Intelligence
Translate High Value Target thinking into structured cyber threat intelligence and cross-team operational clarity.
01
The HVT-enhanced STIX Tool SDO closes a semantic gap around legitimate tools and services abused by adversaries.
02
Target-centric attributes such as exposure, criticality, and prevalence help defenders model operational impact more accurately.
03
The extension supports richer attack-path modeling, telemetry correlation, and resilience-oriented scenario design.
Structured Threat Information Expression (STIX) is the industry-standard language for representing and exchanging cyber threat intelligence in a structured, machine-readable way. It enables defenders, analysts, and security tools to share indicators, adversary behavior, attack patterns, and more in a consistent format that enhances automation and situational awareness. While STIX has long supported describing threat actor techniques, tools, and infrastructure, there is a gap in how legitimate software and operational tooling abused by adversaries is represented. This limits defenders’ ability to track target selection patterns, correlate observed exploitation of defensive assets, and model attack flows that leverage tool abuse as part of an adversary’s campaign logic.
The High Value Target (HVT) extension for the STIX Tool Domain Object (SDO) is a community-driven enhancement now available in the STIX extensions repository. It enriches the base STIX schema by enabling defenders and threat intelligence platforms to:
Represent software tools and services not just by function, but by their operational impact if abused
Capture target-centric attributes that reflect adversary selection criteria (e.g., exposure, criticality, prevalence)
Enable richer attack path modeling and correlation across threat reports, malware analysis, and incident telemetry
With HVT semantics included in tools’ STIX representations, security teams can share and consume threat data that highlights how adversaries are targeting and abusing legitimate tools or services, rather than only malicious artifacts.
Threat intelligence analysts can tag observations with target value attributes that reflect real-world attacker prioritization
Sharing communities and automated systems can correlate tool usage with impact-oriented signals
Exposure and defense planners can better quantify risk and impact pathways that adversaries exploit
Red and blue teams can design scenarios that mirror how attackers reason about tool abuse and critical path disruption
This enhancement contributes to closing a semantic gap between threat modeling and operational threat intelligence, especially where defensive support infrastructure, endpoint tooling, security automation services, and other benign software may become high-impact targets in real attacks.
This extension lives in the open STIX extension ecosystem and is intended for use by security tool vendors, CTI platforms, sharing communities, and research teams. STIX core standards and documentation remain maintained by the OASIS Cyber Threat Intelligence Technical Committee.
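To make the idea concrete, the following added example (not code or schema from the extension's authors) builds STIX 2.1 Tool SDOs that carry target-centric ratings in a property-extension, validates them, and orders the tools for defensive triage. The extension-definition id is a placeholder, and the property names, the low/medium/high vocabulary, and the criticality-then-exposure-then-prevalence ordering are assumptions; the published schema in the STIX extensions repository is authoritative.

```python
# Placeholder id: the real extension-definition id is published in the STIX
# extensions repository and is not given on this page.
HVT_EXT = "extension-definition--00000000-0000-4000-8000-000000000000"
LEVELS = {"low": 1, "medium": 2, "high": 3}         # assumed value vocabulary
FIELDS = ("criticality", "exposure", "prevalence")  # assumed property names


def tool(uuid, name, hvt=None):
    """Build a minimal STIX 2.1 Tool SDO, optionally carrying HVT properties."""
    sdo = {"type": "tool", "spec_version": "2.1", "id": f"tool--{uuid}",
           "created": "2024-01-01T00:00:00.000Z",
           "modified": "2024-01-01T00:00:00.000Z", "name": name}
    if hvt is not None:
        sdo["extensions"] = {
            HVT_EXT: {"extension_type": "property-extension", **hvt}}
    return sdo


# Constructed sample bundle: names, ids and ratings are illustrative only.
BUNDLE = {"type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
          "objects": [
    tool("22222222-2222-4222-8222-222222222222", "example-log-forwarder",
         {"criticality": "medium", "exposure": "low", "prevalence": "high"}),
    tool("33333333-3333-4333-8333-333333333333", "example-cli-utility"),
    tool("44444444-4444-4444-8444-444444444444", "example-rmm-agent",
         {"criticality": "high", "exposure": "high", "prevalence": "medium"}),
    tool("55555555-5555-4555-8555-555555555555", "example-backup-console",
         {"criticality": "high", "exposure": "medium", "prevalence": "high"}),
]}


def hvt_properties(obj):
    """Return validated HVT ratings for a Tool SDO, or None if it has none."""
    ext = obj.get("extensions", {}).get(HVT_EXT)
    if obj.get("type") != "tool" or ext is None:
        return None
    if ext.get("extension_type") != "property-extension":
        raise ValueError(f"{obj.get('id')}: unexpected extension_type")
    bad = [f for f in FIELDS if ext.get(f) not in LEVELS]
    if bad:
        raise ValueError(f"{obj.get('id')}: invalid or missing {bad}")
    return {f: ext[f] for f in FIELDS}


def rank_tools(bundle):
    """Names of HVT-tagged tools, highest criticality/exposure/prevalence first."""
    rated = [(obj["name"], hvt_properties(obj)) for obj in bundle["objects"]]
    rated = [(n, p) for n, p in rated if p is not None]
    rated.sort(key=lambda np: tuple(LEVELS[np[1][f]] for f in FIELDS), reverse=True)
    return [n for n, _ in rated]
```

Tools without the extension are skipped rather than rejected, so the same consumer can process bundles from producers that have not adopted the extension.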
Resources
Explore the HVT-enhanced STIX extension and the operational semantics behind it.
Review the request for comments covering resilience-critical roles, privileged access, and disproportionate operational impact.
Follow the public request for comments on converging APT behavior, systems-level disruption, and resilience implications.