [
    {
      "type": "sighting",
      "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
      "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "created": "2016-04-06T20:08:31.000Z",
      "modified": "2016-04-06T20:08:31.000Z",
      "first_seen": "2015-12-21T19:00:00Z",
      "last_seen": "2015-12-21T19:00:00Z",
      "count": 50,
      "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
      "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
    },
    {
      "type": "observed-data",
      "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
      "created_by_ref": "identity--f431f809-377b-45e0-collectionaa1c-6a4751cae5ff",
      "created": "2016-04-06T19:58:16.000Z",
      "modified": "2016-04-06T19:58:16.000Z",
      "start": "2015-12-21T19:00:00Z",
      "stop": "2016-04-06T19:58:16Z",
      "count": 50,
      "objects": {
        "0": {
          "type": "file",
          ...
        }
      }
    }
  ]

  3: An action taken to avoid or respond to an attack;

• [
    {
      "type": "sighting",
      "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
      "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "created": "2016-04-06T20:08:31.000Z",
      "modified": "2016-04-06T20:08:31.000Z",
      "first_seen": "2015-12-21T19:00:00Z",
      "last_seen": "2015-12-21T19:00:00Z",
      "count": 50,
      "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
      "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
    },
    {
      "type": "observed-data",
      "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
      "created_by_ref": "identity--f431f809-377b-45e0-collectionaa1c-6a4751cae5ff",
      "created": "2016-04-06T19:58:16.000Z",
      "modified": "2016-04-06T19:58:16.000Z",
      "start": "2015-12-21T19:00:00Z",
      "stop": "2016-04-06T19:58:16Z",
      "count": 50,
      "objects": {
        "0": {
          "type": "file",
          ...
        }
      }
    }
  ]

  4: Individuals, organizations, or groups, as well as classes of individuals, organizations, or groups;
• indicator: Encapsulates a to detect a malicious or suspicious activity;

• [
    {
      "type": "sighting",
      "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
      "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "created": "2016-04-06T20:08:31.000Z",
      "modified": "2016-04-06T20:08:31.000Z",
      "first_seen": "2015-12-21T19:00:00Z",
      "last_seen": "2015-12-21T19:00:00Z",
      "count": 50,
      "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
      "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
    },
    {
      "type": "observed-data",
      "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
      "created_by_ref": "identity--f431f809-377b-45e0-collectionaa1c-6a4751cae5ff",
      "created": "2016-04-06T19:58:16.000Z",
      "modified": "2016-04-06T19:58:16.000Z",
      "start": "2015-12-21T19:00:00Z",
      "stop": "2016-04-06T19:58:16Z",
      "count": 50,
      "objects": {
        "0": {
          "type": "file",
          ...
        }
      }
    }
  ]

  6: A set of resources and hostile behaviors suspected to be characteristic of a particular

  [
    {
      "type": "sighting",
      "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
      "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "created": "2016-04-06T20:08:31.000Z",
      "modified": "2016-04-06T20:08:31.000Z",
      "first_seen": "2015-12-21T19:00:00Z",
      "last_seen": "2015-12-21T19:00:00Z",
      "count": 50,
      "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
      "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
    },
    {
      "type": "observed-data",
      "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
      "created_by_ref": "identity--f431f809-377b-45e0-collectionaa1c-6a4751cae5ff",
      "created": "2016-04-06T19:58:16.000Z",
      "modified": "2016-04-06T19:58:16.000Z",
      "start": "2015-12-21T19:00:00Z",
      "stop": "2016-04-06T19:58:16Z",
      "count": 50,
      "objects": {
        "0": {
          "type": "file",
          ...
        }
      }
    }
  ]

  7. Unlike a

  [
    {
      "type": "sighting",
      "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
      "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "created": "2016-04-06T20:08:31.000Z",
      "modified": "2016-04-06T20:08:31.000Z",
      "first_seen": "2015-12-21T19:00:00Z",
      "last_seen": "2015-12-21T19:00:00Z",
      "count": 50,
      "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
      "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
    },
    {
      "type": "observed-data",
      "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
      "created_by_ref": "identity--f431f809-377b-45e0-collectionaa1c-6a4751cae5ff",
      "created": "2016-04-06T19:58:16.000Z",
      "modified": "2016-04-06T19:58:16.000Z",
      "start": "2015-12-21T19:00:00Z",
      "stop": "2016-04-06T19:58:16Z",
      "count": 50,
      "objects": {
        "0": {
          "type": "file",
          ...
        }
      }
    }
  ]

  2, it is not specific to a set of targets or a period of time.
• malware: Malicious software, also known as malicious code, or malware, which purpose is to compromise the confidentiality, integrity, and/or availability of the victim’s data/systems;

• <stix:Indicators>
      <stix:Indicator id="example:indicator-a932fcc6-e032-176c-126f-cb970a5a1ade" xsi:type='indicator:IndicatorType'  timestamp="2014-02-20T09:00:00.000000Z">
          <indicator:Title>File hash for Poison Ivy variant</indicator:Title>
          <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">File Hash Watchlist</indicator:Type>
          <indicator:Observable id="example:Observable-7d6f87bb-b4cd-42dd-b655-72557e9ea79f">
              <cybox:Object id="example:File-91040dc2-28d8-4925-bfe8-6b50d300afe1">
                  <cybox:Properties xsi:type="FileObj:FileObjectType">
                      <FileObj:Hashes>
                          <cyboxCommon:Hash>
                              <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
                              <cyboxCommon:Simple_Hash_Value condition="Equals">ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c</cyboxCommon:Simple_Hash_Value>
                          </cyboxCommon:Hash>
                      </FileObj:Hashes>
                  </cybox:Properties>
              </cybox:Object>
          </indicator:Observable>
          <indicator:Indicated_TTP>
              <stixCommon:TTP idref="example:ttp-e610a4f1-9676-eab3-bcc6-b2768d58281a" />
          </indicator:Indicated_TTP>
      </stix:Indicator>
  </stix:Indicators>
  <stix:TTPs>
      <stix:TTP id="example:ttp-e610a4f1-9676-eab3-bcc6-b2768d58281a" xsi:type='ttp:TTPType'  timestamp="2014-02-20T09:00:00.000000Z">
          <ttp:Title>Poison Ivy</ttp:Title>
          <ttp:Behavior>
              <ttp:Malware>
                  <ttp:Malware_Instance id="example:malware-fdd60b30-b67c-11e3-b0b9-f01faf20d111">
                      <ttp:Type xsi:type="stixVocabs:MalwareTypeVocab-1.0">Remote Access Trojan</ttp:Type>
                      <ttp:Name>Poison Ivy</ttp:Name>
                  </ttp:Malware_Instance>
              </ttp:Malware>
          </ttp:Behavior>
      </stix:TTP>
  </stix:TTPs>

  0: Represents information observed on a system or network (e.g., IP address, file, …) as a set of STIX Cyber ​​Observables. Initially the object of a different standard (CybOX), Cyber ​​Observables’ core concepts and objects are now part of STIX.

