
TAXII

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
TAXII
Name: TAXII
Full name: Trusted Automated eXchange of Indicator Information
Developer: Cyber Threat Intelligence Community
First release: 2014
Latest release: 2.1
License: Open standard

TAXII is an open specification for exchanging cyber threat intelligence over networks, enabling automated sharing among tools and organizations. It is a transport and exchange protocol rather than a content format: it complements the data formats and schemas used in cyber operations and incident response, facilitating interoperability among vendors, research labs, standards bodies, and international CERTs. TAXII has influenced architectures used by task forces, alliance frameworks, and intelligence-sharing consortia across national, corporate, and academic settings.

Overview

TAXII provides a framework for sharing structured threat information between entities such as National Cyber Security Centre (NCSC), United States Cyber Command, European Union Agency for Cybersecurity, CERT Coordination Center, and commercial providers like FireEye and Palo Alto Networks. The specification defines collections, channels, and services that map to use cases encountered by operators at NATO, INTERPOL, Bank for International Settlements, and research groups at Massachusetts Institute of Technology and Carnegie Mellon University. TAXII is often deployed alongside content standards from OASIS and data models from MITRE and cooperates with schemas used by FIRST and OpenIOC practitioners. Implementations interoperate with platforms from Splunk, Elastic, IBM Security, and open-source projects maintained by contributors at GitHub and Apache Software Foundation.

History and Development

Work on TAXII began as part of a push to standardize indicator sharing involving stakeholders such as US-CERT, NSA, DHS, and civil society groups including Electronic Frontier Foundation and academic partners at Stanford University. Early drafts emerged from collaborations among members of OASIS technical committees and working groups with participation by vendors like Symantec and Cisco Systems. Subsequent revisions incorporated feedback from incident response teams at Microsoft, Google, Amazon Web Services, and law enforcement partners such as Europol and FBI. The protocol evolved through public reviews, interoperability events hosted by FIRST and demonstrations at conferences like Black Hat, DEF CON, RSA Conference, and SANS Institute summits.

Architecture and Components

TAXII specifies logical components including Inbox, Collection Management, and Polling services implemented by producers and consumers such as SIEM vendors and security orchestration platforms from Splunk and ServiceNow. The model defines Actors and Services that map to entities like CERT-EU, UK National Cyber Security Centre, Australian Cyber Security Centre, and commercial SOCs at Goldman Sachs and J.P. Morgan Chase. TAXII operates with content bound to formats used by STIX and integrates with metadata registries maintained by ISO committees and standards organizations like IETF. Deployment models range from ad hoc bilateral exchanges between teams at Lockheed Martin and Boeing to federated hubs run by consortia such as Financial Services Information Sharing and Analysis Center.

Protocols and Message Bindings

TAXII defines transport bindings over HTTP/HTTPS, served by web server stacks such as Apache HTTP Server and Nginx, with message encodings in XML and JSON that are consumed by tools from Google Cloud Platform and Microsoft Azure. Message semantics align with RESTful patterns advocated by Roy Fielding and have been demonstrated over messaging systems such as RabbitMQ and Apache Kafka for high-volume exchange between enterprises like Visa and Mastercard. Security layers typically rely on TLS for transport protection and on authentication mechanisms interoperable with identity providers including Okta and Ping Identity and with federated systems using SAML and OAuth.
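A TAXII 2.1 client walk through the discovery, API root, collections and paginated objects endpoints that the two sections above describe, as an added example (not code from the original article or from any TAXII implementation). The server URL, collection ids and indicator objects are constructed for the example, and the in-memory `fetch` stands in for an authenticated HTTPS GET; the points it makes are the ones a defender cares about: reject non-TAXII responses, poll only collections advertised as readable, and bound pagination.

```python
TAXII_MEDIA = "application/taxii+json;version=2.1"
API = "https://taxii.example.test/api1/"  # constructed API root URL
COLL = "91a7b528-80eb-42ed-a74d-c6fbd5a26116"  # constructed collection id
# Constructed in-memory server: url -> (Content-Type, decoded JSON body). Indicator ids are made up.
SAMPLE_SERVER = {
    "https://taxii.example.test/taxii2/": (TAXII_MEDIA, {"title": "Example", "default": API, "api_roots": [API]}),
    API: (TAXII_MEDIA, {"title": "API Root 1", "versions": [TAXII_MEDIA], "max_content_length": 10485760}),
    API + "collections/": (TAXII_MEDIA, {"collections": [
        {"id": COLL, "title": "Indicators", "can_read": True, "can_write": False},
        {"id": "52892447-4d7e-4f70-b94d-d7f22742ff63", "title": "Inbox", "can_read": False, "can_write": True}]}),
    f"{API}collections/{COLL}/objects/": (TAXII_MEDIA, {"more": True, "next": "p2", "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern": "[domain-name:value = 'bad.example']"}]}),
    f"{API}collections/{COLL}/objects/?next=p2": (TAXII_MEDIA, {"more": False, "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[ipv4-addr:value = '192.0.2.1']"}]}),
}

def fetch(url, server=SAMPLE_SERVER):
    """Stand-in for an HTTPS GET sent with Accept: application/taxii+json;version=2.1.
    A real client also verifies TLS and authenticates; here only the media type is checked,
    so a non-TAXII response (captive portal, error page) fails loudly instead of being parsed."""
    ctype, body = server[url]
    if ctype != TAXII_MEDIA:
        raise ValueError(f"unexpected Content-Type {ctype!r} from {url}")
    return body

def readable_collections(api_root):
    """Only collections whose advertised can_read flag is set are worth polling."""
    return [c for c in fetch(api_root + "collections/")["collections"] if c.get("can_read")]

def poll_objects(api_root, collection_id, max_pages=100):
    """Follow envelope pagination ('more' plus 'next') until the server reports no more pages.
    The page bound keeps a misbehaving server from holding the client in an endless loop."""
    base = f"{api_root}collections/{collection_id}/objects/"
    url, out, pages = base, [], 0
    while True:
        env = fetch(url)
        out.extend(env.get("objects", []))
        pages += 1
        if not env.get("more") or pages >= max_pages:
            return out
        url = f"{base}?next={env['next']}"

def walk(discovery_url):
    """Discovery -> default API root -> version check -> objects from every readable collection."""
    api_root = fetch(discovery_url)["default"]
    if TAXII_MEDIA not in fetch(api_root)["versions"]:
        raise RuntimeError("API root does not advertise TAXII 2.1")
    return {c["title"]: poll_objects(api_root, c["id"]) for c in readable_collections(api_root)}
```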

Use Cases and Implementations

Operational use cases include automated indicator sharing during active incidents at Equifax and collaborative research at institutions like University of Cambridge and Imperial College London. Implementations span commercial products by McAfee and Trend Micro, open-source projects hosted on GitHub, research prototypes from MITRE, and managed services offered by AT&T Cybersecurity and CrowdStrike. Sector-specific exchanges have been stood up for Healthcare Information and Management Systems Society, energy sector groups coordinated with International Atomic Energy Agency, and transportation partners working with International Air Transport Association.

Security and Privacy Considerations

Secure deployment of TAXII involves threat modeling similar to frameworks used by NIST and privacy assessments guided by principles from European Data Protection Board and ICO (United Kingdom). Operational controls reference best practices promulgated by CIS benchmarks and incident handling methodologies from CERT Coordination Center and FIRST. Data minimization, access controls, and audit logging are implemented using IAM solutions from AWS Identity and Access Management and key management consistent with guidance from National Institute of Standards and Technology publications. Cross-border sharing raises legal considerations addressed by treaties and instruments such as Budapest Convention and agreements negotiated by World Trade Organization members.

Adoption and Governance

Governance of TAXII-adopting ecosystems typically involves consortia and standards bodies including OASIS, IETF, FIRST, and regional Computer Emergency Response Teams such as CERT.be and JPCERT/CC. Major adopters include national CERTs like US-CERT, corporate SOCs at IBM, financial institutions overseen by Federal Reserve System, and cloud providers from Amazon Web Services and Microsoft Azure. Interoperability is reinforced through plugfests and testing events organized by ENISA and vendor alliances showcased at conferences such as RSA Conference and Black Hat USA.