OASIS Cyber Threat Intelligence (CTI) Technical Committee

The original Call For Participation for this TC may be found at https://lists.oasis-open.org/archives/cti/201505/msg00000.html.

The Charter for this TC was clarified on 14 March 2021. The ballot to approve the clarification can be found at https://www.oasis-open.org/committees/ballot.php?id=3578.

  1. Name of the TC

    OASIS Cyber Threat Intelligence (CTI) Technical Committee

  2. Statement of Purpose

    Traditional approaches for cyber security that focus inward on understanding and addressing vulnerabilities, weaknesses, and configurations are necessary but insufficient in today's dynamic cyber landscape. Effective defense against current and future threats also requires the addition of an outward focus on understanding the adversary's behavior, capability, and intent. Only through a balanced understanding of both the adversary and ourselves can we understand enough about the true nature of the threats we face to make intelligent defensive decisions. The development of this understanding is known as cyber threat intelligence (CTI).

    Cyber threat intelligence itself poses a challenge in that no single organization can have enough information to create and maintain accurate situational awareness of the threat landscape. This limitation is overcome by sharing of relevant cyber threat information among trusted partners and communities. Through information sharing, each sharing partner can achieve a more complete understanding of the threats they face and how to defeat them.

    The purpose of the Cyber Threat Intelligence (CTI) Technical Committee is to define a set of information representations and protocols to address the need to model, analyze, and share cyber threat intelligence. A composable set of information sharing services will be defined to enable peer-to-peer, hub and spoke, and source subscriber threat intelligence sharing models. These services will not dictate one architecture but strive to allow for organizations to develop standards-based sharing architectures that meet their needs. Standardized representations will be developed for campaigns, threat actors, incidents, tactics, techniques, and procedures (TTPs), indicators, exploit targets, observables, and courses of action. These core components and their inter-relationships together will enable robust cyber threat analysis and intelligence sharing.

    The TC's efforts built upon the historical work on the Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII) specifications developed and contributed to the TC by U.S. Department of Homeland Security (DHS), with significant contributions from and collaboration with the wider Cyber Threat Intelligence community.

  3. Scope of Work

    The OASIS CTI TC work is the continuing development of the STIX and TAXII standards, based on the needs identified by the CTI TC Members. The Standards Track Work Product efforts will be related to improving existing information representations for codifying, analyzing, or sharing of cyber threat intelligence as well as defining new information representations for covering additional Cyber Threat Intelligence use cases identified by the CTI TC.

    In addition to Standards Track Work Products, the OASIS CTI TC work products may include supporting documentation, open source tooling, and any other materials deemed necessary to encourage the adoption of the TC's specifications.

  4. Deliverables

    The OASIS CTI TC will establish two Subcommittees to develop and refine the specifications and supporting materials of the TC:

    • The STIX Subcommittee
    • The TAXII Subcommittee

    The OASIS CTI TC will continue to make substantive additions and changes to the specifications in order to correct errors or omissions in the specifications, and to continue evolving capabilities based on requirements and capabilities identified by OASIS TC members. Deliverables will include updated versions of the specifications (STIX, TAXII, and possibly others) as deemed appropriate by the Subcommittees and by the OASIS CTI TC as a whole.

    In addition to the specification deliverables, the OASIS CTI TC may deliver supporting documentation and open source tooling on an ongoing basis in support of the CTI TC's published standards.

  5. IPR Mode

    This TC will operate under the Non-Assertion IPR mode as defined in Section 10.3 of the OASIS IPR Policy document.

  6. Audience

    The anticipated audience for this work includes:

    • Vendors of products and services that produce, consume, or process cyber threat intelligence, in particular that which is expressed via STIX and shared via TAXII
    • Organizations that produce or consume cyber threat intelligence, in particular that which is expressed via STIX and shared via TAXII
    • Organizations that purchase or may purchase products that support STIX and TAXII
    • Information Sharing and Analysis Organizations (ISAOs), including Information Sharing and Analysis Centers (ISACs)

  7. Language

    TC business will be conducted in English. The output documents will be written in (US) English. Translations to other languages may be made based on interest and ability.