Incident Object Description and Exchange Format

Incident Object Description and Exchange Format

TF-CSIRT at TERENA

IODEF Editorial GroupJimmy Arvidsson <[email protected]>

Andrew Cormack <[email protected]>

Yuri Demchenko <[email protected]>

Jan Meijer <[email protected]>

©2000. Yu.Demchenko. TERENA Incident object Description and Exchange Format

Slide2_2

Outlines

TERENA TF-CSIRT and Incident Taxonomy and Description WG - History

IODEF Documents Discussion of IODEF Requirements Draft –

draft-terena-itdwg-iodef-requirements-00.txt IODEF Model IODEF XML DTD

How to proceed? Relation to IDWG Pilot implementation between CSIRTs (primarily European)

Other documents/areas of interest Evidence Collection and Archiving (currently - draft-ietf-grip-prot-evidence-

01.txt) and further standardisation


Slide2_3

Incident Taxonomy and Description WG at TERENA TF-CSIRT - History

Incident Taxonomy and Description WG Established at BoF and Seminar at 3rd CERT-COORD meeting on May 11-

12, 2000 in Vienna– Webpage and charter - http://www.terena.nl/task-forces/tf-csirt/i-taxonomy/ – mailing list - [email protected]– Archive - http://hypermail.terena.nl/incident-taxonomy-list/mail-archive/

Seminar on IODEF – September 28, 2000, Paris Next meeting – January 18-19, 2001, Barcelona

IODEF BoF at 12th FIRST Conference in Chicago 30 attendees established mailing list [email protected] Archive - http://hypermail.terena.nl/iodef-list/mail-archive/


Slide2_4

IODEF purposes

A uniform incident classification enables applications such as: uniform statistic generation and exchange, for both domestic use and exchange

of data between teams. Over time a distributed incident statistics infrastructure can evolve

trend-analyses for reoccurrence of incidents, victims, attackers, etc. trend-analyses for relations between scans and attacks and thus begin working

on pro-active incident response uniform internal incident storage incident handling between teams made easier (only one team needs to classify

and analyze the complete incident, the other team can re-use this data) uniform incident reporting by victims to CSIRTs

Main IODEF actors are CSIRTs – not IDS


Slide2_5

IODEF Documents

• Best Current Practice on Incident classification and reporting schemes. Version 1

http://www.terena.nl/task-forces/tf-csirt/i-taxonomy/docs/BCPreport1.rtf

• Incident Object Description and Exchange Format Requirements Submitted as Internet-Draft

http://www.ietf.org/internet-drafts/draft-terena-itdwg-iodef-requirements-00.txt

• Incident Object Data Model To be drafted before January 18, 2001

• Incident Object Elements Description and XML Data Type Description (XML DTD) To be drafted before January 18, 2001


Slide2_6

Incident Object Description and Exchange Format Requirements - draft-terena-itdwg-iodef-requirements-00.txt

1. Abstracts

2. Conventions used in this document

3. Introduction3.1. Rationale

3.2. Incident Description Terms

4. General Requirements

5. Description Format

6. Communications Mechanisms Requirements

7. Message Contents

8. IODEF extensibility

9. Security considerations

10. Reference


Slide2_7

3.2. Incident Description Terms

• Attack • Attacker • CSIRT • Damage • Event • Evidence • Incident • Impact

• Target • Victim • Vulnerability

• Other terms: • alert, activity, IDS, Security Policy, etc.


Slide2_8

4. General Requirements

4.1. The IODEF shall reference and use previously published RFCs where possible.


Slide2_9

5. Description Format

5.1. IODEF format shall support full internationalization and localization.

5.2. The format of IODEF must support modularity in Incident description to

allow aggregation and filtering of data

5.3. IODEF must support the application of an access restriction policy attribute to every element.


Slide2_10

6. Communications Mechanisms Requirements

6.1. IODEF exchange will normally be initiated by humans using standard communication protocols, for example, e-mail, WWW/HTTP, LDAP.


Slide2_11

7. Message Contents

7.1. The root element of the IO description should contain a unique identification number (or identifier), IO purpose and default permission level

7.2. The content of the IODEF description should contain the type of the attack if it is known. It is expected that this type will be drawn from a standardized list of events; a new type of event may use a temporary implementation-specific type if the event type has not yet been standardized.

7.3. The IODEF description must be structured such that any relevant advisories, such as those from CERT/CC, CVE, can be referenced.