• <stix:Indicators>
      <stix:Indicator id="example:indicator-a932fcc6-e032-176c-126f-cb970a5a1ade" xsi:type='indicator:IndicatorType'  timestamp="2014-02-20T09:00:00.000000Z">
          <indicator:Title>File hash for Poison Ivy variant</indicator:Title>
          <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">File Hash Watchlist</indicator:Type>
          <indicator:Observable id="example:Observable-7d6f87bb-b4cd-42dd-b655-72557e9ea79f">
              <cybox:Object id="example:File-91040dc2-28d8-4925-bfe8-6b50d300afe1">
                  <cybox:Properties xsi:type="FileObj:FileObjectType">
                      <FileObj:Hashes>
                          <cyboxCommon:Hash>
                              <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
                              <cyboxCommon:Simple_Hash_Value condition="Equals">ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c</cyboxCommon:Simple_Hash_Value>
                          </cyboxCommon:Hash>
                      </FileObj:Hashes>
                  </cybox:Properties>
              </cybox:Object>
          </indicator:Observable>
          <indicator:Indicated_TTP>
              <stixCommon:TTP idref="example:ttp-e610a4f1-9676-eab3-bcc6-b2768d58281a" />
          </indicator:Indicated_TTP>
      </stix:Indicator>
  </stix:Indicators>
  <stix:TTPs>
      <stix:TTP id="example:ttp-e610a4f1-9676-eab3-bcc6-b2768d58281a" xsi:type='ttp:TTPType'  timestamp="2014-02-20T09:00:00.000000Z">
          <ttp:Title>Poison Ivy</ttp:Title>
          <ttp:Behavior>
              <ttp:Malware>
                  <ttp:Malware_Instance id="example:malware-fdd60b30-b67c-11e3-b0b9-f01faf20d111">
                      <ttp:Type xsi:type="stixVocabs:MalwareTypeVocab-1.0">Remote Access Trojan</ttp:Type>
                      <ttp:Name>Poison Ivy</ttp:Name>
                  </ttp:Malware_Instance>
              </ttp:Malware>
          </ttp:Behavior>
      </stix:TTP>
  </stix:TTPs>

  1: threat intelligence collection in the form of STIX, SDO, and SRO objects that revolves around one or more topics such as description of a malicious actor, malware, or intrusion technique including contextual information. It can reference a report in the classic sense of the term through the

  <stix:Indicators>
      <stix:Indicator id="example:indicator-a932fcc6-e032-176c-126f-cb970a5a1ade" xsi:type='indicator:IndicatorType'  timestamp="2014-02-20T09:00:00.000000Z">
          <indicator:Title>File hash for Poison Ivy variant</indicator:Title>
          <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">File Hash Watchlist</indicator:Type>
          <indicator:Observable id="example:Observable-7d6f87bb-b4cd-42dd-b655-72557e9ea79f">
              <cybox:Object id="example:File-91040dc2-28d8-4925-bfe8-6b50d300afe1">
                  <cybox:Properties xsi:type="FileObj:FileObjectType">
                      <FileObj:Hashes>
                          <cyboxCommon:Hash>
                              <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
                              <cyboxCommon:Simple_Hash_Value condition="Equals">ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c</cyboxCommon:Simple_Hash_Value>
                          </cyboxCommon:Hash>
                      </FileObj:Hashes>
                  </cybox:Properties>
              </cybox:Object>
          </indicator:Observable>
          <indicator:Indicated_TTP>
              <stixCommon:TTP idref="example:ttp-e610a4f1-9676-eab3-bcc6-b2768d58281a" />
          </indicator:Indicated_TTP>
      </stix:Indicator>
  </stix:Indicators>
  <stix:TTPs>
      <stix:TTP id="example:ttp-e610a4f1-9676-eab3-bcc6-b2768d58281a" xsi:type='ttp:TTPType'  timestamp="2014-02-20T09:00:00.000000Z">
          <ttp:Title>Poison Ivy</ttp:Title>
          <ttp:Behavior>
              <ttp:Malware>
                  <ttp:Malware_Instance id="example:malware-fdd60b30-b67c-11e3-b0b9-f01faf20d111">
                      <ttp:Type xsi:type="stixVocabs:MalwareTypeVocab-1.0">Remote Access Trojan</ttp:Type>
                      <ttp:Name>Poison Ivy</ttp:Name>
                  </ttp:Malware_Instance>
              </ttp:Malware>
          </ttp:Behavior>
      </stix:TTP>
  </stix:TTPs>

  2 property, but it is not an obligation.

• [
    {
      "type": "sighting",
      "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
      "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "created": "2016-04-06T20:08:31.000Z",
      "modified": "2016-04-06T20:08:31.000Z",
      "first_seen": "2015-12-21T19:00:00Z",
      "last_seen": "2015-12-21T19:00:00Z",
      "count": 50,
      "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
      "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
    },
    {
      "type": "observed-data",
      "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
      "created_by_ref": "identity--f431f809-377b-45e0-collectionaa1c-6a4751cae5ff",
      "created": "2016-04-06T19:58:16.000Z",
      "modified": "2016-04-06T19:58:16.000Z",
      "start": "2015-12-21T19:00:00Z",
      "stop": "2016-04-06T19:58:16Z",
      "count": 50,
      "objects": {
        "0": {
          "type": "file",
          ...
        }
      }
    }
  ]

  7: Individuals, groups, or organizations suspected of acting maliciously. Unlike

  [
    {
      "type": "sighting",
      "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
      "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "created": "2016-04-06T20:08:31.000Z",
      "modified": "2016-04-06T20:08:31.000Z",
      "first_seen": "2015-12-21T19:00:00Z",
      "last_seen": "2015-12-21T19:00:00Z",
      "count": 50,
      "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
      "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
    },
    {
      "type": "observed-data",
      "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
      "created_by_ref": "identity--f431f809-377b-45e0-collectionaa1c-6a4751cae5ff",
      "created": "2016-04-06T19:58:16.000Z",
      "modified": "2016-04-06T19:58:16.000Z",
      "start": "2015-12-21T19:00:00Z",
      "stop": "2016-04-06T19:58:16Z",
      "count": 50,
      "objects": {
        "0": {
          "type": "file",
          ...
        }
      }
    }
  ]

  4 which designates clearly identified actors,

  [
    {
      "type": "sighting",
      "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
      "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "created": "2016-04-06T20:08:31.000Z",
      "modified": "2016-04-06T20:08:31.000Z",
      "first_seen": "2015-12-21T19:00:00Z",
      "last_seen": "2015-12-21T19:00:00Z",
      "count": 50,
      "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
      "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
    },
    {
      "type": "observed-data",
      "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
      "created_by_ref": "identity--f431f809-377b-45e0-collectionaa1c-6a4751cae5ff",
      "created": "2016-04-06T19:58:16.000Z",
      "modified": "2016-04-06T19:58:16.000Z",
      "start": "2015-12-21T19:00:00Z",
      "stop": "2016-04-06T19:58:16Z",
      "count": 50,
      "objects": {
        "0": {
          "type": "file",
          ...
        }
      }
    }
  ]

  7 usually refers to malicious actors under a pseudonym. If identified, the SDO

  [
    {
      "type": "sighting",
      "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
      "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "created": "2016-04-06T20:08:31.000Z",
      "modified": "2016-04-06T20:08:31.000Z",
      "first_seen": "2015-12-21T19:00:00Z",
      "last_seen": "2015-12-21T19:00:00Z",
      "count": 50,
      "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
      "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
    },
    {
      "type": "observed-data",
      "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
      "created_by_ref": "identity--f431f809-377b-45e0-collectionaa1c-6a4751cae5ff",
      "created": "2016-04-06T19:58:16.000Z",
      "modified": "2016-04-06T19:58:16.000Z",
      "start": "2015-12-21T19:00:00Z",
      "stop": "2016-04-06T19:58:16Z",
      "count": 50,
      "objects": {
        "0": {
          "type": "file",
          ...
        }
      }
    }
  ]

  7 will be attached to an SDO

  [
    {
      "type": "sighting",
      "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
      "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "created": "2016-04-06T20:08:31.000Z",
      "modified": "2016-04-06T20:08:31.000Z",
      "first_seen": "2015-12-21T19:00:00Z",
      "last_seen": "2015-12-21T19:00:00Z",
      "count": 50,
      "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
      "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
    },
    {
      "type": "observed-data",
      "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
      "created_by_ref": "identity--f431f809-377b-45e0-collectionaa1c-6a4751cae5ff",
      "created": "2016-04-06T19:58:16.000Z",
      "modified": "2016-04-06T19:58:16.000Z",
      "start": "2015-12-21T19:00:00Z",
      "stop": "2016-04-06T19:58:16Z",
      "count": 50,
      "objects": {
        "0": {
          "type": "file",
          ...
        }
      }
    }
  ]

