Enhancing STIX with High Value Target (HVT) Semantics

Structured Threat Information Expression (STIX) is the industry-standard language for representing and exchanging cyber threat intelligence in a structured, machine-readable way. It enables defenders, analysts, and security tools to share indicators, adversary behavior, attack patterns, and more in a consistent format that enhances automation and situational awareness. While STIX has long supported describing threat actor techniques, tools, and infrastructure, there is a gap in how legitimate software and operational tooling abused by adversaries is represented. This limits defenders’ ability to track target selection patterns, correlate observed exploitation of defensive assets, and model attack flows that leverage tool abuse as part of an adversary’s campaign logic.

Live Extension: HVT-Enhanced Tool SDO

The High Value Target (HVT) extension for the STIX Tool Domain Object (SDO) is a community-driven enhancement now available in the STIX extensions repository. It enriches the base STIX schema by enabling defenders and threat intelligence platforms to:
  • Represent software tools and services not just by function, but by their operational impact if abused
  • Capture target-centric attributes that reflect adversary selection criteria (e.g., exposure, criticality, prevalence)
  • Enable richer attack path modeling and correlation across threat reports, malware analysis, and incident telemetry

With HVT semantics included in tools’ STIX representations, security teams can share and consume threat data that highlights how adversaries are targeting and abusing legitimate tools or services, rather than only malicious artifacts.
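
A sketch of how a consumer might attach and use HVT attributes on a Tool SDO through the standard STIX 2.1 property-extension mechanism. This is an added example, not the extension's published schema: the extension-definition id is a placeholder, and the property names (taken from the selection criteria listed above), the low/medium/high scale and the summed score are all assumptions.

```python
import json
import uuid
from datetime import datetime, timezone

# Placeholder: the real extension-definition id is published in the STIX
# extensions repository and is not given on this page.
HVT_EXT_ID = "extension-definition--00000000-0000-4000-8000-000000000000"
# Hypothetical property names and scale (assumptions, not the real schema).
HVT_FIELDS = ("exposure", "criticality", "prevalence")
LEVELS = {"low": 1, "medium": 2, "high": 3}


def make_tool(name, **hvt):
    """Build a STIX 2.1 Tool SDO carrying HVT attributes as a property-extension."""
    unknown = set(hvt) - set(HVT_FIELDS)
    bad = {k: v for k, v in hvt.items() if v not in LEVELS}
    if unknown or bad:
        raise ValueError(f"invalid HVT attributes: {sorted(unknown) or bad}")
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "tool", "spec_version": "2.1", "id": f"tool--{uuid.uuid4()}",
        "created": now, "modified": now, "name": name,
        "extensions": {HVT_EXT_ID: {"extension_type": "property-extension", **hvt}},
    }


def hvt_score(obj):
    """Sum the HVT levels on a Tool SDO; 0 when the extension is absent."""
    ext = obj.get("extensions", {}).get(HVT_EXT_ID, {})
    return sum(LEVELS.get(ext.get(f), 0) for f in HVT_FIELDS)


def prioritize(bundle):
    """Return tool names from a bundle, highest HVT score first."""
    tools = [o for o in bundle["objects"] if o.get("type") == "tool"]
    return [t["name"] for t in sorted(tools, key=hvt_score, reverse=True)]


# Constructed sample data, not taken from any real report.
SAMPLE_BUNDLE = {
    "type": "bundle", "id": f"bundle--{uuid.uuid4()}",
    "objects": [
        make_tool("Example Backup Agent", exposure="low", criticality="medium"),
        make_tool("Example EDR Console", exposure="high", criticality="high",
                  prevalence="medium"),
        make_tool("Example Text Editor"),
    ],
}

if __name__ == "__main__":
    print(json.dumps(SAMPLE_BUNDLE["objects"][1], indent=2))
    print(prioritize(SAMPLE_BUNDLE))
```

A defender could feed the resulting order into hardening or monitoring priorities for the legitimate tools most attractive to adversaries.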

What This Enables

By integrating HVT concepts into STIX:
  • Threat intelligence analysts can tag observations with target value attributes that reflect real-world attacker prioritization
  • Sharing communities and automated systems can correlate tool usage with impact-oriented signals
  • Exposure and defense planners can better quantify risk and impact pathways that adversaries exploit
  • Red and blue teams can design scenarios that mirror how attackers reason about tool abuse and critical path disruption

This enhancement contributes to closing a semantic gap between threat modeling and operational threat intelligence, especially where defensive support infrastructure, endpoint tooling, security automation services, and other benign software may become high-impact targets in real attacks.

STIX Extensions and Specifications

This extension lives in the open STIX extension ecosystem and is intended for use by security tool vendors, CTI platforms, sharing communities, and research teams. STIX core standards and documentation remain maintained by the OASIS Cyber Threat Intelligence Technical Committee.

Use the High Value Target STIX extension

OCA Indicators of Behavior (IoB) website
