RedSheep Security
Intermediate — Lesson 20 of 12

CTI Sharing & Standards

11 min read

Threat intelligence is exponentially more valuable when shared. A single organization sees only the attacks that target it; sharing intelligence across organizations creates collective visibility into adversary operations. However, effective sharing requires common languages, transport mechanisms, and trust frameworks. This lesson covers the major standards, platforms, and protocols that enable structured CTI sharing, along with the organizational and legal considerations that govern it.

Learning Objectives

  • Understand the STIX 2.1 data model, including core STIX Domain Objects (SDOs) and STIX Relationship Objects (SROs)
  • Explain how TAXII works as a transport protocol for STIX data
  • Describe MISP's role as a sharing platform and its relationship to other standards
  • Apply the Traffic Light Protocol (TLP) correctly to classify intelligence for sharing
  • Navigate the organizational structures (ISACs, ISAOs) and legal considerations involved in CTI sharing

Why Sharing Matters

No organization has complete visibility into the threat landscape. Adversaries reuse infrastructure, malware, and TTPs across victims. When one organization detects an attack and shares the indicators and behavioral details, every organization that receives that intelligence can defend proactively rather than reactively.

The asymmetry in cybersecurity favors the attacker — they need to find one way in, while defenders must protect everything. Sharing intelligence tilts this balance by making each organization's detection a collective defense asset. When a financial institution shares the C2 domains from a phishing campaign, hospitals, government agencies, and technology companies can block those domains before they are targeted.

STIX: Structured Threat Information eXpression

STIX is the dominant standard for representing cyber threat intelligence in a structured, machine-readable format. Developed originally by MITRE and now maintained by the OASIS Cyber Threat Intelligence Technical Committee, STIX 2.1 is the current version.

STIX defines a JSON-based language for expressing cyber threat intelligence. It provides a standardized taxonomy of objects (things you describe) and relationships (how those things connect), enabling automated processing and consistent interpretation across organizations and tools.

STIX Domain Objects (SDOs)

SDOs represent the core intelligence concepts. STIX 2.1 defines 18 SDO types. The most commonly used in CTI sharing include:

SDO Type | Description | Example
--- | --- | ---
Attack Pattern | A TTP describing how an adversary operates | Spearphishing Attachment (maps to ATT&CK T1566.001)
Campaign | A set of related malicious activities over a time period | Operation Aurora
Course of Action | An action to prevent or respond to an attack | Block traffic to known C2 IPs
Identity | An individual, organization, or group | A targeted company or sector
Indicator | A pattern used to detect suspicious activity | A STIX pattern matching a malicious file hash
Infrastructure | Systems and services used by threat actors | C2 servers, bulletproof hosting
Intrusion Set | A grouped set of adversary behaviors | APT29's operational pattern
Location | A geographic location | Country or region of targeting/origin
Malware | A type of malicious software | SUNBURST backdoor
Malware Analysis | Results of analyzing a malware instance | Sandbox report findings
Note | Additional context for other objects | Analyst commentary on a report
Observed Data | Raw observed cyber data | Network traffic logs, file observations
Opinion | An analyst's assessment of another object | Agreement/disagreement with a report
Report | A collection of intelligence on a topic | A published threat report
Threat Actor | An individual or group operating with malicious intent | APT29 / Cozy Bear
Tool | Legitimate software used by threat actors | Cobalt Strike, Mimikatz
Vulnerability | A software weakness | CVE-2021-44228 (Log4Shell)
Grouping | An informal collection of STIX objects | A set of related indicators for analyst review

STIX Relationship Objects (SROs)

SROs connect SDOs to each other. STIX 2.1 defines two SRO types:

Relationship: Explicitly links two SDOs with a named relationship type. Common relationships include:

  • Threat Actor uses Malware
  • Malware targets Vulnerability
  • Campaign attributed-to Threat Actor
  • Indicator indicates Malware
  • Course of Action mitigates Attack Pattern

Sighting: Records an instance of an SDO being observed. For example, a Sighting records that an Indicator was seen in your environment, including when, where, and how many times. Sightings are critical for operational sharing — they communicate not just "this indicator exists" but "this indicator was seen in our network on this date."
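As an added example (not code from the lesson), here is a minimal STIX 2.1 bundle built with only the Python standard library: an Indicator that 'indicates' a Malware object, a Sighting of that Indicator, and a check that every identifier is well-formed and every *_ref resolves inside the bundle. The object names, the address and the counts are constructed.

```python
import re, uuid
from datetime import datetime, timezone

# Constructed sample (not from the lesson): a minimal STIX 2.1 bundle in which an Indicator
# 'indicates' a Malware object and a Sighting records where the Indicator was seen.
ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def new_id(obj_type):
    return f"{obj_type}--{uuid.uuid4()}"

def sdo(obj_type, **props):
    """Common properties every SDO/SRO carries in STIX 2.1, plus the type-specific ones."""
    now = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    return {"type": obj_type, "spec_version": "2.1", "id": new_id(obj_type),
            "created": now, "modified": now, **props}

MALWARE = sdo("malware", name="ExampleLoader", is_family=False, malware_types=["downloader"])
INDICATOR = sdo("indicator", name="ExampleLoader C2 address", pattern_type="stix",
                valid_from=MALWARE["created"],
                pattern="[network-traffic:dst_ref.type = 'ipv4-addr' AND "
                        "network-traffic:dst_ref.value = '203.0.113.50']")
REL = sdo("relationship", relationship_type="indicates",
          source_ref=INDICATOR["id"], target_ref=MALWARE["id"])
SIGHTING = sdo("sighting", sighting_of_ref=INDICATOR["id"], count=3,
               first_seen=MALWARE["created"], last_seen=MALWARE["created"])
BUNDLE = {"type": "bundle", "id": new_id("bundle"), "objects": [MALWARE, INDICATOR, REL, SIGHTING]}

def check_bundle(bundle):
    """List problems: malformed ids, ids whose prefix does not match the type, missing
    common properties, and *_ref / *_refs values that point outside the bundle."""
    problems, ids = [], {o["id"] for o in bundle["objects"]}
    for o in bundle["objects"]:
        if not ID_RE.match(o["id"]) or not o["id"].startswith(o["type"] + "--"):
            problems.append(f"bad id {o['id']}")
        problems += [f"{o['id']} missing {k}" for k in ("spec_version", "created", "modified")
                     if k not in o]
        for key, val in o.items():
            refs = val if key.endswith("_refs") else [val] if key.endswith("_ref") else []
            problems += [f"{o['id']}.{key} dangles: {r}" for r in refs if r not in ids]
    return problems

def indicated_by(bundle, indicator_id):
    """Follow 'indicates' Relationships from an Indicator to the names of their targets."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    return [by_id[o["target_ref"]]["name"] for o in bundle["objects"]
            if o["type"] == "relationship" and o["relationship_type"] == "indicates"
            and o["source_ref"] == indicator_id]
```

A Relationship shipped without the objects it references is the most common defect seen on inbound feeds; the dangling-reference check catches it before the objects reach a TIP.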

STIX Patterns

STIX Indicators contain patterns written in the STIX Patterning Language, a domain-specific language for describing observable patterns:

[file:hashes.'SHA-256' = 'abc123...']
[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.0.113.50']
[email-message:from_ref.value = 'attacker@malicious.example.com']

These patterns are designed to be unambiguous and machine-parseable, enabling automated detection rule generation from shared intelligence.
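An added example (not part of the lesson) of the "automated detection" step: an evaluator for the comparison-only subset of the STIX Patterning Language that the three patterns above use, run against constructed observations. Anything beyond `=` joined by `AND` is rejected rather than silently ignored.

```python
import re

# Constructed sample observations (not from the lesson), modelled as STIX 2.1 Cyber
# Observable objects keyed by id; *_ref properties point at other objects by id.
OBSERVED = {
    "file--1": {"type": "file", "name": "invoice.exe", "hashes": {"SHA-256": "abc123"}},
    "ipv4-addr--1": {"type": "ipv4-addr", "value": "203.0.113.50"},
    "network-traffic--1": {"type": "network-traffic", "dst_ref": "ipv4-addr--1", "dst_port": 443},
}

# Subset handled: one observation expression "[ comp AND comp ... ]" in which every
# comparison is  object-type:property.path = 'literal'.  OR, FOLLOWEDBY, MATCHES, LIKE,
# set operators and qualifiers such as WITHIN are part of the language but not handled here.
COMP_RE = re.compile(r"^([a-z0-9-]+):([A-Za-z0-9_.'\-]+)\s*=\s*'([^']*)'$")

def parse_pattern(pattern):
    """Return [(object type, property path, literal), ...] for the supported subset."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected a single bracketed observation expression")
    comps = []
    for part in body[1:-1].split(" AND "):
        m = COMP_RE.match(part.strip())
        if not m:
            raise ValueError(f"unsupported comparison: {part!r}")
        comps.append(m.groups())
    return comps

def resolve(obj, path, objects):
    """Walk a dotted property path; a *_ref step jumps to the referenced object and
    quoted dictionary keys such as hashes.'SHA-256' are unquoted."""
    for step in path.split("."):
        key = step.strip("'")
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = objects.get(obj[key]) if key.endswith("_ref") else obj[key]
    return obj

def matches(pattern, objects):
    """True if one object of the named type satisfies every comparison: the comparisons
    of a single observation expression must all hold on the same object."""
    comps = parse_pattern(pattern)
    types = {c[0] for c in comps}
    if len(types) != 1:
        raise ValueError("subset supports one object type per observation expression")
    obj_type = types.pop()
    return any(all(str(resolve(o, path, objects)) == lit for _, path, lit in comps)
               for o in objects.values() if o["type"] == obj_type)
```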

TAXII: Trusted Automated eXchange of Indicator Information

TAXII is an application-layer protocol for exchanging cyber threat intelligence over HTTPS. It defines how CTI data (typically STIX) is transported between systems, using a client-server model with defined API endpoints.

TAXII is not a data format — it is a transport mechanism. STIX defines what you share; TAXII defines how you move it.

TAXII 2.1 Architecture

TAXII uses two primary services:

  • Collections: Server-hosted repositories of CTI objects. Clients can discover available collections, retrieve objects from them, and (if authorized) add objects to them. Collections can be read-only (intelligence feeds) or read-write (community sharing).
  • Channels: A publish-subscribe mechanism where producers push data to subscribers. This supports real-time or near-real-time intelligence dissemination.

A typical TAXII workflow:

  1. A consumer discovers available collections on a TAXII server
  2. The consumer polls a collection for new STIX objects (or receives push notifications via channels)
  3. The consumer's TIP ingests the STIX objects for analysis, correlation, and operationalization
  4. Optionally, the consumer contributes intelligence back to the collection
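The discovery, collection listing and paged object retrieval of steps 1 and 2, as an added example with an in-memory stand-in for the server (not CISA's or any vendor's endpoint; the hostname, collection id and object ids are constructed). It shows the versioned Accept header, the added_after filter, and following more/next while keeping the X-TAXII-Date-Added-Last checkpoint for the next poll.

```python
from urllib.parse import urlsplit, parse_qs

ACCEPT = "application/taxii+json;version=2.1"   # versioned media type TAXII 2.1 requires

# Constructed in-memory stand-in for a TAXII 2.1 server (not a real endpoint): a discovery
# document, one API root with one readable collection, and that collection's objects.
OBJECTS = [  # (date added, STIX object); the ids are placeholders, not real UUIDs
    ("2024-01-01T00:00:00.000Z", {"type": "indicator", "id": "indicator--PLACEHOLDER-1"}),
    ("2024-01-02T00:00:00.000Z", {"type": "indicator", "id": "indicator--PLACEHOLDER-2"}),
    ("2024-01-03T00:00:00.000Z", {"type": "malware", "id": "malware--PLACEHOLDER-3"}),
]
PAGE = 2  # server-chosen page size, so the consumer has to follow 'more'/'next'

def fake_server(url, headers):
    """Answer the three endpoints a consumer touches; returns (JSON body, response headers)."""
    assert headers.get("Accept") == ACCEPT, "missing TAXII 2.1 Accept header"
    u, q = urlsplit(url), parse_qs(urlsplit(url).query)
    if u.path == "/taxii2/":                       # 1. discovery
        return {"title": "Example TAXII", "api_roots": ["https://taxii.example/root1/"]}, {}
    if u.path == "/root1/collections/":            # collections under the api root
        return {"collections": [{"id": "col-1", "title": "IOC feed",
                                 "can_read": True, "can_write": False}]}, {}
    if u.path == "/root1/collections/col-1/objects/":   # 2. objects, filtered and paged
        after, start = q.get("added_after", [""])[0], int(q.get("next", ["0"])[0])
        rows = [r for r in OBJECTS if r[0] > after]      # added_after is exclusive
        page, more = rows[start:start + PAGE], start + PAGE < len(rows)
        body = {"objects": [o for _, o in page], "more": more,
                **({"next": str(start + PAGE)} if more else {})}
        return body, ({"X-TAXII-Date-Added-Last": page[-1][0]} if page else {})
    raise ValueError(f"unknown endpoint {url}")

def poll(fetch, base, added_after=""):
    """Discover api roots and readable collections, then page through every object
    added after the checkpoint. Returns (objects, checkpoint to use on the next poll)."""
    headers, got, last = {"Accept": ACCEPT}, [], added_after
    disc, _ = fetch(base + "/taxii2/", headers)
    for root in disc["api_roots"]:
        cols, _ = fetch(root + "collections/", headers)
        for col in (c for c in cols["collections"] if c["can_read"]):
            nxt = None
            while True:
                url = (f"{root}collections/{col['id']}/objects/?added_after={added_after}"
                       + (f"&next={nxt}" if nxt else ""))
                body, resp = fetch(url, headers)
                got += body["objects"]
                last = max(last, resp.get("X-TAXII-Date-Added-Last", last))
                nxt = body.get("next") if body.get("more") else None
                if not nxt:
                    break
    return got, last
```

Against a real server, replace fake_server with an HTTPS call that sends the same Accept header and the client credentials the operator issued; persisting the returned checkpoint is what keeps repeated polls from re-downloading the whole collection.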

TAXII servers are operated by ISACs, commercial threat intelligence providers, government programs (such as CISA's Automated Indicator Sharing, AIS), and individual organizations sharing with trusted partners.

MISP: Malware Information Sharing Platform

MISP is an open-source threat intelligence platform designed for sharing, storing, and correlating IOCs and threat intelligence. Originally developed by the Computer Incident Response Center Luxembourg (CIRCL), MISP has become one of the most widely deployed sharing platforms globally.

Key MISP Capabilities

  • Event-based sharing: Intelligence is organized into events, each containing attributes (indicators), objects (structured groupings of attributes), and galaxies (high-level threat context like ATT&CK mappings)
  • Correlation engine: MISP automatically correlates attributes across events, helping analysts discover connections between seemingly unrelated incidents
  • Taxonomies and tagging: Standardized classification systems including TLP, threat level, and custom organizational tags
  • Feeds: MISP can ingest and serve threat intelligence feeds in multiple formats, including STIX and its own native format
  • Sharing groups: Fine-grained control over who can see what intelligence, enabling sharing within trust communities
  • STIX and TAXII support: MISP can import and export STIX, and can serve as a TAXII server, bridging its native format with the broader ecosystem

OpenIOC

OpenIOC (Open Indicators of Compromise), developed by Mandiant, is an XML-based format for describing technical indicators. While less comprehensive than STIX (it focuses on host-based indicators rather than the full intelligence context), OpenIOC remains relevant because it integrates with Mandiant's widely-used tools and many organizations have existing OpenIOC libraries. Its strength is in describing complex host-based artifact combinations — for example, matching a specific file hash AND a specific registry key AND a specific service name.

Traffic Light Protocol (TLP)

The Traffic Light Protocol is a standardized system for classifying intelligence to indicate sharing boundaries. Maintained by FIRST.org (Forum of Incident Response and Security Teams), TLP uses color-coded designations to communicate how broadly information may be distributed.

TLP Designations (per FIRST.org TLP v2.0)

Designation | Sharing Scope | Use Case
--- | --- | ---
TLP:RED | Named recipients only. No further sharing. | Sensitive source information, ongoing operations, or information that could cause significant harm if shared beyond the immediate conversation
TLP:AMBER+STRICT | Organization only. No sharing outside the recipient's organization. | Intelligence containing details that could identify sources or methods, restricted to the receiving organization's need-to-know
TLP:AMBER | Organization and its clients. Limited sharing on a need-to-know basis within the recipient's organization and its clients/customers. | Actionable intelligence that requires organizational context to apply, shareable with those who need it to act
TLP:GREEN | Community sharing. May be shared within the recipient's community but not publicly. | Useful intelligence for awareness within a sector or sharing community, but not appropriate for unrestricted public release
TLP:CLEAR | No restrictions. May be shared publicly. | Intelligence intended for broad consumption, such as general advisories, published IOCs, or public awareness content

Applying TLP Correctly

Common mistakes in TLP usage:

  • Over-classifying: Marking everything TLP:AMBER or TLP:RED reduces the pool of shared intelligence and makes it harder for partners to act
  • Under-classifying: Sharing source-sensitive information as TLP:GREEN can compromise collection capabilities
  • Ignoring TLP on received intelligence: Forwarding TLP:AMBER intelligence to public mailing lists violates the sharing agreement and erodes trust
  • Not marking at all: Unmarked intelligence creates ambiguity about sharing permissions; always apply a TLP designation
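An added example (not from the lesson) of enforcing these four points when redistributing a MISP-style event: attribute-level TLP tags override the event tag as they do in MISP, the most restrictive tag wins when several are present, unmarked data is withheld, and whatever is dropped is reported so the analyst sees it rather than leaking it. The event, its tags and its values are constructed; the audience names follow the table above.

```python
# TLP v2.0 labels as MISP-style tlp taxonomy tags, least to most restrictive.
TLP_ORDER = ["tlp:clear", "tlp:green", "tlp:amber", "tlp:amber+strict", "tlp:red"]
# Sharing destinations from narrowest to widest, and the widest one each label permits.
AUDIENCE_ORDER = ["named-recipients", "organization", "clients", "community", "public"]
WIDEST = {"tlp:red": "named-recipients", "tlp:amber+strict": "organization",
          "tlp:amber": "clients", "tlp:green": "community", "tlp:clear": "public"}

def tlp_tag(tags):
    """Return the governing TLP tag from a tag list, or None when the item is unmarked.
    If several TLP tags are present, the most restrictive one wins."""
    found = [t.lower() for t in tags if t.lower() in WIDEST]
    return max(found, key=TLP_ORDER.index) if found else None

def may_share(tag, audience):
    """Unmarked intelligence is not forwarded: the ambiguity is resolved by asking the
    producer for a designation, not by guessing one."""
    if tag is None:
        return False
    return AUDIENCE_ORDER.index(audience) <= AUDIENCE_ORDER.index(WIDEST[tag])

def release_event(event, audience):
    """Split a MISP-style event into attributes that may go to `audience` and those that
    must be withheld. Attribute-level TLP tags override the event-level tag, as in MISP."""
    event_tlp = tlp_tag(event.get("tags", []))
    kept, dropped = [], []
    for attr in event["attributes"]:
        tlp = tlp_tag(attr.get("tags", [])) or event_tlp
        (kept if may_share(tlp, audience) else dropped).append(attr["value"])
    return {"kept": kept, "dropped": dropped}

# Constructed sample event (not from the lesson): marked TLP:GREEN overall, with one
# attribute re-marked TLP:AMBER because it would reveal how the source obtained it.
EVENT = {"tags": ["tlp:green"], "attributes": [
    {"type": "domain", "value": "c2.example.test"},
    {"type": "ip-dst", "value": "203.0.113.50"},
    {"type": "sha256", "value": "<constructed-hash>", "tags": ["tlp:amber"]},
    {"type": "email-src", "value": "lure@example.test", "tags": []},
]}
```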

ISACs and ISAOs

Information Sharing and Analysis Centers (ISACs) are sector-specific organizations that facilitate CTI sharing among members. Established following Presidential Decision Directive 63 (1998), ISACs operate in critical infrastructure sectors:

  • Financial Services ISAC (FS-ISAC)
  • Health ISAC (H-ISAC)
  • Multi-State ISAC (MS-ISAC) for state and local government
  • Aviation ISAC (A-ISAC)
  • Electricity ISAC (E-ISAC)
  • Defense Industrial Base (DIB) sharing programs (through DC3/DCISE)

Information Sharing and Analysis Organizations (ISAOs) are more flexible, cross-sector sharing communities. Executive Order 13691 (2015) encouraged the formation of ISAOs to expand sharing beyond the ISAC model, allowing organizations to form sharing communities around common interests rather than strict sector boundaries.

Trust Groups

Effective sharing requires trust. Trust groups are formed through:

  • Formal membership: ISACs with vetted membership, NDAs, and operating agreements
  • Bilateral agreements: Direct sharing relationships between two organizations
  • Community of interest: Groups formed around shared threats (e.g., organizations targeted by the same threat actor)
  • Government programs: Programs like CISA's AIS (Automated Indicator Sharing) provide government-to-private sharing

Trust is built over time through consistent, valuable sharing and responsible handling of received intelligence. A single TLP violation can destroy years of trust-building.

Legal Considerations in Sharing

CTI sharing operates within a legal framework that analysts must understand:

  • Cybersecurity Information Sharing Act (CISA, 2015): Provides liability protections for U.S. organizations that share cyber threat indicators and defensive measures in accordance with the Act's requirements, including removal of personally identifiable information (PII)
  • GDPR and privacy regulations: European and other privacy regulations may restrict sharing of indicators that contain personal data (e.g., email addresses, IP addresses of individuals)
  • Classification and export controls: Government-classified or controlled unclassified information (CUI) has specific handling requirements that govern sharing
  • Non-disclosure agreements: Many sharing communities require NDAs that define permitted uses of shared intelligence
  • Antitrust considerations: Sharing among competitors must avoid the appearance of collusion; focus sharing on threat intelligence, not business-sensitive information

Key Takeaways

  • STIX 2.1 provides the standardized language for expressing CTI through domain objects (SDOs), relationship objects (SROs), and the STIX patterning language
  • TAXII is the transport protocol for moving STIX data between systems via collections and channels over HTTPS
  • MISP is a widely deployed open-source platform that bridges multiple sharing formats and provides correlation, tagging, and trust group management
  • TLP designations (CLEAR, GREEN, AMBER, AMBER+STRICT, RED) must be applied consistently and respected by all parties to maintain sharing trust
  • ISACs and ISAOs provide organizational frameworks for sector-specific and cross-sector sharing
  • Legal protections exist for sharing (e.g., CISA 2015) but analysts must be aware of privacy regulations and handling requirements

Practical Exercise

  1. Visit the OASIS STIX 2.1 examples page (or use the STIX 2.1 specification documentation) and examine three example STIX bundles. For each, identify:
    • Which SDO types are used
    • What relationships connect them
    • How indicators are expressed using STIX patterns
  2. Set up a local MISP instance using the MISP project's virtual machine image (available at https://www.misp-project.org/). Create a test event with at least five attributes (mix of IP addresses, domains, and file hashes), tag it with an appropriate TLP designation, and explore the correlation features.
  3. Write a one-page sharing policy for a fictional organization that defines:
    • What types of intelligence will be shared
    • With whom (ISACs, bilateral partners, government)
    • What TLP designations will be used for different categories
    • How received intelligence will be handled and protected
  4. Examine a TAXII server's discovery endpoint (CISA provides a public TAXII server) and list the available collections.

Further Reading