  4 by a relationship SRO with the relationship_type:

  curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/taxii/{
    "title": "CTI TAXII server",
    "description": "This TAXII server contains a listing of ATT&CK
                    domain collections expressed as STIX, including
                    PRE-ATT&CK, ATT&CK for Enterprise, and ATT&CK
                    Mobile.",
    "contact": "[email protected]",
    "default": "https://cti-taxii.mitre.org/stix/",
    "api_roots": [
      "https://cti-taxii.mitre.org/stix/"
    ]
  }

  0. Above all, it allows the specification of certain elements such as the level of resources (

  curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/taxii/{
    "title": "CTI TAXII server",
    "description": "This TAXII server contains a listing of ATT&CK
                    domain collections expressed as STIX, including
                    PRE-ATT&CK, ATT&CK for Enterprise, and ATT&CK
                    Mobile.",
    "contact": "[email protected]",
    "default": "https://cti-taxii.mitre.org/stix/",
    "api_roots": [
      "https://cti-taxii.mitre.org/stix/"
    ]
  }

  1), competences (

  curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/taxii/{
    "title": "CTI TAXII server",
    "description": "This TAXII server contains a listing of ATT&CK
                    domain collections expressed as STIX, including
                    PRE-ATT&CK, ATT&CK for Enterprise, and ATT&CK
                    Mobile.",
    "contact": "[email protected]",
    "default": "https://cti-taxii.mitre.org/stix/",
    "api_roots": [
      "https://cti-taxii.mitre.org/stix/"
    ]
  }

  2) or motivations (

  curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/taxii/{
    "title": "CTI TAXII server",
    "description": "This TAXII server contains a listing of ATT&CK
                    domain collections expressed as STIX, including
                    PRE-ATT&CK, ATT&CK for Enterprise, and ATT&CK
                    Mobile.",
    "contact": "[email protected]",
    "default": "https://cti-taxii.mitre.org/stix/",
    "api_roots": [
      "https://cti-taxii.mitre.org/stix/"
    ]
  }

  3,

  curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/taxii/{
    "title": "CTI TAXII server",
    "description": "This TAXII server contains a listing of ATT&CK
                    domain collections expressed as STIX, including
                    PRE-ATT&CK, ATT&CK for Enterprise, and ATT&CK
                    Mobile.",
    "contact": "[email protected]",
    "default": "https://cti-taxii.mitre.org/stix/",
    "api_roots": [
      "https://cti-taxii.mitre.org/stix/"
    ]
  }

  4, and

  curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/taxii/{
    "title": "CTI TAXII server",
    "description": "This TAXII server contains a listing of ATT&CK
                    domain collections expressed as STIX, including
                    PRE-ATT&CK, ATT&CK for Enterprise, and ATT&CK
                    Mobile.",
    "contact": "[email protected]",
    "default": "https://cti-taxii.mitre.org/stix/",
    "api_roots": [
      "https://cti-taxii.mitre.org/stix/"
    ]
  }

  5);

• curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/taxii/{
    "title": "CTI TAXII server",
    "description": "This TAXII server contains a listing of ATT&CK
                    domain collections expressed as STIX, including
                    PRE-ATT&CK, ATT&CK for Enterprise, and ATT&CK
                    Mobile.",
    "contact": "[email protected]",
    "default": "https://cti-taxii.mitre.org/stix/",
    "api_roots": [
      "https://cti-taxii.mitre.org/stix/"
    ]
  }

  6: Legitimate software that may have malicious use (e.g., RDP, Nmap, …);

• curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/taxii/{
    "title": "CTI TAXII server",
    "description": "This TAXII server contains a listing of ATT&CK
                    domain collections expressed as STIX, including
                    PRE-ATT&CK, ATT&CK for Enterprise, and ATT&CK
                    Mobile.",
    "contact": "[email protected]",
    "default": "https://cti-taxii.mitre.org/stix/",
    "api_roots": [
      "https://cti-taxii.mitre.org/stix/"
    ]
  }

  7: An error in software whose exploitation may allow illegitimate access to a system or network.

Some SDO properties take the form of unstructured textual data. Others can take their value in one of the defined by the standard to facilitate interoperability and automated use of intelligence.

For example, the skill level of a

[
  {
    "type": "sighting",
    "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:08:31.000Z",
    "modified": "2016-04-06T20:08:31.000Z",
    "first_seen": "2015-12-21T19:00:00Z",
    "last_seen": "2015-12-21T19:00:00Z",
    "count": 50,
    "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
    "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
  },
  {
    "type": "observed-data",
    "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
    "created_by_ref": "identity--f431f809-377b-45e0-collectionaa1c-6a4751cae5ff",
    "created": "2016-04-06T19:58:16.000Z",
    "modified": "2016-04-06T19:58:16.000Z",
    "start": "2015-12-21T19:00:00Z",
    "stop": "2016-04-06T19:58:16Z",
    "count": 50,
    "objects": {
      "0": {
        "type": "file",
        ...
      }
    }
  }
]

7 can take these values:

curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/taxii/{
  "title": "CTI TAXII server",
  "description": "This TAXII server contains a listing of ATT&CK
                  domain collections expressed as STIX, including
                  PRE-ATT&CK, ATT&CK for Enterprise, and ATT&CK
                  Mobile.",
  "contact": "[email protected]",
  "default": "https://cti-taxii.mitre.org/stix/",
  "api_roots": [
    "https://cti-taxii.mitre.org/stix/"
  ]
}

9,

curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/stix/collections/{
  "collections": [
    {
      "id": "95ecc380-afe9-11e4-9b6c-751b66dd541e",
      "title": "Enterprise ATT&CK",
      "description": "This data collection holds STIX objects from
                      Enterprise ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "062767bd-02d2-4b72-84ba-56caef0f8658",
      "title": "PRE-ATT&CK",
      "description": "This data collection holds STIX objects from
                      PRE-ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "2f669986-b40b-4423-b720-4396ca6a462b",
      "title": "Mobile ATT&CK",
      "description": "This data collection holds STIX objects from
                      Mobile ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    }
  ]
}

0,

curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/stix/collections/{
  "collections": [
    {
      "id": "95ecc380-afe9-11e4-9b6c-751b66dd541e",
      "title": "Enterprise ATT&CK",
      "description": "This data collection holds STIX objects from
                      Enterprise ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "062767bd-02d2-4b72-84ba-56caef0f8658",
      "title": "PRE-ATT&CK",
      "description": "This data collection holds STIX objects from
                      PRE-ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "2f669986-b40b-4423-b720-4396ca6a462b",
      "title": "Mobile ATT&CK",
      "description": "This data collection holds STIX objects from
                      Mobile ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    }
  ]
}

1,

curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/stix/collections/{
  "collections": [
    {
      "id": "95ecc380-afe9-11e4-9b6c-751b66dd541e",
      "title": "Enterprise ATT&CK",
      "description": "This data collection holds STIX objects from
                      Enterprise ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "062767bd-02d2-4b72-84ba-56caef0f8658",
      "title": "PRE-ATT&CK",
      "description": "This data collection holds STIX objects from
                      PRE-ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "2f669986-b40b-4423-b720-4396ca6a462b",
      "title": "Mobile ATT&CK",
      "description": "This data collection holds STIX objects from
                      Mobile ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    }
  ]
}