Slide2_12

7. Message Contents - Continue

7.4. IODEF may include a detailed description of the attack that caused the current Incident.

7.5. The IODEF description must include or be able to reference additional detailed data related to this specific underlying event(s)/activity, often referred as evidence.

7.6. The IODEF description MUST contain the description of the attacker and victim.

7.7. The IODEF description must support the representation of different types of device addresses, e.g., IP address (version 4 or 6) and Internet name.


Slide2_13


7.8. IODEF must include the Identity of the creator of the Incident Object (CSIRT or other authority). This may be the sender in an information exchange or the team currently handling the incident.

7.9. The IODEF description must contain an indication of the possible impact of this event on the target. The value of this field should be drawn from a standardized list of values if the attack is recognized as known, or expressed in a free language by responsible CSIRT team member.

7.10. The IODEF must be able to state the degree of confidence in the report information.

7.11. The IODEF description must provide information about the actions taken in the course of this incident by previous CSIRTs.


Slide2_14


7.12. The IODEF must support reporting of the time of all stages along Incident life-time.

7.13. Time shall be reported as the local time and time zone offset from UTC.

(Note: See RFC 1902 for guidelines on reporting time.)

7.14. The format for reporting the date must be compliant with all current standards for Year 2000 rollover, and it must have sufficient capability to continue reporting date values past the year 2038.

7.15. Time granularity in IO time parameters shall not be specified by the IODEF.


Slide2_15


7.16. The IODEF should support confidentiality of the description content.

The selected design should be capable of supporting a variety of encryption algorithms and must be adaptable to a wide variety of environments.

7.17. The IODEF should ensure the integrity of the description content.

The selected design should be capable of supporting a variety of integrity mechanisms and must be adaptable to a wide variety of environments.

7.18. The IODEF should ensure the authenticity and non-repudiation of the message content.


Slide2_16


7.19. The IODEF description must support an extension mechanism which may be used by implementers. This allows future implementation-specific or experimental data. The implementer MUST indicate how to interpret any included extensions.

7.20. The semantics of the IODEF description must be well defined.


Slide2_17

8. IODEF extensibility

8.1. The IODEF itself MUST be extensible. It is essential that when the use of new technologies and development of automated Incident handling system demands extension of IODEF, the IODEF will be capable to include new information.


Slide2_18

Incident Object Data Model

http://www.terena.nl/task-forces/tf-csirt/i-taxonomy/docs/iodef-datamodelv01.html


Slide2_19

IODEF XML Description Example

http://www.terena.nl/task-forces/tf-csirt/i-taxonomy/docs/iodef-xmldtdv01example.html

<incident incid=# msgid=# status={alert, handling/processing, communication/exchange, archive, closed,

statistics} permission={public, restricted, internal, ???}> <attack> <name origin=…> data modification</name> <target>information server</target> $$$$ </target> <time> $$$Time block$$$$ </time> <impact confidence=80> password list compromised</impact> <action type=local_admin> all users advised to change passwords </action> </attack>


Slide2_20

IODEF XML Description Example - Continue

<attacker category=education customer=0> $$$ </attacker> <method methid=# permission=restricted> <vulnerability> $$$$ </vulnerability> <evidence evid=#> $$$$ </evidence> </method> <authority category=csirt> $$$$$ </authority> <history> <reported repid=# type=internal> $$$$$ </reported> <action actid=# type=local_admin> $$$ </action> <communication> $$$$ </communication> </history> <digest>#########</digest> <signature> ########### </signature> </incident>


Slide2_21

IODEF std process – How to proceed further?

• Best Current Practice on Incident classification and reporting schemes. - Version 1 May be updated as TF-CSIRT internal document

• 3 documents on Incident Object Description and Exchange Format To be developed and submitted to IETF

Which WG – IDWG O.K.?

• Evidence Collection and Archiving at GRIP WG Problems of current I-D - draft-ietf-grip-prot-evidence-01.txt

No common format defined– No commitment from GRIP

Needs some study of local legislation Privacy and re-enforcement

• Implementation Planned between few European CSIRTs


Slide2_22

IDMEF Documents

Currently on the IETF IDWG std process IDMEF Requirements – withdrawn from I-D ??? IDMEF Data Model IDMEF XML DTD IMDEF ANS.1 MIBII format Intrusion Alert Protocol

IDMEF is for Intrusion Detection Systems Main actors - IDS Root element – Alert

– Short life history

Data collected automatically

Incident Object Description and Exchange Format

Documents

Transcript of Incident Object Description and Exchange Format