CS0-003 | Chapter 37 of 100 | Objective 4.3

Threat Intelligence Platforms (TIP) and STIX/TAXII

This chapter covers Threat Intelligence Platforms (TIPs) and the STIX/TAXII standards, which are foundational for structured threat intelligence sharing in modern security operations. For the CS0-003 exam, approximately 8-12% of questions in Domain 4 (Reporting and Communication) touch on threat intelligence concepts, including TIPs, STIX, and TAXII. You will be tested on the purpose, components, and relationships between these technologies, as well as how they enable automated consumption of threat intelligence. Mastering this chapter ensures you can answer scenario-based questions about integrating external threat feeds into a SOC workflow.

25 min read
Intermediate
Updated May 31, 2026

The Intelligence Library and Courier Service

Imagine a global intelligence-sharing consortium where every member agency has its own secure library. When a field agent discovers a new threat—say, a unique fingerprint left by a spy—the agent writes a detailed report using a standardized form called a STIX report. This form has fields for the threat's indicators (e.g., a suspicious phone number), its context (e.g., the spy's alias), and relationships (e.g., which other spies used that number). The agent files the report in the local library. Now, other agencies need to know about this threat. They subscribe to a courier service called TAXII. Each agency's library has a mailroom that can send and receive bundles of reports via TAXII. The courier service works on a push-pull model: some agencies push reports out to all subscribers (like a newsletter), while others pull reports on demand (like requesting a specific file). The reports are encrypted and authenticated so only trusted libraries can read them. When a new report arrives, the receiving library's catalogers parse the STIX fields and update their threat database automatically. The key is that STIX provides the universal language for describing threats, while TAXII provides the secure, standardized transport. Without STIX, each agency would use its own format, causing confusion. Without TAXII, they would have to manually exchange files via email or FTP, risking delays and errors. The CompTIA CySA+ exam expects you to understand that STIX is the language and TAXII is the delivery system—they work together but are separate standards managed by OASIS.

How It Actually Works

What Are Threat Intelligence Platforms (TIPs)?

A Threat Intelligence Platform (TIP) is a centralized system that aggregates, correlates, and analyzes threat data from multiple sources—both internal (e.g., past incident indicators) and external (e.g., commercial feeds, open-source intelligence). The TIP normalizes this data into a common format, enriches it with context (e.g., geolocation, reputation scores), and enables analysts to prioritize threats. For the CS0-003 exam, understand that TIPs are not just aggregators; they provide a single pane of glass for threat intelligence lifecycle management: collection, processing, analysis, and dissemination.

Key functions of a TIP:
- Aggregation: Collects data from various feeds (STIX/TAXII, CSV, APIs).
- Normalization: Converts different formats into a standard schema (often STIX).
- Enrichment: Adds context like WHOIS data, passive DNS, sandbox reports.
- Correlation: Links related indicators (e.g., same IP used in multiple campaigns).
- Sharing: Disseminates intelligence to security tools (SIEM, firewall, EDR) via APIs or feeds.

What Are STIX and TAXII?

STIX (Structured Threat Information Expression) is a standardized language for describing cyber threat intelligence. It uses a JSON-based schema (though XML is also supported) to represent threat information in a machine-readable format. STIX is developed by OASIS (Organization for the Advancement of Structured Information Standards). The current version is STIX 2.1 (as of CS0-003 objectives).

TAXII (Trusted Automated eXchange of Indicator Information) is a protocol for exchanging STIX data over HTTPS. TAXII defines how threat intelligence can be shared via services and collections. Like STIX, it is an OASIS standard. TAXII 2.1 is the current version.

Core components of STIX:
- Indicators: Patterns that represent observable phenomena (e.g., an IP address, a file hash).
- Observables: The actual data points (e.g., "type": "ipv4-addr", "value": "198.51.100.1").
- Sightings: Evidence that an indicator was observed in the wild.
- Campaigns: Sets of malicious activities with a common goal.
- Threat Actors: Individuals or groups behind attacks.
- Attack Patterns: TTPs (Tactics, Techniques, and Procedures), often mapped to MITRE ATT&CK.
- Courses of Action: Remediation steps.
- Relationships: Links between objects (e.g., an indicator is used by a threat actor).

Core components of TAXII:
- API Root: Base URL for a TAXII server (e.g., https://taxii.example.com/api/v2/).
- Collections: Repositories of STIX objects. Each collection has a unique ID.
- Channels: For publish-subscribe patterns (push).
- Status: Endpoints to check the status of a request (e.g., whether a STIX bundle was processed).

How STIX/TAXII Work Internally

STIX Object Structure: Every STIX object has a type field (e.g., indicator, threat-actor), an id (UUID), and created/modified timestamps in ISO 8601 format. Indicators have a pattern field using STIX Pattern Language (e.g., [ipv4-addr:value = '198.51.100.1']). Objects can be bundled in a bundle object for transport.

TAXII Communication: TAXII uses RESTful APIs over HTTPS. Common operations:
- GET /api/v2/collections/ - List available collections.
- GET /api/v2/collections/{id}/objects/ - Retrieve objects from a collection.
- POST /api/v2/collections/{id}/objects/ - Add objects to a collection.
- GET /api/v2/collections/{id}/objects/{object_id}/ - Get a specific object.

TAXII supports two sharing models:
- Pull: A consumer queries the TAXII server for new data (e.g., periodic polling).
- Push: The TAXII server sends data to subscribers via channels (requires a channel endpoint).

Integration with TIP: A TIP typically acts as a TAXII client, pulling from external TAXII servers (e.g., from an ISAC) or pushing to internal tools. The TIP normalizes incoming STIX into its internal database, then can re-export as STIX for other systems.
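The pull model described above, as an added example that is not part of this chapter or any TIP product: a client pages through a collection's objects endpoint with the TAXII 2.1 Accept header, accepts either a 2.1 envelope or a 2.0-style bundle (both carry an "objects" array), de-duplicates by object id and version, and returns the X-TAXII-Date-Added-Last value to persist as the next added_after. The API root, collection UUID and objects are constructed, and fake_get() replaces requests.get() so it runs offline.

```python
"""Simulated TAXII 2.1 pull from one collection (added example, not the page's code).
Assumptions: API root, collection UUID and objects are constructed; fake_get()
stands in for requests.get() so the script runs offline.
"""
import urllib.parse

API_ROOT = "https://taxii.example.com/api/v2/"
COLLECTION_ID = "91a7b528-80eb-42ed-a74d-c6fbd5a26116"   # constructed
HEADERS = {
    "Accept": "application/taxii+json;version=2.1",      # TAXII 2.1 media type
    "Authorization": "Bearer <token>",                   # placeholder credential
}

# Constructed server contents: (date added to the collection, STIX 2.1 object).
SERVER_OBJECTS = [
    ("2024-01-15T12:00:00Z", {"type": "indicator", "spec_version": "2.1",
      "id": "indicator--2f8a6b1e-0c9d-4e3a-9f4b-1a2b3c4d5e6f",
      "created": "2024-01-15T12:00:00Z", "modified": "2024-01-15T12:00:00Z",
      "pattern": "[ipv4-addr:value = '198.51.100.1']", "pattern_type": "stix",
      "valid_from": "2024-01-15T12:00:00Z"}),
    ("2024-01-16T08:30:00Z", {"type": "indicator", "spec_version": "2.1",
      "id": "indicator--7c1d2e3f-4a5b-4c6d-8e7f-0a1b2c3d4e5f",
      "created": "2024-01-16T08:30:00Z", "modified": "2024-01-16T08:30:00Z",
      "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
      "pattern_type": "stix", "valid_from": "2024-01-16T08:30:00Z"}),
    ("2024-01-16T09:00:00Z", {"type": "threat-actor", "spec_version": "2.1",
      "id": "threat-actor--9d8c7b6a-5f4e-4d3c-8b2a-1f0e9d8c7b6a",
      "created": "2024-01-16T09:00:00Z", "modified": "2024-01-16T09:00:00Z",
      "name": "Constructed Actor"}),
]

def fake_get(url, headers):
    """Stand-in for requests.get(): honours added_after, returns one object per page."""
    if headers.get("Accept") != "application/taxii+json;version=2.1":
        raise ValueError("406 Not Acceptable: missing TAXII 2.1 Accept header")
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    after = q.get("added_after", ["1970-01-01T00:00:00Z"])[0]
    start = int(q.get("next", ["0"])[0])
    rows = [(t, o) for t, o in SERVER_OBJECTS if t > after]   # added_after is exclusive
    page = rows[start:start + 1]
    body = {"more": start + 1 < len(rows), "objects": [o for _, o in page]}
    if body["more"]:
        body["next"] = str(start + 1)
    resp_headers = {"X-TAXII-Date-Added-Last": page[-1][0]} if page else {}
    return body, resp_headers

def pull_collection(get, last_poll):
    """Page through the objects endpoint; return (new objects, timestamp to store).
    Persisting that timestamp and sending it as the next added_after is what keeps
    a re-poll from ingesting the same objects again."""
    base = f"{API_ROOT}collections/{COLLECTION_ID}/objects/"
    params, seen, new_objects, newest = {"added_after": last_poll}, set(), [], last_poll
    while True:
        body, resp_headers = get(base + "?" + urllib.parse.urlencode(params), HEADERS)
        for obj in body.get("objects", []):          # envelope or bundle: both use "objects"
            key = (obj["id"], obj.get("modified", obj.get("created")))
            if key not in seen:                      # dedupe by id + version
                seen.add(key)
                new_objects.append(obj)
        newest = max(newest, resp_headers.get("X-TAXII-Date-Added-Last", newest))
        if not body.get("more"):
            return new_objects, newest
        params["next"] = body["next"]

def indicator_patterns(objects):
    """Return {indicator id: pattern} for STIX-pattern indicators only."""
    return {o["id"]: o["pattern"] for o in objects
            if o["type"] == "indicator" and o.get("pattern_type", "stix") == "stix"}

if __name__ == "__main__":
    objs, checkpoint = pull_collection(fake_get, "2024-01-01T00:00:00Z")
    print(len(objs), "new objects; store", checkpoint, "as the next added_after")
    print(indicator_patterns(objs))
    print(len(pull_collection(fake_get, checkpoint)[0]), "objects on re-poll")
```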

Key Defaults and Values

STIX uses UUIDv4 for object IDs.

Timestamps must be in UTC with Z suffix (e.g., 2024-01-15T12:00:00Z).

Indicator patterns use square brackets and colon-separated fields (e.g., [file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']).

TAXII API root path typically ends with /api/v2/.

Default port for TAXII is 443 (HTTPS).

Authentication can be via API keys, OAuth2, or mutual TLS.
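The pattern syntax above turned into detection logic, as an added example that is not part of this chapter: it parses simple [obj-type:property = 'value'] comparisons (with AND or OR inside one bracket pair), matches them against constructed events, and records each hit as a STIX 2.1 sighting with a UUIDv4 id and Z-suffixed UTC timestamps. INDICATORS, EVENTS and the helper names are assumptions.

```python
"""Match simple STIX indicator patterns against observed events and emit STIX 2.1
sighting objects (added example, not the page's code). Indicators and events are
constructed; real events would come from proxy, DNS or EDR telemetry."""
import re
import uuid

COMPARISON = re.compile(r"([\w-]+):([\w.]+)\s*=\s*'([^']*)'")

def parse_pattern(pattern):
    """Return ('AND'|'OR', [(obj_type, property, value), ...]) or raise ValueError."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError(f"unsupported pattern: {pattern}")
    body = body[1:-1]
    has_or, has_and = " OR " in body, " AND " in body
    if has_or and has_and:
        raise ValueError(f"mixed AND/OR not supported here: {pattern}")
    comps = [m.groups() for m in COMPARISON.finditer(body)]
    if not comps:
        raise ValueError(f"no comparison found in: {pattern}")
    return ("OR" if has_or else "AND"), comps

def matches(pattern, event):
    """event maps 'obj-type:property' keys to observed values."""
    op, comps = parse_pattern(pattern)
    hits = [event.get(f"{t}:{p}") == v for t, p, v in comps]
    return any(hits) if op == "OR" else all(hits)

def make_sighting(indicator_id, observed_at):
    """STIX 2.1 sighting: UUIDv4 id, UTC 'Z' timestamps, reference back to the indicator."""
    return {"type": "sighting", "spec_version": "2.1",
            "id": f"sighting--{uuid.uuid4()}",
            "created": observed_at, "modified": observed_at,
            "sighting_of_ref": indicator_id,
            "first_seen": observed_at, "last_seen": observed_at, "count": 1}

def find_sightings(indicators, events):
    """indicators: {id: pattern}; events: [(ISO 8601 UTC timestamp, event dict)]."""
    return [make_sighting(ind_id, ts)
            for ind_id, pattern in indicators.items()
            for ts, event in events if matches(pattern, event)]

def is_valid_stix_id(stix_id, expected_type):
    """Check the '<type>--<uuid>' form and that the UUID is version 4."""
    prefix, sep, tail = stix_id.partition("--")
    try:
        return sep == "--" and prefix == expected_type and uuid.UUID(tail).version == 4
    except ValueError:
        return False

# Constructed inputs.
INDICATORS = {
    "indicator--2f8a6b1e-0c9d-4e3a-9f4b-1a2b3c4d5e6f": "[ipv4-addr:value = '198.51.100.1']",
    "indicator--7c1d2e3f-4a5b-4c6d-8e7f-0a1b2c3d4e5f":
        "[file:name = 'update.exe' AND file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
}
EVENTS = [
    ("2024-02-01T10:15:00Z", {"ipv4-addr:value": "198.51.100.1"}),       # proxy log hit
    ("2024-02-01T10:16:00Z", {"ipv4-addr:value": "203.0.113.9"}),        # benign
    ("2024-02-01T11:00:00Z", {"file:name": "update.exe",                 # EDR file event hit
                              "file:hashes.MD5": "d41d8cd98f00b204e9800998ecf8427e"}),
    ("2024-02-01T11:05:00Z", {"file:name": "update.exe",                 # name only: no hit
                              "file:hashes.MD5": "ffffffffffffffffffffffffffffffff"}),
]

if __name__ == "__main__":
    for s in find_sightings(INDICATORS, EVENTS):
        print(s["sighting_of_ref"], "sighted at", s["first_seen"])
```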

Configuration and Verification Commands

While TIPs and TAXII are not typically configured via command line, a security engineer might use curl to test a TAXII endpoint:

# List collections on a TAXII server
# (a TAXII 2.1 client must send the taxii+json Accept header or the server may answer 406)
curl -H "Accept: application/taxii+json;version=2.1" -H "Authorization: Bearer <token>" https://taxii.example.com/api/v2/collections/

# Get objects from a specific collection
curl -H "Accept: application/taxii+json;version=2.1" -H "Authorization: Bearer <token>" https://taxii.example.com/api/v2/collections/{id}/objects/

# Poll for new indicators since a timestamp (quote the URL so the shell does not interpret the query string)
curl -H "Accept: application/taxii+json;version=2.1" -H "Authorization: Bearer <token>" "https://taxii.example.com/api/v2/collections/{id}/objects/?added_after=2024-01-01T00:00:00Z"

In a TIP, you might configure a feed source with:

URL: TAXII API root

Collection ID: target collection

Authentication: API key or certificate

Poll interval: e.g., 15 minutes

Interaction with Related Technologies

SIEM: TIPs feed indicators to SIEMs via STIX or API, enabling correlation of logs with threat intelligence.

Firewall/IPS: TIPs can push indicators (e.g., malicious IPs) to network devices via APIs or STIX-to-PaloAlto converters.

EDR: Endpoint detection tools consume STIX indicators to block file hashes or processes.

MITRE ATT&CK: STIX attack patterns often map to ATT&CK techniques (e.g., attack-pattern--...).

ISACs: Information Sharing and Analysis Centers (e.g., FS-ISAC) commonly use STIX/TAXII to share intelligence among members.

Exam-Relevant Details

STIX and TAXII are separate standards; STIX defines the data format, TAXII defines the transport.

STIX uses a domain model with objects and relationships.

TAXII is built on RESTful APIs over HTTPS.

The OASIS Cyber Threat Intelligence (CTI) TC maintains both standards.

STIX 2.1 introduced new object types like grouping and infrastructure.

TAXII 2.1 is backward-compatible with 2.0.

Common exam scenario: An organization wants to automate sharing of IOCs with partners. The solution is to implement STIX/TAXII.

Trap: Confusing STIX with TAXII—e.g., choosing a TAXII solution when the question is about data format.

For the exam, remember that TIPs often act as both consumers and producers of STIX/TAXII, and they are central to a structured threat intelligence program.

Walk-Through

1. Identify Intelligence Requirements

Before any platform is deployed, the SOC team defines what intelligence they need—e.g., IPs of known C2 servers, hashes of ransomware samples, or phishing domains. This step aligns with the CS0-003 objective of understanding threat intelligence sources and requirements. In a TIP, these requirements are configured as collection criteria or feed filters. For example, the team may subscribe only to collections tagged 'high confidence' or 'critical infrastructure'.

2. Configure TIP and TAXII Sources

The TIP is set up with connections to external TAXII servers. Each source requires the API root URL, collection ID(s), and authentication credentials (API key or certificate). The TIP may also be configured to pull at regular intervals (e.g., every 10 minutes). On the exam, know that TAXII uses HTTPS and that collections are the primary containers for STIX objects.

3. Ingest STIX Objects via TAXII

The TIP sends a GET request to the TAXII server's objects endpoint, optionally with filters like `added_after` to get only new data. The server responds with a STIX bundle (JSON). The TIP parses the bundle, extracting each object (indicators, threat actors, etc.) and storing them in its internal database. This step demonstrates the TAXII pull model.

4. Normalize and Enrich Intelligence

The TIP normalizes the ingested STIX objects into its own schema, then enriches them with additional context. For example, an IP indicator might be enriched with geolocation, ASN, and reputation score from a third-party service. The enriched data is stored and linked to related objects (e.g., the IP belongs to a campaign). This step is critical for the CS0-003 exam as it highlights the value of a TIP beyond simple aggregation.

5. Disseminate to Security Tools

The TIP exports indicators to downstream tools (SIEM, firewall, EDR) via APIs or STIX bundles. For instance, it might push a list of malicious hashes to the EDR via a custom integration. The TIP can also act as a TAXII server itself, allowing other systems to pull intelligence. This step ties into the 'Reporting and Communication' domain, as it involves automated sharing of threat data.

What This Looks Like on the Job

Enterprise Scenario 1: Financial ISAC Threat Sharing

A large bank is a member of the Financial Services Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC operates a TAXII server that shares indicators of compromise (IOCs) related to financial malware. The bank deploys a commercial TIP (e.g., Anomali ThreatStream) to subscribe to the FS-ISAC TAXII feed. The TIP is configured with the FS-ISAC TAXII API root and collection ID, using an API key for authentication. Every 5 minutes, the TIP pulls new STIX objects. The TIP enriches each IP indicator with internal risk scoring and then pushes high-confidence IOCs to the bank's SIEM (Splunk) via a syslog-like integration. This setup automates the ingestion of threat intelligence, reducing manual analysis time. A common pitfall is misconfiguring the added_after filter, causing duplicate ingestion; the solution is to store the last successful poll timestamp in the TIP.

Enterprise Scenario 2: Government SOC with Multisource Integration

A national CSIRT (Computer Security Incident Response Team) operates a TIP that aggregates feeds from multiple sources: open-source feeds (e.g., AlienVault OTX via TAXII), commercial feeds (e.g., Recorded Future via API), and internal incident data. The TIP normalizes all data into STIX 2.1 objects. Analysts use the TIP's dashboard to search for indicators related to specific threat actors. The TIP also publishes a curated feed back to partner agencies via its own TAXII server. Performance considerations: the TIP must handle millions of indicators; indexing and deduplication are critical. A misconfiguration example: setting the TAXII push channel to broadcast all indicators without filtering, overwhelming partner systems. The solution is to use collections with specific access controls and filtering rules.

Scenario 3: MSSP Providing Threat Intel to Clients

A Managed Security Service Provider (MSSP) uses a TIP to centralize intelligence from its own research and third-party feeds. The MSSP then offers threat intelligence as a service to clients. Each client gets a dedicated TAXII collection on the MSSP's TAXII server. The MSSP's TIP pushes client-specific STIX bundles to each collection. Clients' on-premise TIPs or SIEMs pull from their respective collections. This architecture requires careful access control—each client must only see their own collection. A common failure is using a single API key for all clients; the fix is to use separate API keys per collection. Scalability: the TAXII server must handle concurrent pulls from hundreds of clients; load balancing and caching are often necessary.
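The server side of Scenarios 2 and 3 (and of walk-through step 5), as an added example that is not part of this chapter or any vendor's product: a TIP's own TAXII 2.1-style objects endpoint that maps one API key per client to the collections that client may read, answers 404 rather than revealing other clients' collections, and applies added_after, match[type] and paging server-side so a feed is filtered before it reaches a partner. Keys, collection ids and objects are constructed, and get_objects() takes already-parsed headers and query parameters rather than a live HTTP request.

```python
"""A TIP's own TAXII 2.1-style objects endpoint with per-client collection access
(added example, not the page's or any vendor's code). Keys, collection ids and
objects are constructed; get_objects() receives parsed headers and query params."""
import hashlib
import hmac

TAXII_MEDIA = "application/taxii+json;version=2.1"
PAGE_SIZE = 2
COLL_A = "c7a0d2e4-1b3f-4a5c-8d6e-0f1a2b3c4d5e"   # constructed collection ids
COLL_B = "e1f2a3b4-c5d6-4e7f-8a9b-0c1d2e3f4a5b"

# Constructed key store: SHA-256 of each client's key and the collections it may read.
CLIENTS = {
    hashlib.sha256(b"key-for-client-a").hexdigest(): {"name": "client-a", "read": {COLL_A}},
    hashlib.sha256(b"key-for-client-b").hexdigest(): {"name": "client-b", "read": {COLL_B}},
}

def obj(kind, uid, created, **props):
    """Minimal STIX 2.1 object with the common properties every object carries."""
    return {"type": kind, "spec_version": "2.1", "id": f"{kind}--{uid}",
            "created": created, "modified": created, **props}

# Constructed collection contents: (date added, object), oldest first.
STORE = {
    COLL_A: [
        ("2024-03-01T09:00:00Z", obj("indicator", "0a1b2c3d-1111-4222-8333-444455556666",
            "2024-03-01T09:00:00Z", pattern="[domain-name:value = 'bad.example']", pattern_type="stix")),
        ("2024-03-02T09:00:00Z", obj("threat-actor", "0a1b2c3d-2222-4333-8444-555566667777",
            "2024-03-02T09:00:00Z", name="Constructed Actor")),
        ("2024-03-03T09:00:00Z", obj("indicator", "0a1b2c3d-3333-4444-8555-666677778888",
            "2024-03-03T09:00:00Z", pattern="[ipv4-addr:value = '203.0.113.7']", pattern_type="stix")),
    ],
    COLL_B: [],
}

def authenticate(authorization):
    """Map a 'Bearer <key>' header to a client record; None if unknown."""
    scheme, _, key = authorization.partition(" ")
    if scheme != "Bearer" or not key:
        return None
    digest = hashlib.sha256(key.encode()).hexdigest()
    for stored, client in CLIENTS.items():
        if hmac.compare_digest(stored, digest):   # constant-time comparison
            return client
    return None

def get_objects(collection_id, headers, query):
    """GET /collections/{id}/objects/ -> (status, body, response headers)."""
    client = authenticate(headers.get("Authorization", ""))
    if client is None:
        return 401, {"title": "Unauthorized"}, {}
    if collection_id not in client["read"]:
        return 404, {"title": "Not Found"}, {}     # do not reveal other clients' collections
    if headers.get("Accept") != TAXII_MEDIA:
        return 406, {"title": "Not Acceptable"}, {}
    after = query.get("added_after", "1970-01-01T00:00:00Z")
    types = {t for t in query.get("match[type]", "").split(",") if t}
    rows = [(t, o) for t, o in STORE[collection_id]
            if t > after and (not types or o["type"] in types)]
    start = int(query.get("next", "0"))
    page = rows[start:start + PAGE_SIZE]
    body = {"more": start + PAGE_SIZE < len(rows), "objects": [o for _, o in page]}
    if body["more"]:
        body["next"] = str(start + PAGE_SIZE)
    resp = {"Content-Type": TAXII_MEDIA}
    if page:
        resp["X-TAXII-Date-Added-First"], resp["X-TAXII-Date-Added-Last"] = page[0][0], page[-1][0]
    return 200, body, resp
```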

How CS0-003 Actually Tests This

What CS0-003 Tests on This Topic

The exam objectives under Domain 4 (Reporting and Communication) include:
- 4.3: Explain the importance of communication during the incident response process.
- Sub-objectives related to threat intelligence sharing: understanding TIPs, STIX, TAXII, and how they facilitate communication.

Specifically, the exam expects you to:

Distinguish between STIX and TAXII.

Identify the purpose of a TIP.

Recognize scenarios where STIX/TAXII would be used.

Understand the role of TIPs in aggregating and normalizing threat data.

Common Wrong Answers and Why Candidates Choose Them

1. Confusing STIX and TAXII: A question might describe a scenario about sharing IOCs and ask which standard to use. The wrong answer is often 'TAXII' when the question is about the format (STIX) or vice versa. Candidates fail to remember that STIX is the language, TAXII is the transport.

2. Thinking TIPs are only for external feeds: Some questions imply that a TIP is only for aggregating external threat intelligence. The correct understanding is that TIPs also handle internal data (e.g., past incident IOCs). Candidates might choose an answer that says 'TIPs only ingest external feeds'—this is wrong.

3. Assuming TAXII is the only way to share STIX: While TAXII is the standard protocol, STIX can also be shared via other means (e.g., email, API). The exam tests that TAXII is the preferred automated method, but not the only one.

4. Misunderstanding collections vs. channels: Collections are for pull-based sharing; channels are for push-based. A question might describe a push scenario and the candidate selects 'collection'. Remember: collections = pull, channels = push.

Specific Numbers, Values, and Terms

STIX version: 2.1 (current for CS0-003).

TAXII version: 2.1.

Standardizing body: OASIS CTI TC.

STIX object types: indicator, threat-actor, campaign, attack-pattern, etc.

TAXII endpoints: /api/v2/collections/, /api/v2/collections/{id}/objects/.

Authentication: API keys, OAuth2, mutual TLS.

Transport: HTTPS (port 443).

Edge Cases and Exceptions

The exam may test that STIX 2.0 and 2.1 are not fully compatible; 2.1 added new object types.

TAXII 2.0 and 2.1 are compatible, but 2.1 adds channels.

A TIP can act as a TAXII server (producer) or client (consumer).

Sharing can be one-way (push) or two-way (pull).

How to Eliminate Wrong Answers

If the question mentions 'format' or 'language', the answer is STIX.

If the question mentions 'transport', 'exchange', or 'protocol', the answer is TAXII.

If the question focuses on 'aggregation' and 'normalization', the answer is TIP.

If the question mentions 'automated sharing between organizations', look for STIX/TAXII together.

Watch for distractors like 'OpenIOC' (a different format) or 'CybOX' (predecessor to STIX). The exam may include these as wrong options.

Key Takeaways

STIX is the standardized language for describing threat intelligence; TAXII is the protocol for exchanging it.

TAXII uses RESTful APIs over HTTPS; common endpoints include /api/v2/collections/ and /api/v2/collections/{id}/objects/.

A Threat Intelligence Platform (TIP) aggregates, normalizes, enriches, and disseminates threat data from multiple sources.

STIX 2.1 includes object types: indicator, threat-actor, campaign, attack-pattern, sighting, and more.

TAXII supports both pull (collections) and push (channels) sharing models.

Both STIX and TAXII are maintained by the OASIS Cyber Threat Intelligence (CTI) Technical Committee.

On the exam, remember that TIPs are not just aggregators—they provide enrichment and correlation.

Common exam trap: confusing STIX (format) with TAXII (transport).

STIX patterns use square brackets and colon notation, e.g., [ipv4-addr:value = '1.2.3.4'].

TAXII collections are identified by UUIDs; each collection holds STIX objects.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

STIX

Data format/language for threat intelligence.

Defines objects like indicators, threat actors, campaigns.

Uses JSON or XML serialization.

Developed by OASIS CTI TC.

Current version: 2.1.

TAXII

Transport protocol for exchanging threat intelligence.

Defines API endpoints, collections, channels.

Uses HTTPS for communication.

Developed by OASIS CTI TC.

Current version: 2.1.

STIX/TAXII

Standardized by OASIS; industry-wide adoption.

Supports complex relationships and contextual data.

Machine-readable JSON/XML.

Designed for automated sharing via TAXII.

Supports multiple object types (indicators, threat actors, etc.).

OpenIOC

Proprietary format from Mandiant (now FireEye).

Primarily indicator-focused, less contextual.

XML-based.

Often shared manually or via proprietary APIs.

Limited to indicators of compromise.

Watch Out for These

Mistake

STIX and TAXII are the same thing and always used together.

Correct

STIX is a data format; TAXII is a transport protocol. They are separate standards from OASIS. You can use STIX without TAXII (e.g., via email) and TAXII without STIX (e.g., to share other data), though they are designed to work together.

Mistake

A TIP is just a fancy term for a threat feed.

Correct

A TIP is a platform that aggregates, normalizes, enriches, and correlates intelligence from multiple sources—it is not just a feed. It provides analysis tools and automated dissemination to other security tools.

Mistake

TAXII only supports pull-based sharing.

Correct

TAXII 2.1 supports both pull (via collections) and push (via channels). The push model uses channels for publish-subscribe.

Mistake

STIX indicators are only IP addresses and hashes.

Correct

STIX can represent a wide range of observables: IPs, domain names, URLs, email addresses, file paths, registry keys, and more. It also represents relationships, threat actors, campaigns, and attack patterns.

Mistake

You need a TIP to use STIX/TAXII.

Correct

STIX/TAXII can be used directly via scripts or custom applications. A TIP simplifies the process but is not required. For example, you can write a Python script to pull STIX from a TAXII server and parse it.


Frequently Asked Questions

What is the difference between STIX and TAXII for the CS0-003 exam?

STIX (Structured Threat Information Expression) is a standardized language for describing cyber threat intelligence. It defines objects like indicators, threat actors, and campaigns in a machine-readable format (JSON/XML). TAXII (Trusted Automated eXchange of Indicator Information) is a protocol for exchanging STIX data over HTTPS. Think of STIX as the language and TAXII as the courier service. On the exam, you must know that they are separate but complementary standards from OASIS. A question might ask: 'Which standard defines the format for sharing IOCs?' The answer is STIX. 'Which protocol automates the exchange?' That's TAXII.

Do I need to memorize STIX object types for the exam?

Yes, you should be familiar with the common STIX 2.1 object types: indicator, observable, threat-actor, campaign, attack-pattern, sighting, course-of-action, and relationship. The exam may present a scenario and ask which object type is used to represent a specific piece of intelligence. For example, a file hash would be an indicator, while a group of hackers would be a threat-actor. Focus on the purpose of each type rather than all properties.

Can a TIP function as a TAXII server?

Yes, many TIPs can act as both a TAXII client (consuming external feeds) and a TAXII server (publishing curated intelligence to internal tools or partners). This allows the TIP to centralize intelligence and redistribute it in a standardized format. On the exam, if a question describes an organization that wants to share its own intelligence with partners, the solution might involve configuring the TIP as a TAXII server with specific collections.

What is the role of collections in TAXII?

Collections are repositories on a TAXII server that contain STIX objects. Each collection has a unique ID and can be configured with access controls. Clients can pull objects from a collection (GET) or push objects into it (POST). Collections are the primary mechanism for organizing and sharing intelligence. For example, a TAXII server might have a 'ransomware' collection and a 'phishing' collection. The exam may test that collections are for pull-based sharing, while channels are for push-based.

How does a TIP integrate with a SIEM?

A TIP typically pushes indicators to a SIEM via API, syslog, or direct database integration. The SIEM then uses these indicators to generate alerts when matching log data is observed. For example, a TIP might send a list of malicious IPs to Splunk via a custom input. Alternatively, the SIEM can pull from the TIP's TAXII feed. The integration automates the consumption of threat intelligence, reducing manual updates. On the exam, you might be asked to identify the best method for feeding IOCs into a SIEM—the answer often involves a TIP with API integration.

What authentication methods does TAXII support?

TAXII 2.1 supports multiple authentication methods: API keys (Bearer tokens), OAuth2, and mutual TLS (mTLS). The specific method depends on the server configuration. API keys are common for simpler setups, while mTLS provides stronger security for sensitive sharing. On the exam, you may need to select the appropriate authentication for a given scenario (e.g., high-security environment requires mTLS).

Is STIX 2.1 backward compatible with STIX 2.0?

STIX 2.1 introduced new object types (e.g., grouping, infrastructure) and some changes to existing ones, so it is not fully backward compatible with STIX 2.0. However, many 2.0 objects can be used in 2.1 with minor adjustments. TAXII 2.1 is backward compatible with TAXII 2.0. The exam may test that STIX 2.1 is the current version and that you should be aware of major additions.