2,

curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/stix/collections/{
  "collections": [
    {
      "id": "95ecc380-afe9-11e4-9b6c-751b66dd541e",
      "title": "Enterprise ATT&CK",
      "description": "This data collection holds STIX objects from
                      Enterprise ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "062767bd-02d2-4b72-84ba-56caef0f8658",
      "title": "PRE-ATT&CK",
      "description": "This data collection holds STIX objects from
                      PRE-ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "2f669986-b40b-4423-b720-4396ca6a462b",
      "title": "Mobile ATT&CK",
      "description": "This data collection holds STIX objects from
                      Mobile ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    }
  ]
}

3,

curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/stix/collections/{
  "collections": [
    {
      "id": "95ecc380-afe9-11e4-9b6c-751b66dd541e",
      "title": "Enterprise ATT&CK",
      "description": "This data collection holds STIX objects from
                      Enterprise ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "062767bd-02d2-4b72-84ba-56caef0f8658",
      "title": "PRE-ATT&CK",
      "description": "This data collection holds STIX objects from
                      PRE-ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "2f669986-b40b-4423-b720-4396ca6a462b",
      "title": "Mobile ATT&CK",
      "description": "This data collection holds STIX objects from
                      Mobile ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    }
  ]
}

4, or

curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/stix/collections/{
  "collections": [
    {
      "id": "95ecc380-afe9-11e4-9b6c-751b66dd541e",
      "title": "Enterprise ATT&CK",
      "description": "This data collection holds STIX objects from
                      Enterprise ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "062767bd-02d2-4b72-84ba-56caef0f8658",
      "title": "PRE-ATT&CK",
      "description": "This data collection holds STIX objects from
                      PRE-ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "2f669986-b40b-4423-b720-4396ca6a462b",
      "title": "Mobile ATT&CK",
      "description": "This data collection holds STIX objects from
                      Mobile ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    }
  ]
}

5. The meaning of these values is defined in the .

Another example: a malware must be characterized via the property

curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/stix/collections/{
  "collections": [
    {
      "id": "95ecc380-afe9-11e4-9b6c-751b66dd541e",
      "title": "Enterprise ATT&CK",
      "description": "This data collection holds STIX objects from
                      Enterprise ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "062767bd-02d2-4b72-84ba-56caef0f8658",
      "title": "PRE-ATT&CK",
      "description": "This data collection holds STIX objects from
                      PRE-ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "2f669986-b40b-4423-b720-4396ca6a462b",
      "title": "Mobile ATT&CK",
      "description": "This data collection holds STIX objects from
                      Mobile ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    }
  ]
}

7 by taking at least one of:

curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/stix/collections/{
  "collections": [
    {
      "id": "95ecc380-afe9-11e4-9b6c-751b66dd541e",
      "title": "Enterprise ATT&CK",
      "description": "This data collection holds STIX objects from
                      Enterprise ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "062767bd-02d2-4b72-84ba-56caef0f8658",
      "title": "PRE-ATT&CK",
      "description": "This data collection holds STIX objects from
                      PRE-ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "2f669986-b40b-4423-b720-4396ca6a462b",
      "title": "Mobile ATT&CK",
      "description": "This data collection holds STIX objects from
                      Mobile ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    }
  ]
}

8,

curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/stix/collections/{
  "collections": [
    {
      "id": "95ecc380-afe9-11e4-9b6c-751b66dd541e",
      "title": "Enterprise ATT&CK",
      "description": "This data collection holds STIX objects from
                      Enterprise ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "062767bd-02d2-4b72-84ba-56caef0f8658",
      "title": "PRE-ATT&CK",
      "description": "This data collection holds STIX objects from
                      PRE-ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "2f669986-b40b-4423-b720-4396ca6a462b",
      "title": "Mobile ATT&CK",
      "description": "This data collection holds STIX objects from
                      Mobile ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    }
  ]
}

9,

curl -H "Accept: application/vnd.oasis.stix+json; version=2.0" -H "Range: items=0-0" https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/objects/?match[type]=malware{
  "type": "bundle",
  "id": "bundle--1dc92c96-cf6b-4ba0-bf92-a3208cc265de",
  "spec_version": "2.0",
  "objects": [
    {
      "external_references": [
        {
          "external_id": "S0369",
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/software/S0369"
        },
        {
          "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/",
          "source_name": "CoinTicker 2019",
          "description": "Thomas Reed. (2018, October 29). Mac
                          cryptocurrency ticker app installs
                          backdoors. Retrieved April 23, 2019."
        }
      ],
      "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
      ],
      "modified": "2019-04-29T21:19:34.739Z",
      "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      "id": "malware--d1531eaa-9e17-473e-a680-3298469662c3",
      "name": "CoinTicker",
      "created": "2019-04-23T18:41:36.914Z",
      "labels": [
        "malware"
      ],
      "type": "malware",
      "description": "[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)",
      "x_mitre_contributors": [
        "Richie Cyrus, SpecterOps"
      ],
      "x_mitre_aliases": [
        "CoinTicker"
      ],
      "x_mitre_platforms": [
        "macOS"
      ],
      "x_mitre_version": "1.0"
    }
  ]
}

0,

curl -H "Accept: application/vnd.oasis.stix+json; version=2.0" -H "Range: items=0-0" https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/objects/?match[type]=malware{
  "type": "bundle",
  "id": "bundle--1dc92c96-cf6b-4ba0-bf92-a3208cc265de",
  "spec_version": "2.0",
  "objects": [
    {
      "external_references": [
        {
          "external_id": "S0369",
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/software/S0369"
        },
        {
          "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/",
          "source_name": "CoinTicker 2019",
          "description": "Thomas Reed. (2018, October 29). Mac
                          cryptocurrency ticker app installs
                          backdoors. Retrieved April 23, 2019."
        }
      ],
      "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
      ],
      "modified": "2019-04-29T21:19:34.739Z",
      "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      "id": "malware--d1531eaa-9e17-473e-a680-3298469662c3",
      "name": "CoinTicker",
      "created": "2019-04-23T18:41:36.914Z",
      "labels": [
        "malware"
      ],
      "type": "malware",
      "description": "[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)",
      "x_mitre_contributors": [
        "Richie Cyrus, SpecterOps"
      ],
      "x_mitre_aliases": [
        "CoinTicker"
      ],
      "x_mitre_platforms": [
        "macOS"
      ],
      "x_mitre_version": "1.0"
    }
  ]
}

1,

curl -H "Accept: application/vnd.oasis.stix+json; version=2.0" -H "Range: items=0-0" https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/objects/?match[type]=malware{
  "type": "bundle",
  "id": "bundle--1dc92c96-cf6b-4ba0-bf92-a3208cc265de",
  "spec_version": "2.0",
  "objects": [
    {
      "external_references": [
        {
          "external_id": "S0369",
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/software/S0369"
        },
        {
          "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/",
          "source_name": "CoinTicker 2019",
          "description": "Thomas Reed. (2018, October 29). Mac
                          cryptocurrency ticker app installs
                          backdoors. Retrieved April 23, 2019."
        }
      ],
      "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
      ],
      "modified": "2019-04-29T21:19:34.739Z",
      "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      "id": "malware--d1531eaa-9e17-473e-a680-3298469662c3",
      "name": "CoinTicker",
      "created": "2019-04-23T18:41:36.914Z",
      "labels": [
        "malware"
      ],
      "type": "malware",
      "description": "[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)",
      "x_mitre_contributors": [
        "Richie Cyrus, SpecterOps"
      ],
      "x_mitre_aliases": [
        "CoinTicker"
      ],
      "x_mitre_platforms": [
        "macOS"
      ],
      "x_mitre_version": "1.0"
    }
  ]
}

