Every cyber attack leaves traces. These provide insights into how attackers operate, which vulnerabilities they exploit, and the paths they take within a network. Such incidents can be used to derive threat intelligence — processed, context-enriched information about current cyber threats. This type of intelligence is essential for detecting and understanding future attacks at an early stage, and for implementing appropriate protective measures as a result. This is precisely where Cyber Threat Intelligence (CTI) comes in. CTI describes the process of systematically collecting, analysing, and processing information about cyber threats. Its goal is to provide organizations and enterprises with early warning of attacks and to enable them to strengthen their security measures in a targeted manner.
Cyber Threat Intelligence (CTI) can encompass a wide range of content, including:
Such information can be integrated directly into security solutions such as EDR, XDR, or SIEM systems, where it can support SOC teams in threat hunting, the active search for previously undetected attackers within a network. A key foundation of Cyber Threat Intelligence is the insights gained from IT forensic investigations. When these are enriched with additional context — such as the threat actor group claiming responsibility for an attack — a significantly more comprehensive picture of the threat landscape emerges. The analysis of past security incidents reveals patterns, methodologies, and indicators that hold relevance beyond the individual incident, as they can equally be applied to anticipate future attacks. The structured consolidation of this knowledge about past attacks therefore constitutes a central pillar of preventive security measures.
For such threat intelligence to be exchanged effectively and meaningfully across different organizations and companies, standardized exchange formats are required. This is precisely the purpose for which STIX was developed.
Structured Threat Information eXpression (STIX) is a standardized format for the exchange of threat intelligence. The open-source project is published, maintained, and regularly updated as an OASIS standard by the Cyber Threat Intelligence Technical Committee (current version as of May 2026: v2.1) [1]. Many vendors of EDR, XDR, and SIEM solutions already support STIX for exchange and further processing of CTI data.
STIX version 2 is built on a JSON-based data model. Compared to its predecessor, this makes it considerably more lightweight, more modular in design, and more oriented towards automation. That said, even in version 2 the standard remains quite extensive and complex [2].
At its core, the format operates with three main components:
- STIX Cyber-observable Objects (SCOs): the raw technical observables, such as files, IP addresses, and domain names
- STIX Domain Objects (SDOs): the higher-level concepts that give those observables context, such as threat actors, malware, attack patterns, infrastructure, and indicators
- STIX Relationship Objects (SROs): the links that connect SDOs and SCOs to one another
The rather abstract construct of STIX is best illustrated through an example:
Compor AG (our favourite, but imaginary, victim company) has been targeted by a ransomware attack from the equally imaginary group “Arancio”. During the attack, systems were not only encrypted, but — as is typical for this type of attack — data was also exfiltrated from the compromised systems, and additional malware in the form of backdoors was deployed. As part of a subsequent IT forensic investigation, several traces were identified that provided insights into the attackers' activities. These include the IP address of a Command-and-Control (C2) server, several executable malware files, and a domain attributed to the threat actors. These technical artifacts can initially be classified as the following SCOs:
| SCO | Value | Attributes & Description |
| --- | --- | --- |
| File | arancio.exe | MD5 hash: 6ce4e69804d7b6918da802d6ec88f35a |
| File | backdoor.exe | MD5 hash: cfd31ed6998727cf22d1f742b784069f |
| File | Pro-forma Invoice.docm | Word document containing a macro (VBScript); MD5 hash: 9c994f899167b46f2ddcaefffaf23f52 |
| IPv4 address | 192.0.2.66 | C2 server |
| Domain name | c2.arancio.bad-net.de | Malware hosting & exfiltration target |
However, on their own these pieces of information are still isolated and of only limited use. Using predefined SDOs, the individual pieces of data can be consolidated and enriched with additional contextual information from the analysis and from the attack itself:
| SDO | Value | Attributes & Description |
| --- | --- | --- |
| Threat Actor | Arancio | Attacker group claiming responsibility for this attack |
| Attack Pattern | Spear Phishing Attachment (T1566.001) | Initial Access (MITRE ATT&CK) |
| Attack Pattern | VBScript Execution (T1059.005) | Execution (MITRE ATT&CK) |
| Attack Pattern | Exfiltration (T1567.002) | Data Exfiltration (MITRE ATT&CK) |
| Attack Pattern | Encryption (T1486) | Damage (MITRE ATT&CK) – Ransomware Encryption |
| Attack Pattern | Lateral Tool Transfer (T1570) | Propagation of tooling via Windows file shares |
| Attack Pattern | C2 Communication (T1071.001) | Attackers' TTPs – according to MITRE ATT&CK |
| Malware | Malicious VBA Macro | Downloader macro in DOCM |
| Malware | arancio.exe | Ransomware (executable file for encrypting IT systems) + exfiltration (data leakage) |
| Malware | backdoor.exe | Backdoor / C2 agent |
| Infrastructure | Arancio backdoor infrastructure | Attackers' C2 server infrastructure |
| Infrastructure | Arancio hosting infrastructure | Attackers' download server for the malware |
| Indicator | 192.0.2.66 | Indicator derived from the SCO IPv4 address |
| Indicator | c2.arancio.bad-net.de | Indicator derived from the SCO domain name |
The objects can then be linked using SROs, providing a comprehensive overview of the analysed attack:

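As an added worked example (not code from the original article), the following Python script builds the Arancio case above as a STIX 2.1 bundle using only the standard library, and then runs the sanity checks a consumer should apply before ingesting such a feed. The object contents come from the two tables; the object identifiers, the analysis timestamp, the chosen open-vocabulary values (for example `crime-syndicate`, `hosting-malware`) and the particular relationship types are assumptions made here, selected from the vocabularies and relationship tables of the STIX 2.1 specification.

```python
# Added example, not from the article: the Arancio findings as a STIX 2.1 bundle.
# Object contents follow the article's tables; ids, timestamps and vocabulary choices are assumptions.
import json
import re
import uuid
from datetime import datetime, timezone

# Namespace for deterministic SCO identifiers (UUIDv5), fixed by the STIX 2.1 specification.
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
ID_RE = re.compile(r"^[a-z][a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
# Constructed analysis timestamp used for created/modified/valid_from.
NOW = datetime(2026, 5, 1, 12, 0, tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def sco_id(stix_type, contributing):
    """UUIDv5 over the id-contributing properties, serialized as compact key-sorted JSON (STIX 2.1 section 2.9)."""
    canon = json.dumps(contributing, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return f"{stix_type}--{uuid.uuid5(SCO_NAMESPACE, canon)}"


def sco(stix_type, contributing, **extra):
    """STIX Cyber-observable Object: the same observable always yields the same id."""
    return {"type": stix_type, "spec_version": "2.1", "id": sco_id(stix_type, contributing), **contributing, **extra}


def sdo(stix_type, **props):
    """STIX Domain (or Relationship) Object with the common required properties filled in."""
    return {"type": stix_type, "spec_version": "2.1", "id": f"{stix_type}--{uuid.uuid4()}",
            "created": NOW, "modified": NOW, **props}


def rel(source, relationship_type, target):
    """STIX Relationship Object linking two objects by id."""
    return sdo("relationship", relationship_type=relationship_type, source_ref=source["id"], target_ref=target["id"])


def attack_pattern(name, technique_id):
    """Attack pattern pointing at its MITRE ATT&CK technique through an external reference."""
    return sdo("attack-pattern", name=name,
               external_references=[{"source_name": "mitre-attack", "external_id": technique_id}])


def build_bundle():
    # SCOs: the raw forensic artifacts (table 1)
    ransomware_file = sco("file", {"name": "arancio.exe", "hashes": {"MD5": "6ce4e69804d7b6918da802d6ec88f35a"}})
    backdoor_file = sco("file", {"name": "backdoor.exe", "hashes": {"MD5": "cfd31ed6998727cf22d1f742b784069f"}})
    docm_file = sco("file", {"name": "Pro-forma Invoice.docm", "hashes": {"MD5": "9c994f899167b46f2ddcaefffaf23f52"}})
    c2_ip = sco("ipv4-addr", {"value": "192.0.2.66"})
    c2_domain = sco("domain-name", {"value": "c2.arancio.bad-net.de"})
    # SDOs: context from the investigation (table 2)
    actor = sdo("threat-actor", name="Arancio", threat_actor_types=["crime-syndicate"])
    ransomware = sdo("malware", name="arancio.exe", is_family=False, malware_types=["ransomware"])
    backdoor = sdo("malware", name="backdoor.exe", is_family=False, malware_types=["backdoor"])
    macro = sdo("malware", name="Malicious VBA Macro", is_family=False, malware_types=["downloader"])
    c2_infra = sdo("infrastructure", name="Arancio backdoor infrastructure", infrastructure_types=["command-and-control"])
    host_infra = sdo("infrastructure", name="Arancio hosting infrastructure", infrastructure_types=["hosting-malware"])
    ttps = [attack_pattern(n, t) for n, t in [
        ("Spear Phishing Attachment", "T1566.001"), ("VBScript Execution", "T1059.005"),
        ("Exfiltration", "T1567.002"), ("Encryption", "T1486"),
        ("Lateral Tool Transfer", "T1570"), ("C2 Communication", "T1071.001")]]
    ip_indicator = sdo("indicator", name="Arancio C2 server", pattern_type="stix", valid_from=NOW,
                       indicator_types=["malicious-activity"], pattern=f"[ipv4-addr:value = '{c2_ip['value']}']")
    dom_indicator = sdo("indicator", name="Arancio C2 domain", pattern_type="stix", valid_from=NOW,
                        indicator_types=["malicious-activity"], pattern=f"[domain-name:value = '{c2_domain['value']}']")
    # SROs: the links that turn isolated facts into a picture of the attack
    rels = [rel(actor, "uses", o) for o in ttps + [ransomware, backdoor, macro, c2_infra, host_infra]]
    rels += [rel(ip_indicator, "indicates", c2_infra), rel(dom_indicator, "indicates", host_infra),
             rel(c2_infra, "consists-of", c2_ip), rel(host_infra, "consists-of", c2_domain),
             rel(backdoor, "communicates-with", c2_ip), rel(macro, "downloads", ransomware),
             rel(host_infra, "hosts", ransomware)]
    objects = [ransomware_file, backdoor_file, docm_file, c2_ip, c2_domain, actor, ransomware, backdoor, macro,
               c2_infra, host_infra, *ttps, ip_indicator, dom_indicator, *rels]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def check_bundle(bundle):
    """Consumer-side checks: well-formed ids, relationship refs that resolve, SCO ids that match their content."""
    problems, ids = [], {o["id"] for o in bundle["objects"]}
    for o in bundle["objects"]:
        if not ID_RE.match(o["id"]):
            problems.append(f"malformed id {o['id']}")
        if o["type"] == "relationship":
            for key in ("source_ref", "target_ref"):
                if o[key] not in ids:
                    problems.append(f"{o['id']}: {key} {o[key]} not in bundle")
        if o["type"] in ("ipv4-addr", "domain-name") and o["id"] != sco_id(o["type"], {"value": o["value"]}):
            problems.append(f"{o['id']}: id does not match its value")
    return problems


if __name__ == "__main__":
    print(json.dumps(build_bundle(), indent=2))
```

Two design points worth noting: SCO identifiers are derived from the observable's own content, so the same IP address produced by two different investigations gets the same id and de-duplicates naturally when bundles are merged, whereas SDOs get random UUIDv4 ids. The indicators are linked to the infrastructure objects with `indicates` rather than directly to the SCOs, because the STIX 2.1 relationship table has no indicator-to-SCO relationship; the SCOs are attached to the infrastructure with `consists-of` instead.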
This example demonstrates how findings from an IT forensic analysis can be structured and linked using STIX. This allows technical evidence, attacker information, and contextual relationships to be presented in a consistent manner.
However, to ensure that this STIX-structured information does not remain local but can also be integrated into security solutions and exchanged across organizations, a standardized exchange mechanism is required. TAXII was developed exactly for this purpose.
Trusted Automated eXchange of Intelligence Information (TAXII) is a communication protocol for the standardised and automated exchange of cyber threat intelligence in STIX format [3]. While STIX describes how threat information is structured, TAXII defines how this information is transmitted between different systems—typically via HTTPS-based interfaces in the form of collections or feeds.
Thus, TAXII provides the technical basis for structured threat information to be exchanged automatically between different systems in an efficient and scalable manner and utilized operationally.
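The exchange TAXII defines, as an added example that is not part of the original article and not an existing TAXII implementation: a TAXII 2.1 server is modelled in-process (its `get` method stands in for the HTTPS transport), and a client walks the protocol from the discovery endpoint to the API root's collection list and then pages through a collection's objects. The endpoint paths, the `application/taxii+json;version=2.1` media type, the `added_after`/`next` query parameters, the `more`/`next` envelope fields and the `X-TAXII-Date-Added-*` headers follow TAXII 2.1; the API root name, collection id and the three STIX objects served are constructed sample data, and the page size is deliberately small so that paging is exercised.

```python
# Added example, not from the article: a TAXII 2.1 pull modelled in-process.
# TaxiiServer.get stands in for the HTTPS server side; pull_collection is the client.
from urllib.parse import parse_qs, urlsplit

TAXII_MEDIA = "application/taxii+json;version=2.1"
STIX_MEDIA = "application/stix+json;version=2.1"
PAGE_SIZE = 2  # deliberately small so the client must follow more/next


def _sample(added, stix_type, ident, **props):
    """Constructed collection entry: (time the object was added to the collection, STIX object)."""
    return added, {"type": stix_type, "spec_version": "2.1", "id": f"{stix_type}--{ident}",
                   "created": added, "modified": added, **props}


SAMPLE_OBJECTS = [  # constructed sample content of the collection
    _sample("2026-05-01T10:00:00.000Z", "indicator", "0f2a6b7e-1c1d-4a2b-8c3d-000000000001", pattern_type="stix",
            pattern="[ipv4-addr:value = '192.0.2.66']", valid_from="2026-05-01T10:00:00.000Z"),
    _sample("2026-05-01T11:00:00.000Z", "indicator", "0f2a6b7e-1c1d-4a2b-8c3d-000000000002", pattern_type="stix",
            pattern="[domain-name:value = 'c2.arancio.bad-net.de']", valid_from="2026-05-01T11:00:00.000Z"),
    _sample("2026-05-02T09:30:00.000Z", "threat-actor", "0f2a6b7e-1c1d-4a2b-8c3d-000000000003", name="Arancio"),
]


class TaxiiServer:
    """Stand-in for a TAXII 2.1 server; get(url, accept) returns (status, headers, body)."""

    def __init__(self, api_root, collection_id, objects):
        self.api_root, self.cid = api_root, collection_id
        self.objects = sorted(objects, key=lambda entry: entry[0])

    def get(self, url, accept):
        if accept != TAXII_MEDIA:  # a TAXII server rejects clients that do not ask for the TAXII media type
            return 406, {}, {"title": "Not Acceptable", "http_status": "406"}
        parts, hdr = urlsplit(url), {"Content-Type": TAXII_MEDIA}
        query = parse_qs(parts.query)
        if parts.path == "/taxii2/":  # discovery endpoint
            return 200, hdr, {"title": "Sample TAXII server", "api_roots": [f"/{self.api_root}/"]}
        if parts.path == f"/{self.api_root}/collections/":
            return 200, hdr, {"collections": [{"id": self.cid, "title": "Arancio findings", "can_read": True,
                                               "can_write": False, "media_types": [STIX_MEDIA]}]}
        if parts.path == f"/{self.api_root}/collections/{self.cid}/objects/":
            added_after = query.get("added_after", [""])[0]       # exclusive lower bound on date added
            start = int(query.get("next", ["0"])[0])               # opaque to the client; here an offset
            hits = [(ts, o) for ts, o in self.objects if ts > added_after]
            page, more = hits[start:start + PAGE_SIZE], start + PAGE_SIZE < len(hits)
            envelope = {"more": more, "objects": [o for _, o in page]}
            if more:
                envelope["next"] = str(start + PAGE_SIZE)
            if page:
                hdr = {**hdr, "X-TAXII-Date-Added-First": page[0][0], "X-TAXII-Date-Added-Last": page[-1][0]}
            return 200, hdr, envelope
        return 404, hdr, {"title": "Not Found", "http_status": "404"}


def pull_collection(server, added_after=""):
    """Client: discovery -> API root -> readable collections -> page through objects newer than the watermark.
    Returns (objects received, pages fetched, new watermark to persist for the next incremental pull)."""
    status, _, discovery = server.get("/taxii2/", TAXII_MEDIA)
    if status != 200:
        raise RuntimeError(f"discovery failed with HTTP {status}")
    api_root = discovery["api_roots"][0]
    _, _, listing = server.get(f"{api_root}collections/", TAXII_MEDIA)
    received, pages, watermark = [], 0, added_after
    for col in (c for c in listing["collections"] if c["can_read"]):
        next_token = None
        while True:
            params = [f"added_after={added_after}"] if added_after else []
            if next_token:
                params.append(f"next={next_token}")
            url = f"{api_root}collections/{col['id']}/objects/" + ("?" + "&".join(params) if params else "")
            status, hdr, envelope = server.get(url, TAXII_MEDIA)
            if status != 200 or hdr.get("Content-Type") != TAXII_MEDIA:
                raise RuntimeError(f"unexpected response {status} {hdr.get('Content-Type')}")
            received.extend(envelope["objects"])
            pages += 1
            watermark = max(watermark, hdr.get("X-TAXII-Date-Added-Last", watermark))
            if not envelope.get("more"):
                break
            next_token = envelope["next"]  # continue with the server-supplied cursor
    return received, pages, watermark


if __name__ == "__main__":
    server = TaxiiServer("api1", "91a7b528-80eb-42ed-a74d-c6fbd5a26116", SAMPLE_OBJECTS)
    objects, pages, mark = pull_collection(server)
    print(f"{len(objects)} objects in {pages} pages; next pull starts after {mark}")
```

The watermark returned by the client is the `X-TAXII-Date-Added-Last` header of the last non-empty page; persisting it and passing it back as `added_after` turns a full download into an incremental feed pull, which is how a SIEM or EDR connector keeps a collection in sync without re-fetching everything. In a real deployment the transport is HTTPS with authentication (TAXII 2.1 specifies HTTP Basic over TLS as the baseline), and the `next` cursor is treated as opaque.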
Summary
Cyber attacks provide valuable insights into attackers’ methods, tools, and structures. Cyber Threat Intelligence (CTI) collects, analyses and correlates this information to build a robust overall picture. The goal is to detect threats at an early stage and respond to them more quickly and effectively.
STIX and TAXII offer a way to describe and exchange CTI information. In addition, there are other approaches and rule-based detection mechanisms, such as MISP or YARA/SIGMA, which are used depending on the deployment scenario.
In the end, it becomes clear that only through standardised formats and a common language is it possible to piece together individual bits of information into a comprehensive picture that offers real added value for effective cyber defence.
Our incident response and forensics experts support you in managing cyber attacks and the structured evaluation of findings from IT forensic analyses. Together with our consulting experts, we guide you in translating these findings into sustainable security strategies and in developing your cyber defences in a targeted manner – both reactively in the event of an incident and proactively in strategic planning.