Structured Threat Information eXpression (STIX) is a standardized language for describing cyber threat information, developed by MITRE and the OASIS Cyber Threat Intelligence (CTI) Technical Committee. It has been adopted as an international standard by various communities and organizations for the exchange of analytical information. The language is intended to be exchanged via TAXII, but it can be used in other ways. STIX is structured so that users can describe the following threat characteristics: motivation; ability; opportunities; response [1].

There are several basic uses for STIX. First, threat analysts use it to analyze cyber threats and threat-related activity. Threat analysts also use STIX to identify patterns that may indicate cyber threats. Any decision maker or operational staff can use STIX data to support cyber threat response actions, including prevention, detection, and response. The last major use of STIX is the exchange of cyber threat information within the organization and with external partners or communities that benefit from this information [2].

STIX is designed to support a number of basic use cases related to cyber threat management. In addition, STIX provides a unifying architecture that ties together a diverse set of cyber threat information, including: cyber observables; indicators; incidents; adversary tactics, techniques and procedures (including attack patterns, malware, exploits, kill chains, tools, infrastructure); exploit targets (for example, vulnerabilities, weaknesses or configurations); courses of action (for example, incident response or vulnerability/weakness remedies or mitigations); cyber attack campaigns; cyber threat actors [3].
STIX provides a general mechanism for accessing structured cyber threat information across this range of use cases, improving consistency, efficiency, compatibility, and overall situational awareness.
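
To make the link between indicators, threats and courses of action concrete, here is an added example (not from the original text or from the STIX project). It assumes the JSON serialization of STIX 2.1, which the text above does not specify; every object name, id and the domain are constructed, and `sdo`, `rel` and `detection_view` are hypothetical helper names.

```python
import json

TS = "2024-01-01T00:00:00.000Z"

def sdo(kind, n, **props):
    """Build a constructed STIX 2.1 object with an obviously fake UUID."""
    return {"type": kind, "spec_version": "2.1",
            "id": f"{kind}--00000000-0000-4000-8000-{n:012d}",
            "created": TS, "modified": TS, **props}

def rel(n, kind, src_id, dst_id):
    """Relationship object: the typed link between two other STIX objects."""
    return sdo("relationship", n, relationship_type=kind,
               source_ref=src_id, target_ref=dst_id)

# Constructed sample data: names, ids and the domain are made up.
IND = sdo("indicator", 1, name="Constructed C2 domain", pattern_type="stix",
          pattern="[domain-name:value = 'c2.example.test']", valid_from=TS)
MAL = sdo("malware", 2, name="ExampleLoader", is_family=False)
COA = sdo("course-of-action", 3, name="Block domain at DNS resolver")
MISSING = "malware--00000000-0000-4000-8000-000000000099"  # not in the bundle
BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
          "objects": [IND, MAL, COA,
                      rel(4, "indicates", IND["id"], MAL["id"]),
                      rel(5, "mitigates", COA["id"], MAL["id"]),
                      rel(6, "indicates", IND["id"], MISSING)]}

def detection_view(bundle):
    """Per indicator: its pattern, the threats it indicates, the courses of
    action that mitigate those threats, and any references that do not resolve."""
    objs = {o["id"]: o for o in bundle["objects"]}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    view = []
    for ind in (o for o in bundle["objects"] if o["type"] == "indicator"):
        targets = [r["target_ref"] for r in rels
                   if r["relationship_type"] == "indicates"
                   and r["source_ref"] == ind["id"]]
        known = [t for t in targets if t in objs]
        responses = sorted({objs[r["source_ref"]].get("name", r["source_ref"])
                            for r in rels
                            if r["relationship_type"] == "mitigates"
                            and r["target_ref"] in known and r["source_ref"] in objs})
        view.append({"pattern": ind["pattern"],
                     "indicates": [objs[t].get("name", t) for t in known],
                     "responses": responses,
                     "dangling": [t for t in targets if t not in objs]})
    return view

if __name__ == "__main__":
    print(json.dumps(detection_view(BUNDLE), indent=2))
```

The `dangling` field matters when consuming shared bundles: a relationship may point at an object the sender did not include, and a consumer should report that rather than fail or silently drop the link.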