2,

curl -H "Accept: application/vnd.oasis.stix+json; version=2.0" -H "Range: items=0-0" https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/objects/?match[type]=malware{
  "type": "bundle",
  "id": "bundle--1dc92c96-cf6b-4ba0-bf92-a3208cc265de",
  "spec_version": "2.0",
  "objects": [
    {
      "external_references": [
        {
          "external_id": "S0369",
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/software/S0369"
        },
        {
          "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/",
          "source_name": "CoinTicker 2019",
          "description": "Thomas Reed. (2018, October 29). Mac
                          cryptocurrency ticker app installs
                          backdoors. Retrieved April 23, 2019."
        }
      ],
      "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
      ],
      "modified": "2019-04-29T21:19:34.739Z",
      "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      "id": "malware--d1531eaa-9e17-473e-a680-3298469662c3",
      "name": "CoinTicker",
      "created": "2019-04-23T18:41:36.914Z",
      "labels": [
        "malware"
      ],
      "type": "malware",
      "description": "[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)",
      "x_mitre_contributors": [
        "Richie Cyrus, SpecterOps"
      ],
      "x_mitre_aliases": [
        "CoinTicker"
      ],
      "x_mitre_platforms": [
        "macOS"
      ],
      "x_mitre_version": "1.0"
    }
  ]
}

3,

curl -H "Accept: application/vnd.oasis.stix+json; version=2.0" -H "Range: items=0-0" https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/objects/?match[type]=malware{
  "type": "bundle",
  "id": "bundle--1dc92c96-cf6b-4ba0-bf92-a3208cc265de",
  "spec_version": "2.0",
  "objects": [
    {
      "external_references": [
        {
          "external_id": "S0369",
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/software/S0369"
        },
        {
          "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/",
          "source_name": "CoinTicker 2019",
          "description": "Thomas Reed. (2018, October 29). Mac
                          cryptocurrency ticker app installs
                          backdoors. Retrieved April 23, 2019."
        }
      ],
      "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
      ],
      "modified": "2019-04-29T21:19:34.739Z",
      "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      "id": "malware--d1531eaa-9e17-473e-a680-3298469662c3",
      "name": "CoinTicker",
      "created": "2019-04-23T18:41:36.914Z",
      "labels": [
        "malware"
      ],
      "type": "malware",
      "description": "[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)",
      "x_mitre_contributors": [
        "Richie Cyrus, SpecterOps"
      ],
      "x_mitre_aliases": [
        "CoinTicker"
      ],
      "x_mitre_platforms": [
        "macOS"
      ],
      "x_mitre_version": "1.0"
    }
  ]
}

4,

curl -H "Accept: application/vnd.oasis.stix+json; version=2.0" -H "Range: items=0-0" https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/objects/?match[type]=malware{
  "type": "bundle",
  "id": "bundle--1dc92c96-cf6b-4ba0-bf92-a3208cc265de",
  "spec_version": "2.0",
  "objects": [
    {
      "external_references": [
        {
          "external_id": "S0369",
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/software/S0369"
        },
        {
          "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/",
          "source_name": "CoinTicker 2019",
          "description": "Thomas Reed. (2018, October 29). Mac
                          cryptocurrency ticker app installs
                          backdoors. Retrieved April 23, 2019."
        }
      ],
      "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
      ],
      "modified": "2019-04-29T21:19:34.739Z",
      "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      "id": "malware--d1531eaa-9e17-473e-a680-3298469662c3",
      "name": "CoinTicker",
      "created": "2019-04-23T18:41:36.914Z",
      "labels": [
        "malware"
      ],
      "type": "malware",
      "description": "[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)",
      "x_mitre_contributors": [
        "Richie Cyrus, SpecterOps"
      ],
      "x_mitre_aliases": [
        "CoinTicker"
      ],
      "x_mitre_platforms": [
        "macOS"
      ],
      "x_mitre_version": "1.0"
    }
  ]
}

5,

curl -H "Accept: application/vnd.oasis.stix+json; version=2.0" -H "Range: items=0-0" https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/objects/?match[type]=malware{
  "type": "bundle",
  "id": "bundle--1dc92c96-cf6b-4ba0-bf92-a3208cc265de",
  "spec_version": "2.0",
  "objects": [
    {
      "external_references": [
        {
          "external_id": "S0369",
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/software/S0369"
        },
        {
          "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/",
          "source_name": "CoinTicker 2019",
          "description": "Thomas Reed. (2018, October 29). Mac
                          cryptocurrency ticker app installs
                          backdoors. Retrieved April 23, 2019."
        }
      ],
      "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
      ],
      "modified": "2019-04-29T21:19:34.739Z",
      "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      "id": "malware--d1531eaa-9e17-473e-a680-3298469662c3",
      "name": "CoinTicker",
      "created": "2019-04-23T18:41:36.914Z",
      "labels": [
        "malware"
      ],
      "type": "malware",
      "description": "[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)",
      "x_mitre_contributors": [
        "Richie Cyrus, SpecterOps"
      ],
      "x_mitre_aliases": [
        "CoinTicker"
      ],
      "x_mitre_platforms": [
        "macOS"
      ],
      "x_mitre_version": "1.0"
    }
  ]
}

6,

curl -H "Accept: application/vnd.oasis.stix+json; version=2.0" -H "Range: items=0-0" https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/objects/?match[type]=malware{
  "type": "bundle",
  "id": "bundle--1dc92c96-cf6b-4ba0-bf92-a3208cc265de",
  "spec_version": "2.0",
  "objects": [
    {
      "external_references": [
        {
          "external_id": "S0369",
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/software/S0369"
        },
        {
          "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/",
          "source_name": "CoinTicker 2019",
          "description": "Thomas Reed. (2018, October 29). Mac
                          cryptocurrency ticker app installs
                          backdoors. Retrieved April 23, 2019."
        }
      ],
      "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
      ],
      "modified": "2019-04-29T21:19:34.739Z",
      "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      "id": "malware--d1531eaa-9e17-473e-a680-3298469662c3",
      "name": "CoinTicker",
      "created": "2019-04-23T18:41:36.914Z",
      "labels": [
        "malware"
      ],
      "type": "malware",
      "description": "[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)",
      "x_mitre_contributors": [
        "Richie Cyrus, SpecterOps"
      ],
      "x_mitre_aliases": [
        "CoinTicker"
      ],
      "x_mitre_platforms": [
        "macOS"
      ],
      "x_mitre_version": "1.0"
    }
  ]
}

7,

curl -H "Accept: application/vnd.oasis.stix+json; version=2.0" -H "Range: items=0-0" https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/objects/?match[type]=malware{
  "type": "bundle",
  "id": "bundle--1dc92c96-cf6b-4ba0-bf92-a3208cc265de",
  "spec_version": "2.0",
  "objects": [
    {
      "external_references": [
        {
          "external_id": "S0369",
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/software/S0369"
        },
        {
          "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/",
          "source_name": "CoinTicker 2019",
          "description": "Thomas Reed. (2018, October 29). Mac
                          cryptocurrency ticker app installs
                          backdoors. Retrieved April 23, 2019."
        }
      ],
      "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
      ],
      "modified": "2019-04-29T21:19:34.739Z",
      "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      "id": "malware--d1531eaa-9e17-473e-a680-3298469662c3",
      "name": "CoinTicker",
      "created": "2019-04-23T18:41:36.914Z",
      "labels": [
        "malware"
      ],
      "type": "malware",
      "description": "[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)",
      "x_mitre_contributors": [
        "Richie Cyrus, SpecterOps"
      ],
      "x_mitre_aliases": [
        "CoinTicker"
      ],
      "x_mitre_platforms": [
        "macOS"
      ],
      "x_mitre_version": "1.0"
    }
  ]
}

