{"title":"ESE: A Tool for Enhanced STIX Elevation","authors":"Tianqiao Zhao, Bryan Beckman, Meng Yue, Rita Foster","doi":"10.1109/RWS55399.2022.9984039","DOIUrl":null,"url":null,"abstract":"Structured Threat Information eXpression (STIX) language has been widely used to automate the sharing of cyber threat information (CTI) across intelligence communities. There are different versions, i.e., STIX 1.x and 2.x, while STIX 2.x is gaining more popularity. There is a strong need to convert the existing, well-developed STIX 1.x (in XML format) files to STIX 2.x (in JSON format) files using, e.g., tools such as cti-stix-elevator. Despite the success and usefulness of such STIX elevation tools, one of the major issues is that many objects and relationships defined in XML serializations are not converted properly. This has been a major barrier to information sharing based on the well-developed XML files. Manual effort, a tedious and time-consuming process, is the only option for fixing the missing relationships in the converted JSON files. To facilitate information sharing, we propose to design an automated tool to enhance the elevation by fixing the missing objects and relationship/sighting objects during the conversion process. This automated tool is developed by taking advantage of two open-source tools, namely Python-STIX and Python-STIX2, which provide a set of APIs to work with XML and JSON files. The tool, enhanced STIX elevation or ESE, is implemented by detecting the missing relationship/sighting objects in JSON files and extracting relationship information directly from XML files for creating the missing relationship/sighting objects in JSON. The performance of the ESE is demonstrated via case studies of two malware cases.","PeriodicalId":170769,"journal":{"name":"2022 Resilience Week (RWS)","volume":"26 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-09-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 Resilience Week (RWS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/RWS55399.2022.9984039","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 1
Abstract
Structured Threat Information eXpression (STIX) language has been widely used to automate the sharing of cyber threat information (CTI) across intelligence communities. There are different versions, i.e., STIX 1.x and 2.x, while STIX 2.x is gaining more popularity. There is a strong need to convert the existing, well-developed STIX 1.x (in XML format) files to STIX 2.x (in JSON format) files using, e.g., tools such as cti-stix-elevator. Despite the success and usefulness of such STIX elevation tools, one of the major issues is that many objects and relationships defined in XML serializations are not converted properly. This has been a major barrier to information sharing based on the well-developed XML files. Manual effort, a tedious and time-consuming process, is the only option for fixing the missing relationships in the converted JSON files. To facilitate information sharing, we propose to design an automated tool to enhance the elevation by fixing the missing objects and relationship/sighting objects during the conversion process. This automated tool is developed by taking advantage of two open-source tools, namely Python-STIX and Python-STIX2, which provide a set of APIs to work with XML and JSON files. The tool, enhanced STIX elevation or ESE, is implemented by detecting the missing relationship/sighting objects in JSON files and extracting relationship information directly from XML files for creating the missing relationship/sighting objects in JSON. The performance of the ESE is demonstrated via case studies of two malware cases.