Trusted Automated eXchange of Indicator Information — TAXII™

Enabling Cyber Threat Information Exchange

TAXII defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries. TAXII, through its member specifications, defines concepts, protocols, and message exchanges to exchange cyber threat information for the detection, prevention, and mitigation of cyber threats. TAXII is not a specific information sharing initiative or application and does not attempt to define trust agreements, governance, or other non-technical aspects of cyber threat information sharing. Instead, TAXII empowers organizations to achieve improved situational awareness about emerging threats, and enables organizations to easily share the information they choose with the partners they choose.

TAXII and STIX

TAXII is the preferred method of exchanging information represented using the Structured Threat Information Expression (STIX™) language, enabling organizations to share structured cyber threat information in a secure and automated manner.

TAXII use cases include:
■ Public Alerts or Warnings
■ Private Alerts and Reports
■ Push and Pull Content Dissemination
■ Set-up and Management of Data Sharing Between Parties

Challenge

The gathering and use of detailed cyber intelligence is the best defense against today’s determined cyber adversaries. “Cyber intelligence” — or the collecting, analyzing, and countering of cyber security threat information — starts with gathering information about attacks, such as spear-phishing email headers and content, URLs to malicious links, and malware analysis-derived artifacts like Command and Control (C2) domain names and IP addresses. With a corpus of threat data, skilled cyber analysts can group patterns of similar activity, attribute activity to certain threat actors, quickly identify and implement mitigation strategies, and anticipate the launch of similar attacks in the future. To fully realize the benefits of cyber intelligence, organizations need to share cyber threat data, if not defensive strategies and more, with trusted partners. Current cyber threat information sharing, however, is often either a time-consuming, manual process or a limited-scope automation effort tied to a particular cyber threat information sharing community or technology.

Solution

TAXII fills this void. The TAXII services and message exchanges are designed to enhance interoperability of different cyber security solutions, and vendors are encouraged to incorporate support for TAXII within their cyber security products and services. By supporting TAXII, vendors enhance the value of their solutions by allowing their customers to leverage actionable intelligence from multiple sources.

TAXII’s goal is to help add automation to the processes of existing cyber threat information sharing communities and to help establish new communities of sharing by simplifying the technical aspects of cyber threat information exchange. It is recognized that sharing communities are highly diverse and cannot be reduced to a single sharing model. For this reason, TAXII uses a modular design that can accommodate a wide array of sharing models. Individual services in TAXII are optional for any given implementation, allowing enterprises to include only the services desired for their particular sharing model.

TAXII™ is a U.S. Department of Homeland Security–led effort of the Office of Cybersecurity and Communications. MITRE, operating as DHS’s FFRDC, manages the TAXII website, community engagement, and discussion lists to enable open and public collaboration with all stakeholders.
taxii.mitre.org
Sharing models supported by TAXII include (but are not limited to):

Source-Subscriber

A single entity publishes information out to a group of consumers. This is a common model in commercial environments, where the data source is a vendor and the subscribers purchase access to the vendor’s information. This is also a common model for free alerts from some authoritative source.

Peer-to-Peer

A group of data producers and data consumers establish direct relationships with each other. The group may have a single governing policy, but all sharing exchanges are between individuals.

Hub-and-Spoke

A group of data producers and consumers share information with each other, but instead of sending directly, the information is sent to a central hub, which then handles dissemination to all the other spokes as appropriate. This model can be viewed as being similar to e-mail distribution lists, where a sender provides a message to a mailing-list service, which then forwards the message on to all the members of the list.

Push or Pull Sharing

TAXII supports both push and pull messaging in all models, allowing sharing scenarios where data consumers are automatically provided with new data, or where the consumer can request updates at times of their choosing. Data producers in a TAXII architecture can choose whether data consumers can pull data from the producer, whether data is pushed from the producer, or whether a mixture of the two methods is supported.

Lightweight, Non-Disruptive Design

Existing sharing communities often have established an infrastructure for storing and managing threat information. TAXII is designed to enable the exchange of this information without impacting existing data management infrastructure. TAXII defines network-level messages and services, but does not impose significant requirements on behavior below the network layer. As such, TAXII is intended to be layered on top of existing data management schemes with minimal disruption. For similar reasons, enterprises without existing infrastructure are free to use their own favored data management schemes, confident that such schemes can integrate with TAXII services and messages.

Cyber threat information is frequently sensitive, and organizations may be highly selective as to what information is shared with specific parties. The information that factors into such decisions can vary from organization to organization. Rather than attempting to standardize such behavior, TAXII focuses on ensuring secure transport of the information over the wire and leaves decisions as to what is shared with whom to the back-end infrastructure of the enterprise. TAXII imposes no requirements or limits on sharing decisions and allows organizations to decide what information is visible to individual requesters using their native decision processes.

TAXII leverages existing protocols and specifications wherever possible. The TAXII core services are designed in a fashion that is neutral with regard to network protocols and data formats. TAXII defines bindings to specific network protocols and data formats separately from the core services. Implementers can select the bindings they wish to use or even define their own. Because all bindings share the same understanding of the TAXII services and messages, a party that can only support a very constrained set of protocols or formats can still make use of the services and messages of TAXII, and thus would have a window for receiving threat information from a significantly larger set of sources.

Feedback Requested

TAXII Community members can make contributions to TAXII development and manage issue tracking for the TAXII specifications, schemas, and supporting information by joining the TAXII Community at https://taxii.mitre.org/community/. Members of the cyber security community are invited to participate in this growing community effort.
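The sharing models, the push/pull exchanges and the "visibility decided by the enterprise back end" principle described above can be seen together in one small model. The following is an added illustration written for this handout, not TAXII code or anything from the TAXII specifications: the names Hub, inbox, subscribe, poll and agreements_policy are assumptions chosen for the example, and the collections, party names and indicator strings are constructed sample data. The point it makes is a defensive one: the back-end sharing policy is applied on both the push path and the pull path, so a consumer cannot receive more by switching from subscription to polling than the policy allows.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Item:
    seq: int            # hub-assigned, monotonically increasing; lets pullers ask "since"
    producer: str
    collection: str
    content: str        # constructed sample payload; a real exchange would carry STIX


# The enterprise's own decision process, injected into the hub: (requester, item) -> visible?
# TAXII itself (per the handout) makes no rules here; this callable stands in for the back end.
Policy = Callable[[str, Item], bool]


class Hub:
    """Central party of the hub-and-spoke model (hypothetical class, not a TAXII service).
    With a single producer and many subscribers it behaves as source-subscriber; two
    parties each running their own Hub against the other approximate peer-to-peer."""

    def __init__(self, policy: Policy):
        self._policy = policy
        self._items: list[Item] = []
        # collection -> list of (consumer name, delivery callback) for push
        self._subscribers: dict[str, list[tuple[str, Callable[[Item], None]]]] = {}

    def subscribe(self, collection: str, consumer: str, deliver: Callable[[Item], None]) -> None:
        self._subscribers.setdefault(collection, []).append((consumer, deliver))

    def inbox(self, producer: str, collection: str, content: str) -> Item:
        """Push from a producer into the hub; the hub fans out (push) only to the
        subscribers the back-end policy allows to see this item."""
        item = Item(len(self._items) + 1, producer, collection, content)
        self._items.append(item)
        for consumer, deliver in self._subscribers.get(collection, []):
            if self._policy(consumer, item):
                deliver(item)
        return item

    def poll(self, consumer: str, collection: str, since: int = 0) -> list[Item]:
        """Pull at a time of the consumer's choosing; the same policy gate applies."""
        return [i for i in self._items
                if i.collection == collection and i.seq > since and self._policy(consumer, i)]


def agreements_policy(agreements: dict[str, set[str]]) -> Policy:
    """Back-end policy built from a constructed sharing-agreement table mapping
    collection -> parties entitled to it. A producer's own items are never echoed back."""
    def allowed(requester: str, item: Item) -> bool:
        if requester == item.producer:
            return False
        return requester in agreements.get(item.collection, set())
    return allowed


def demo() -> dict:
    """Run push and pull through the hub and report what each party actually saw."""
    agreements = {
        "public-alerts": {"acme", "bravo", "charlie"},  # open to every member
        "isac-private": {"acme", "bravo"},              # charlie is not a party
    }
    hub = Hub(agreements_policy(agreements))
    pushed: dict[str, list[str]] = {"bravo": [], "charlie": []}
    hub.subscribe("public-alerts", "bravo", lambda i: pushed["bravo"].append(i.content))
    hub.subscribe("public-alerts", "charlie", lambda i: pushed["charlie"].append(i.content))
    hub.subscribe("isac-private", "bravo", lambda i: pushed["bravo"].append(i.content))
    hub.subscribe("isac-private", "charlie", lambda i: pushed["charlie"].append(i.content))

    # constructed sample indicators pushed into the hub (RFC 5737 documentation address)
    hub.inbox("acme", "public-alerts", "indicator: phishing-lure.example domain")
    hub.inbox("acme", "isac-private", "indicator: c2 203.0.113.7")
    last = hub.inbox("bravo", "isac-private", "indicator: malware hash <placeholder>")

    return {
        "pushed": pushed,
        "acme_pull_private": [i.content for i in hub.poll("acme", "isac-private")],
        "charlie_pull_private": [i.content for i in hub.poll("charlie", "isac-private")],
        "bravo_pull_private": [i.seq for i in hub.poll("bravo", "isac-private")],
        "bravo_pull_since": [i.seq for i in hub.poll("bravo", "isac-private", since=2)],
        "last_seq": last.seq,
    }


if __name__ == "__main__":
    for party, seen in demo().items():
        print(party, seen)
```

Running demo() shows charlie receiving only the public alert by push and nothing from the private collection by pull, while bravo receives acme's private item by both paths but never its own. The hub-assigned sequence number is what makes pull cheap for consumers that only connect occasionally: they remember the last seq they saw and ask for everything after it.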

MITRE Learn More – https://taxii.mitre.org