8,

curl -H "Accept: application/vnd.oasis.stix+json; version=2.0" -H "Range: items=0-0" https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/objects/?match[type]=malware{
  "type": "bundle",
  "id": "bundle--1dc92c96-cf6b-4ba0-bf92-a3208cc265de",
  "spec_version": "2.0",
  "objects": [
    {
      "external_references": [
        {
          "external_id": "S0369",
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/software/S0369"
        },
        {
          "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/",
          "source_name": "CoinTicker 2019",
          "description": "Thomas Reed. (2018, October 29). Mac
                          cryptocurrency ticker app installs
                          backdoors. Retrieved April 23, 2019."
        }
      ],
      "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
      ],
      "modified": "2019-04-29T21:19:34.739Z",
      "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      "id": "malware--d1531eaa-9e17-473e-a680-3298469662c3",
      "name": "CoinTicker",
      "created": "2019-04-23T18:41:36.914Z",
      "labels": [
        "malware"
      ],
      "type": "malware",
      "description": "[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)",
      "x_mitre_contributors": [
        "Richie Cyrus, SpecterOps"
      ],
      "x_mitre_aliases": [
        "CoinTicker"
      ],
      "x_mitre_platforms": [
        "macOS"
      ],
      "x_mitre_version": "1.0"
    }
  ]
}

9, indicator0, indicator1, indicator2, indicator3, indicator4. Of course, one can choose another value but there are no guarantees that it is going to be understood by third party tools.

SROs: STIX Relationship Objects

The standard also defines two : relationship and indicator6. The relationship SRO is used to link two SDOs and describe their relationship via the relationship_type property as already discussed with the

[
  {
    "type": "sighting",
    "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:08:31.000Z",
    "modified": "2016-04-06T20:08:31.000Z",
    "first_seen": "2015-12-21T19:00:00Z",
    "last_seen": "2015-12-21T19:00:00Z",
    "count": 50,
    "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
    "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
  },
  {
    "type": "observed-data",
    "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
    "created_by_ref": "identity--f431f809-377b-45e0-collectionaa1c-6a4751cae5ff",
    "created": "2016-04-06T19:58:16.000Z",
    "modified": "2016-04-06T19:58:16.000Z",
    "start": "2015-12-21T19:00:00Z",
    "stop": "2016-04-06T19:58:16Z",
    "count": 50,
    "objects": {
      "0": {
        "type": "file",
        ...
      }
    }
  }
]

0 and

curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/taxii/{
  "title": "CTI TAXII server",
  "description": "This TAXII server contains a listing of ATT&CK
                  domain collections expressed as STIX, including
                  PRE-ATT&CK, ATT&CK for Enterprise, and ATT&CK
                  Mobile.",
  "contact": "[email protected]",
  "default": "https://cti-taxii.mitre.org/stix/",
  "api_roots": [
    "https://cti-taxii.mitre.org/stix/"
  ]
}

0 types for example. Let us pause for a second and note that STIX defines a STIX Relationship Objects (SRO) class that contains object named relationship having one property named relationship_type.

The other SRO, indicator6, expresses the suspicion that a CTI (Cyber Threat Intelligence) element has been seen (e.g., indicator, malware). Unlike the relationship SRO, it can be linked to one or more SDOs. In its minimal form it indicates the sighted SDO, but can also specify the concretely observed-data on which the suspicion is based (

<stix:Indicators>
    <stix:Indicator id="example:indicator-a932fcc6-e032-176c-126f-cb970a5a1ade" xsi:type='indicator:IndicatorType'  timestamp="2014-02-20T09:00:00.000000Z">
        <indicator:Title>File hash for Poison Ivy variant</indicator:Title>
        <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">File Hash Watchlist</indicator:Type>
        <indicator:Observable id="example:Observable-7d6f87bb-b4cd-42dd-b655-72557e9ea79f">
            <cybox:Object id="example:File-91040dc2-28d8-4925-bfe8-6b50d300afe1">
                <cybox:Properties xsi:type="FileObj:FileObjectType">
                    <FileObj:Hashes>
                        <cyboxCommon:Hash>
                            <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
                            <cyboxCommon:Simple_Hash_Value condition="Equals">ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c</cyboxCommon:Simple_Hash_Value>
                        </cyboxCommon:Hash>
                    </FileObj:Hashes>
                </cybox:Properties>
            </cybox:Object>
        </indicator:Observable>
        <indicator:Indicated_TTP>
            <stixCommon:TTP idref="example:ttp-e610a4f1-9676-eab3-bcc6-b2768d58281a" />
        </indicator:Indicated_TTP>
    </stix:Indicator>
</stix:Indicators>
<stix:TTPs>
    <stix:TTP id="example:ttp-e610a4f1-9676-eab3-bcc6-b2768d58281a" xsi:type='ttp:TTPType'  timestamp="2014-02-20T09:00:00.000000Z">
        <ttp:Title>Poison Ivy</ttp:Title>
        <ttp:Behavior>
            <ttp:Malware>
                <ttp:Malware_Instance id="example:malware-fdd60b30-b67c-11e3-b0b9-f01faf20d111">
                    <ttp:Type xsi:type="stixVocabs:MalwareTypeVocab-1.0">Remote Access Trojan</ttp:Type>
                    <ttp:Name>Poison Ivy</ttp:Name>
                </ttp:Malware_Instance>
            </ttp:Malware>
        </ttp:Behavior>
    </stix:TTP>
</stix:TTPs>

0) as well as the victims (

[
  {
    "type": "sighting",
    "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:08:31.000Z",
    "modified": "2016-04-06T20:08:31.000Z",
    "first_seen": "2015-12-21T19:00:00Z",
    "last_seen": "2015-12-21T19:00:00Z",
    "count": 50,
    "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
    "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
  },
  {
    "type": "observed-data",
    "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
    "created_by_ref": "identity--f431f809-377b-45e0-collectionaa1c-6a4751cae5ff",
    "created": "2016-04-06T19:58:16.000Z",
    "modified": "2016-04-06T19:58:16.000Z",
    "start": "2015-12-21T19:00:00Z",
    "stop": "2016-04-06T19:58:16Z",
    "count": 50,
    "objects": {
      "0": {
        "type": "file",
        ...
      }
    }
  }
]

4) having seen the SDO. In the form of a graph, this SRO is generally represented by a node like an SDO for instance. However the value of a indicator6 does not rest in the indicator6 itself but in the relationship between the sighted SDO, the observed data and the victims. Its classification as an SRO is therefore well justified.
The following collection, also from the standard, completes the previous example with indicator6 and

<stix:Indicators>
    <stix:Indicator id="example:indicator-a932fcc6-e032-176c-126f-cb970a5a1ade" xsi:type='indicator:IndicatorType'  timestamp="2014-02-20T09:00:00.000000Z">
        <indicator:Title>File hash for Poison Ivy variant</indicator:Title>
        <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">File Hash Watchlist</indicator:Type>
        <indicator:Observable id="example:Observable-7d6f87bb-b4cd-42dd-b655-72557e9ea79f">
            <cybox:Object id="example:File-91040dc2-28d8-4925-bfe8-6b50d300afe1">
                <cybox:Properties xsi:type="FileObj:FileObjectType">
                    <FileObj:Hashes>
                        <cyboxCommon:Hash>
                            <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
                            <cyboxCommon:Simple_Hash_Value condition="Equals">ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c</cyboxCommon:Simple_Hash_Value>
                        </cyboxCommon:Hash>
                    </FileObj:Hashes>
                </cybox:Properties>
            </cybox:Object>
        </indicator:Observable>
        <indicator:Indicated_TTP>
            <stixCommon:TTP idref="example:ttp-e610a4f1-9676-eab3-bcc6-b2768d58281a" />
        </indicator:Indicated_TTP>
    </stix:Indicator>
</stix:Indicators>
<stix:TTPs>
    <stix:TTP id="example:ttp-e610a4f1-9676-eab3-bcc6-b2768d58281a" xsi:type='ttp:TTPType'  timestamp="2014-02-20T09:00:00.000000Z">
        <ttp:Title>Poison Ivy</ttp:Title>
        <ttp:Behavior>
            <ttp:Malware>
                <ttp:Malware_Instance id="example:malware-fdd60b30-b67c-11e3-b0b9-f01faf20d111">
                    <ttp:Type xsi:type="stixVocabs:MalwareTypeVocab-1.0">Remote Access Trojan</ttp:Type>
                    <ttp:Name>Poison Ivy</ttp:Name>
                </ttp:Malware_Instance>
            </ttp:Malware>
        </ttp:Behavior>
    </stix:TTP>
</stix:TTPs>

0.

