Firstly, this is a picture of my much-loved tortoise Bob. We have another named Terabyte, but she doesn’t like the camera. And of course, we have a bundle of sticks. I couldn’t find a picture of sticks that I liked, so I took this one, with Bob.

At Elemendar, we are always talking about STIX bundles and which is why I have reviewed the recently released STIX2.1 update for this article.

Structured Threat Information Expression (STIX) is a JSON based, machine-readable, open-source standard that allows the exchange of cyber threat intelligence across organisations. This allows collaboration between experts in the field, as well as allowing others to quickly and easily ingest cyber threat intelligence to allow better protection of company networks.

The latest update to the standard, STIX2.1, was released on 25 January 2021 and while there hasn’t been a huge uptake in support of this revised specification, there have been some very interesting additions within the latest version. This document aims to highlight the most useful aspects added in this update. The full STIX2.1 specification is available at (link)

New STIX Domain Objects

There have been six new SDOs added with STIX2.1, Grouping, Infrastructure, Location, Malware Analysis, Note and Opinion.
Of these, I feel that the most useful are going to be the Infrastructure and the Location SDOs.

The new ‘Infrastructure’ SDO can be used to show that a company’s infrastructure is targeted or has a vulnerability, but also that malicious infrastructure set up by attackers is used to control malware or is used by malware to exfiltrate data.
It also supports the ‘owns’ relationship with ‘threat-actor’ and ‘intrusion-set’ to allocate ownership of the malicious infrastructure.

The ‘Location’ SDO allows for the allocation of geographic locations. These locations can be used to give context to other SDOs, for example, a malware sample may use the operating system’s assigned regional keyboard layout in order to target British (English GB), speaking individuals or the malware sample may originate from a geographic region.
A ‘Location’ SDO can also be related to ‘Identity’ SDO to indicate that identity is located in that location.

New STIX Relationships

There are a large number of relationships that have been added in 2.1. The most useful of which seem to be related to the new SDOs that have been added.

Infrastructure has a wide range of relationships that can be used with both malicious infrastructure and legitimate infrastructure. I have highlighted a few below that are most interesting to me.

  • Infrastructure controls malware – this is used for C2 servers issuing commands to malware.
  • Infrastructure delivers/hosts malware – this is used to determine where a malware sample has originated from.
  • Infrastructure located-at location – this is used to provide a physical location to any infrastructure mentioned.
  • Infrastructure has vulnerability – this is used when company infrastructure has a vulnerability that could have been/ was exploited.

The ‘Malware’ SDO is another that was given some attention. A total of seven new relationships have been added. I may be biased, but I always get excited when malware gets some attention. STIX 2.0 provides nine new SDOs. These are the highlights:

  • Malware authored-by threat-actor – this is very useful as the person who authored the malware may not actually use it in an attack but will sell it to other criminal organisations.
  • Malware targets infrastructure – this is used to provide information on the systems a malware sample is targeting.
  • Malware beacons-to/exfiltrates-to infrastructure – this is used for C2 or providing remote access, or uploading exfiltrated data.
  • Malware downloads/drops malware/tool/file – this is used for describing the activity of a dropper and what is actually dropped to a system.
  • Malware originates-from location – this is used to provide details on attribution based on geographic location.
  • Malware targets infrastructure/location – this is used to show that a malware sample targets specific infrastructure (eg, Sunburst targets Solarwinds Orion) or a malware targets a specific location (eg, NotPetya targets Ukraine).
  • Malware exploits vulnerability – this is used when a malware sample uses a vulnerability as part of its attack-pattern (eg, WannaCry using EternalBlue (CVE-2017-0144))

The ‘Threat-actor’ and ‘Tool’ SDOs also got a slight update with four new relationships added for both ‘Threatactor’ and ‘Tool’.

  • Threat-actor compromises infrastructure – this will be used when a threat actor compromises a victim system.
  • Threat-actor hosts/owns infrastructure – This will be used to assign infrastructure to a threat actor or group.
  • Threat-actor located-at location – this will be used to assign attribution to a country if enough evidence is available.
  • Tool delivers/drops malware – this will be used when red teaming tools such as Cobalt Strike is used to drop malware onto a system
  • Tool has vulnerability – this is used for any tool that has a vulnerability that could be or has been exploited.
  • Tool uses infrastructure – this is used to link the infrastructure used by tooling.

Final thoughts

STIX2.1 is definitely a big step in the right direction. The additional SDOs and relationships give a huge amount of context and make a lot of sense. It also reduces the amount of information that is tagged as an indicator due to the lack of specific SDOs.

I look forward to working with the STIX2.1 standard when it is more widely supported and implemented by the information security community.