
Skill Guide

Threat intelligence report writing (TLP standards, STIX/TAXII)

The structured creation of formal cybersecurity intelligence documents that disseminate actionable threat data using standardized formats (STIX) and sharing protocols (TAXII), governed by TLP frameworks to control dissemination.

It transforms raw threat data into a standardized, actionable product, enabling secure, automated, and trust-based information sharing with partners and ISACs. This directly accelerates organizational response times and reduces overall risk exposure by preventing duplicate analysis across the ecosystem.
1 Careers | 1 Categories | 8.5 Avg Demand | 20% Avg AI Risk

How to Learn Threat intelligence report writing (TLP standards, STIX/TAXII)

1. Master the TLP definitions (WHITE, GREEN, AMBER, RED) and their associated dissemination restrictions.
2. Understand the core STIX 2.1 object hierarchy (e.g., `indicator`, `malware`, `threat-actor`, `attack-pattern`).
3. Learn the basic TAXII 2.1 architecture: Collections, Envelopes, and API endpoints for fetching data.

1. Practice creating a STIX Bundle for a specific threat actor campaign, linking related objects (e.g., an indicator to a malware sample and a set of attack patterns mapped to MITRE ATT&CK).
2. Use a TAXII client (like `taxii2-client` in Python) to programmatically push a STIX report to a local or test server.
3. Focus on avoiding common pitfalls: incomplete object linking, misconfigured TLP markings in STIX `marking-definition` objects, and ignoring STIX default values.

1. Architect integrated threat intelligence platforms (TIPs) that automate STIX/TAXII workflows.
2. Design organizational policies that map TLP designations to internal data handling systems (e.g., SIEM ingestion rules, endpoint protection block lists).
3. Mentor junior analysts on translating qualitative observations into structured STIX objects and maintaining data fidelity during translation.

Practice Projects

Beginner Project

TLP-Labeled Incident Flash Report

Scenario

A phishing campaign targeting the finance department is detected. You must create a structured report to share with the finance team (internal) and potentially with a sector ISAC.

How to Execute
1. Draft a 1-page narrative report summarizing the campaign's tactics, techniques, and procedures (TTPs).
2. Create a STIX Bundle containing the key objects: an `indicator` for the malicious URL, a `malware` object for the downloader, and a `relationship` object linking them.
3. Assign the correct TLP marking (`marking-definition`) to the entire bundle or specific objects.
4. Use a TAXII client to post the STIX bundle to a test collection on a local server (like `cti-taxii-server`).
Intermediate Project

Automated IOC Feed Integration

Scenario

Your organization needs to consume a public STIX/TAXII feed of known malicious IPs and domains, validate the data, and automatically create block rules on your firewall.

How to Execute
1. Use the `taxii2-client` Python library to poll a known public TAXII server (e.g., AlienVault OTX's TAXII endpoint).
2. Parse the received STIX Envelope, filtering for `indicator` objects whose patterns reference `ipv4-addr` and `domain-name` observables.
3. Write a script to validate these indicators against an internal false-positive list.
4. Use your firewall vendor's API (e.g., Palo Alto PAN-OS API) to programmatically add the validated indicators to a block rule set. Log the actions in a structured format for audit.
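An added example for steps 2 and 3 of this project (not the guide's own code): the TAXII envelope is constructed inline in place of a live `taxii2-client` poll, the indicator patterns are parsed for `ipv4-addr` and `domain-name` values, and each value is checked against a false-positive list before an audit record marks it as blockable or skipped. The firewall push of step 4 is left out; `triage_envelope`, `false_positive_reason`, the sample envelope and the protected-network list are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timezone

# One equality comparison in a STIX pattern; negated (!=) or other operators never match, so they are skipped.
COMPARISON = re.compile(r"(ipv4-addr|domain-name):value\s*=\s*'([^']+)'")

# Constructed TAXII 2.1 envelope standing in for what a Collection.get_objects() call returns.
SAMPLE_ENVELOPE = {"more": False, "objects": [
    {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-111111111111", "pattern_type": "stix",
     "valid_from": "2024-01-01T00:00:00Z",
     "pattern": "[ipv4-addr:value = '198.51.100.7'] OR [domain-name:value = 'bad.example']"},
    {"type": "indicator", "id": "indicator--22222222-2222-4222-8222-222222222222", "pattern_type": "stix",
     "valid_from": "2024-01-01T00:00:00Z", "pattern": "[ipv4-addr:value = '203.0.113.9']"},
    {"type": "indicator", "id": "indicator--33333333-3333-4333-8333-333333333333", "pattern_type": "stix",
     "valid_from": "2024-01-01T00:00:00Z", "valid_until": "2024-02-01T00:00:00Z",
     "pattern": "[domain-name:value = 'retired.example']"},
    {"type": "indicator", "id": "indicator--44444444-4444-4444-8444-444444444444", "pattern_type": "stix",
     "valid_from": "2024-01-01T00:00:00Z", "pattern": "[domain-name:value = 'mail.corp.example']"},
]}
PROTECTED_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24"]
OWN_DOMAINS = {"corp.example"}   # constructed, with PROTECTED_NETWORKS: the false-positive list

def false_positive_reason(kind, value, protected, own_domains):
    """Why a value must not be pushed to the firewall, or None when it is safe to block."""
    if kind == "ipv4-addr":
        if any(ipaddress.ip_address(value) in net for net in protected):
            return "protected address space"
    elif any(value.lower() == d or value.lower().endswith("." + d) for d in own_domains):
        return "own domain"
    return None

def triage_envelope(envelope, protected_networks, own_domains, now=None):
    """One audit record per atomic indicator value: action 'block' or 'skip' plus the reason."""
    now = now or datetime.now(timezone.utc)
    protected = [ipaddress.ip_network(n) for n in protected_networks]
    records = []
    for obj in envelope["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue                                   # only STIX-pattern indicators are parsed
        expires = obj.get("valid_until")
        expired = expires and datetime.fromisoformat(expires.replace("Z", "+00:00")) <= now
        if obj.get("revoked") or expired:
            records.append({"indicator": obj["id"], "action": "skip", "reason": "revoked or expired"})
            continue
        for kind, value in COMPARISON.findall(obj["pattern"]):
            reason = false_positive_reason(kind, value, protected, own_domains)
            records.append({"indicator": obj["id"], "type": kind, "value": value,
                            "action": "skip" if reason else "block", "reason": reason})
    return records
```

Each record can be written out as one JSON line for the audit trail, and only the `block` records are handed to the firewall API.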
Advanced Case Study/Exercise

Cross-Organizational TLP:AMBER Intelligence Sharing Design

Scenario

Your company, a critical infrastructure provider, has been targeted by a sophisticated threat actor. You need to design a secure sharing protocol for a detailed report with two other peer companies, a government CERT, and your sector ISAC, each receiving a different subset of information based on TLP:AMBER rules.

How to Execute
1. Architect the report: Create a master STIX Bundle. Use STIX `marking-definition` objects with granular TLP:AMBER statements, applying them via `object_marking_refs` to specific sensitive objects (e.g., internal network segments, specific victim data).
2. Define the sharing workflow: Decide which TAXII collections will be exposed to each partner and map the `marking-definition` objects to those collections' access controls.
3. Implement technical controls: Write scripts or configure your TIP to automatically filter and redact STIX objects before publishing to a partner's TAXII collection based on their designated TLP.
4. Develop a joint playbook with partners for incident response actions triggered by specific STIX `attack-pattern` or `vulnerability` objects in the shared report.
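An added example (not the guide's own code) that covers both the beginner flash report and step 3 of this exercise: it builds a STIX 2.1 bundle by hand using the spec's fixed TLP `marking-definition` ids, then filters it down to what a partner's TLP clearance allows before publication. It uses only the standard library, so `stix2` is not required; the function names, object names and the phishing URL are assumptions.

```python
import uuid
from datetime import datetime, timezone

# TLP marking-definition ids are fixed by the STIX 2.1 spec; producers reference them, not new ones.
TLP_IDS = {
    "white": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "red": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}

def tlp_marking(level):
    """Spec-defined TLP marking-definition object, embedded so consumers can resolve the ref."""
    return {"type": "marking-definition", "spec_version": "2.1", "id": TLP_IDS[level],
            "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp",
            "name": f"TLP:{level.upper()}", "definition": {"tlp": level}}

def stix_object(obj_type, tlp, **props):
    """STIX 2.1 SDO/SRO with the common required properties and an explicit TLP marking."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": now, "modified": now, "object_marking_refs": [TLP_IDS[tlp]], **props}

def build_flash_report(phish_url, downloader_name, victim_name):
    """A Bundle carries no object_marking_refs itself, so every object is marked: IOC WHITE, victim AMBER."""
    ind = stix_object("indicator", "white", name="Phishing landing page",
                      pattern=f"[url:value = '{phish_url}']", pattern_type="stix",
                      indicator_types=["malicious-activity"])
    ind["valid_from"] = ind["created"]                 # required on every indicator
    mal = stix_object("malware", "green", name=downloader_name, is_family=False,
                      malware_types=["downloader"])
    victim = stix_object("identity", "amber", name=victim_name, identity_class="organization")
    rels = [stix_object("relationship", "green", relationship_type="indicates",
                        source_ref=ind["id"], target_ref=mal["id"]),
            stix_object("relationship", "amber", relationship_type="targets",
                        source_ref=mal["id"], target_ref=victim["id"])]
    markings = [tlp_marking(t) for t in ("white", "green", "amber")]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": markings + [ind, mal, victim] + rels}

def redact_for_partner(bundle, allowed_tlps):
    """Keep only objects the partner's TLP allows; unmarked objects are withheld, dangling relationships dropped."""
    allowed = {TLP_IDS[t] for t in allowed_tlps}
    kept = [o for o in bundle["objects"] if o["type"] == "marking-definition"
            or (o.get("object_marking_refs") and set(o["object_marking_refs"]) <= allowed)]
    ids = {o["id"] for o in kept}
    kept = [o for o in kept if o["type"] != "relationship"
            or {o["source_ref"], o["target_ref"]} <= ids]
    return {**bundle, "objects": kept}
```

Withholding unmarked objects by default is deliberate: an object that lost its marking through a conversion error must not leak into a lower-trust collection.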

Tools & Frameworks

Standards & Specifications

STIX 2.1 (Structured Threat Information eXpression)
TAXII 2.1 (Trusted Automated eXchange of Intelligence Information)
TLP 2.0 (Traffic Light Protocol)
MITRE ATT&CK Framework

STIX is the language for describing threat data. TAXII is the transport mechanism. TLP governs dissemination rules. MITRE ATT&CK provides a common taxonomy to map adversary behavior (TTPs) within STIX, enhancing report interoperability.

Software & Platforms

OpenCTI (Open Cyber Threat Intelligence)
MISP (Malware Information Sharing Platform)
TAXII 2.1 Servers (e.g., EclecticIQ, Anomali)
Python `stix2` & `taxii2-client` libraries

OpenCTI and MISP are open-source TIPs that handle STIX data natively. TAXII servers manage feed distribution. Python libraries are essential for custom automation, scripting TAXII interactions, and creating/validating STIX bundles programmatically.

Mental Models & Methodologies

Diamond Model of Intrusion Analysis
Kill Chain Analysis (Lockheed Martin)
STIX Patterning

The Diamond Model structures analysis around adversary, capability, infrastructure, and victim. The Kill Chain maps a threat actor's progress through an intrusion. STIX Patterning is the specific syntax for writing machine-readable detection logic within STIX `indicator` objects.

Interview Questions

Answer Strategy

The candidate must demonstrate an understanding of STIX object relationships and TLP application. They should start with high-level objects (`threat-actor`, `campaign`), move to TTPs (`attack-pattern`, `malware`, `tool`), then to observables (`indicator`, `vulnerability`). The answer must specify using `marking-definition` objects with TLP:WHITE for public IOCs and TLP:AMBER for specific internal victim data or custom YARA rules.

Answer Strategy

This tests the candidate's practical experience with data quality and enrichment. The answer should show a systematic approach to validation, enrichment, and feedback, not just passive acceptance. The candidate should also mention the importance of feedback loops in threat intelligence sharing communities.