[
  {
    "type": "sighting",
    "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:08:31.000Z",
    "modified": "2016-04-06T20:08:31.000Z",
    "first_seen": "2015-12-21T19:00:00Z",
    "last_seen": "2015-12-21T19:00:00Z",
    "count": 50,
    "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
    "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
  },
  {
    "type": "observed-data",
    "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
    "created_by_ref": "identity--f431f809-377b-45e0-collectionaa1c-6a4751cae5ff",
    "created": "2016-04-06T19:58:16.000Z",
    "modified": "2016-04-06T19:58:16.000Z",
    "start": "2015-12-21T19:00:00Z",
    "stop": "2016-04-06T19:58:16Z",
    "count": 50,
    "objects": {
      "0": {
        "type": "file",
        ...
      }
    }
  }
]

Comparison with version 1.x

Consider the equivalent of our first example in the STIX 1.2 documentation:

<stix:Indicators>
    <stix:Indicator id="example:indicator-a932fcc6-e032-176c-126f-cb970a5a1ade" xsi:type='indicator:IndicatorType'  timestamp="2014-02-20T09:00:00.000000Z">
        <indicator:Title>File hash for Poison Ivy variant</indicator:Title>
        <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">File Hash Watchlist</indicator:Type>
        <indicator:Observable id="example:Observable-7d6f87bb-b4cd-42dd-b655-72557e9ea79f">
            <cybox:Object id="example:File-91040dc2-28d8-4925-bfe8-6b50d300afe1">
                <cybox:Properties xsi:type="FileObj:FileObjectType">
                    <FileObj:Hashes>
                        <cyboxCommon:Hash>
                            <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
                            <cyboxCommon:Simple_Hash_Value condition="Equals">ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c</cyboxCommon:Simple_Hash_Value>
                        </cyboxCommon:Hash>
                    </FileObj:Hashes>
                </cybox:Properties>
            </cybox:Object>
        </indicator:Observable>
        <indicator:Indicated_TTP>
            <stixCommon:TTP idref="example:ttp-e610a4f1-9676-eab3-bcc6-b2768d58281a" />
        </indicator:Indicated_TTP>
    </stix:Indicator>
</stix:Indicators>
<stix:TTPs>
    <stix:TTP id="example:ttp-e610a4f1-9676-eab3-bcc6-b2768d58281a" xsi:type='ttp:TTPType'  timestamp="2014-02-20T09:00:00.000000Z">
        <ttp:Title>Poison Ivy</ttp:Title>
        <ttp:Behavior>
            <ttp:Malware>
                <ttp:Malware_Instance id="example:malware-fdd60b30-b67c-11e3-b0b9-f01faf20d111">
                    <ttp:Type xsi:type="stixVocabs:MalwareTypeVocab-1.0">Remote Access Trojan</ttp:Type>
                    <ttp:Name>Poison Ivy</ttp:Name>
                </ttp:Malware_Instance>
            </ttp:Malware>
        </ttp:Behavior>
    </stix:TTP>
</stix:TTPs>

The first obvious difference is the use of XML in this version while version 2 uses JSON. We note then that the relationship between the hash and the malware is not an object in itself in version 1, but included in the indicator. This indicator is also not a top-level object since it is encapsulated in a relationship3. As for the malware, it is located even more deeply in the hierarchy. Moreover, the pattern is expressed here in XML, while the pattern in version 2 uses a specific language.

All this contributes to the OASIS CTI TC simplification and rationalization effort, sometimes to the detriment of the accuracy and expressiveness of the language. However this expressiveness was not really exploited and only a subset of STIX 1.x was actually used with a common understanding.

In addition to the lack of SRO equivalents in STIX 1, there are similarities in STIX 2.0 SDOs and STIX 1 components. Report, campaign, course of action, indicator, and threat actor are present in both standards. Exploit target in STIX 1.x is close to

curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/taxii/{
  "title": "CTI TAXII server",
  "description": "This TAXII server contains a listing of ATT&CK
                  domain collections expressed as STIX, including
                  PRE-ATT&CK, ATT&CK for Enterprise, and ATT&CK
                  Mobile.",
  "contact": "[email protected]",
  "default": "https://cti-taxii.mitre.org/stix/",
  "api_roots": [
    "https://cti-taxii.mitre.org/stix/"
  ]
}

7 in STIX 2.0, and TTP (Tactics, Techniques, and Procedures) includes, among others,

[
  {
    "type": "sighting",
    "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:08:31.000Z",
    "modified": "2016-04-06T20:08:31.000Z",
    "first_seen": "2015-12-21T19:00:00Z",
    "last_seen": "2015-12-21T19:00:00Z",
    "count": 50,
    "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
    "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
  },
  {
    "type": "observed-data",
    "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
    "created_by_ref": "identity--f431f809-377b-45e0-collectionaa1c-6a4751cae5ff",
    "created": "2016-04-06T19:58:16.000Z",
    "modified": "2016-04-06T19:58:16.000Z",
    "start": "2015-12-21T19:00:00Z",
    "stop": "2016-04-06T19:58:16Z",
    "count": 50,
    "objects": {
      "0": {
        "type": "file",
        ...
      }
    }
  }
]

1 and malware. STIX 2.0 also defines

[
  {
    "type": "sighting",
    "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:08:31.000Z",
    "modified": "2016-04-06T20:08:31.000Z",
    "first_seen": "2015-12-21T19:00:00Z",
    "last_seen": "2015-12-21T19:00:00Z",
    "count": 50,
    "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
    "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
  },
  {
    "type": "observed-data",
    "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
    "created_by_ref": "identity--f431f809-377b-45e0-collectionaa1c-6a4751cae5ff",
    "created": "2016-04-06T19:58:16.000Z",
    "modified": "2016-04-06T19:58:16.000Z",
    "start": "2015-12-21T19:00:00Z",
    "stop": "2016-04-06T19:58:16Z",
    "count": 50,
    "objects": {
      "0": {
        "type": "file",
        ...
      }
    }
  }
]

4,

<stix:Indicators>
    <stix:Indicator id="example:indicator-a932fcc6-e032-176c-126f-cb970a5a1ade" xsi:type='indicator:IndicatorType'  timestamp="2014-02-20T09:00:00.000000Z">
        <indicator:Title>File hash for Poison Ivy variant</indicator:Title>
        <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">File Hash Watchlist</indicator:Type>
        <indicator:Observable id="example:Observable-7d6f87bb-b4cd-42dd-b655-72557e9ea79f">
            <cybox:Object id="example:File-91040dc2-28d8-4925-bfe8-6b50d300afe1">
                <cybox:Properties xsi:type="FileObj:FileObjectType">
                    <FileObj:Hashes>
                        <cyboxCommon:Hash>
                            <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
                            <cyboxCommon:Simple_Hash_Value condition="Equals">ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c</cyboxCommon:Simple_Hash_Value>
                        </cyboxCommon:Hash>
                    </FileObj:Hashes>
                </cybox:Properties>
            </cybox:Object>
        </indicator:Observable>
        <indicator:Indicated_TTP>
            <stixCommon:TTP idref="example:ttp-e610a4f1-9676-eab3-bcc6-b2768d58281a" />
        </indicator:Indicated_TTP>
    </stix:Indicator>
</stix:Indicators>
<stix:TTPs>
    <stix:TTP id="example:ttp-e610a4f1-9676-eab3-bcc6-b2768d58281a" xsi:type='ttp:TTPType'  timestamp="2014-02-20T09:00:00.000000Z">
        <ttp:Title>Poison Ivy</ttp:Title>
        <ttp:Behavior>
            <ttp:Malware>
                <ttp:Malware_Instance id="example:malware-fdd60b30-b67c-11e3-b0b9-f01faf20d111">
                    <ttp:Type xsi:type="stixVocabs:MalwareTypeVocab-1.0">Remote Access Trojan</ttp:Type>
                    <ttp:Name>Poison Ivy</ttp:Name>
                </ttp:Malware_Instance>
            </ttp:Malware>
        </ttp:Behavior>
    </stix:TTP>
</stix:TTPs>

0, and

curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/taxii/{
  "title": "CTI TAXII server",
  "description": "This TAXII server contains a listing of ATT&CK
                  domain collections expressed as STIX, including
                  PRE-ATT&CK, ATT&CK for Enterprise, and ATT&CK
                  Mobile.",
  "contact": "[email protected]",
  "default": "https://cti-taxii.mitre.org/stix/",
  "api_roots": [
    "https://cti-taxii.mitre.org/stix/"
  ]
}

6 that have equivalents in STIX 1.x but not as first-level components, as well as

[
  {
    "type": "sighting",
    "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:08:31.000Z",
    "modified": "2016-04-06T20:08:31.000Z",
    "first_seen": "2015-12-21T19:00:00Z",
    "last_seen": "2015-12-21T19:00:00Z",
    "count": 50,
    "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
    "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
  },
  {
    "type": "observed-data",
    "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
    "created_by_ref": "identity--f431f809-377b-45e0-collectionaa1c-6a4751cae5ff",
    "created": "2016-04-06T19:58:16.000Z",
    "modified": "2016-04-06T19:58:16.000Z",
    "start": "2015-12-21T19:00:00Z",
    "stop": "2016-04-06T19:58:16Z",
    "count": 50,
    "objects": {
      "0": {
        "type": "file",
        ...
      }
    }
  }
]

6 that has no direct equivalent. On the other hand, the incident component in STIX 1.x has no real equivalent in STIX 2.0.

Both standards remain sufficiently similar and it is usually possible to convert documents from one to the other:

• stix2-elevator converts STIX 1.x XML into STIX 2.0 JSON;
• stix-slider performs the reverse operation.

However the CTI TC warns that the conversion is not perfect and that difficulties may arise, especially for the conversion 1.x to 2.0.

TAXII

TAXII, or Trusted Automated Exchange of Intelligence Information, is an intelligence exchange protocol over HTTPS. The standard defines a set of requirements for clients/servers and a REST API to interact with two types of services:

• Collection: An interface to a server-provided repository of objects that allows a producer to serve consumers in a request-response template;
• Channel: allows the exchange of information according to a publish-subscribe model.

In reality, the channel service is not yet standardized and the term is only reserved for the moment.

The search for information on a TAXII server can proceed as follows:

1. A GET request on the relationship_type1 resource to obtain a list of URLs identifying API roots, relationship_type2;
2. A GET request on the resource relationship_type3 to obtain the identifiers of the collections served by an relationship_type4;
3. A GET request on the resource relationship_type5 to obtain the objects respecting a certain filter.

It is possible to restrict this last request to objects published after a certain date and filter them by identifier, type, or version. Indeed, STIX has a rudimentary version management system via the relationship_type6 property.

As an example, let us interact with one of :

curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/taxii/{
  "title": "CTI TAXII server",
  "description": "This TAXII server contains a listing of ATT&CK
                  domain collections expressed as STIX, including
                  PRE-ATT&CK, ATT&CK for Enterprise, and ATT&CK
                  Mobile.",
  "contact": "[email protected]",
  "default": "https://cti-taxii.mitre.org/stix/",
  "api_roots": [
    "https://cti-taxii.mitre.org/stix/"
  ]
}

In this case, there is only one api root, we can retrieve the collections it serves:

curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/stix/collections/{
  "collections": [
    {
      "id": "95ecc380-afe9-11e4-9b6c-751b66dd541e",
      "title": "Enterprise ATT&CK",
      "description": "This data collection holds STIX objects from
                      Enterprise ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "062767bd-02d2-4b72-84ba-56caef0f8658",
      "title": "PRE-ATT&CK",
      "description": "This data collection holds STIX objects from
                      PRE-ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "2f669986-b40b-4423-b720-4396ca6a462b",
      "title": "Mobile ATT&CK",
      "description": "This data collection holds STIX objects from
                      Mobile ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    }
  ]
}

We can now request objects from any of those collections. As an example, the following command retrieves one malware SDO from the first collection (we updated the media type for this one and are not requesting taxii anymore):

curl -H "Accept: application/vnd.oasis.stix+json; version=2.0" -H "Range: items=0-0" https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/objects/?match[type]=malware{
  "type": "bundle",
  "id": "bundle--1dc92c96-cf6b-4ba0-bf92-a3208cc265de",
  "spec_version": "2.0",
  "objects": [
    {
      "external_references": [
        {
          "external_id": "S0369",
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/software/S0369"
        },
        {
          "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/",
          "source_name": "CoinTicker 2019",
          "description": "Thomas Reed. (2018, October 29). Mac
                          cryptocurrency ticker app installs
                          backdoors. Retrieved April 23, 2019."
        }
      ],
      "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
      ],
      "modified": "2019-04-29T21:19:34.739Z",
      "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      "id": "malware--d1531eaa-9e17-473e-a680-3298469662c3",
      "name": "CoinTicker",
      "created": "2019-04-23T18:41:36.914Z",
      "labels": [
        "malware"
      ],
      "type": "malware",
      "description": "[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)",
      "x_mitre_contributors": [
        "Richie Cyrus, SpecterOps"
      ],
      "x_mitre_aliases": [
        "CoinTicker"
      ],
      "x_mitre_platforms": [
        "macOS"
      ],
      "x_mitre_version": "1.0"
    }
  ]
}

Note that if STIX and TAXII are the result of a common effort, and although a TAXII server must be able to handle STIX, these two standards remain independent. It is possible to exchange STIX information without TAXII, and a TAXII server can also handle other intelligence formats.

Conclusion

To be more effective, information sharing on cyber threats must be done within a large community according to a clear standard to facilitate automation. STIX/TAXII focus on the essentials and build on existing technologies to accelerate their adoption. Aware of the limitations of its standards, OASIS CTI TC is already working on version 2.1 which introduces three new SDOs: relationship_type8, relationship_type9, and

[
  {
    "type": "sighting",
    "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:08:31.000Z",
    "modified": "2016-04-06T20:08:31.000Z",
    "first_seen": "2015-12-21T19:00:00Z",
    "last_seen": "2015-12-21T19:00:00Z",
    "count": 50,
    "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
    "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
  },
  {
    "type": "observed-data",
    "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
    "created_by_ref": "identity--f431f809-377b-45e0-collectionaa1c-6a4751cae5ff",
    "created": "2016-04-06T19:58:16.000Z",
    "modified": "2016-04-06T19:58:16.000Z",
    "start": "2015-12-21T19:00:00Z",
    "stop": "2016-04-06T19:58:16Z",
    "count": 50,
    "objects": {
      "0": {
        "type": "file",
        ...
      }
    }
  }
]

00. Meanwhile, it remains possible to introduce custom objects and properties.

Which two capabilities does taxii support choose two?

What is Taxii used for?

What is a taxii server?

How widely Stix and Taxii are used?