Extended Incident Handling (inch)

Last Modified: 2006-05-25

Additional information is available at tools.ietf.org/wg/inch

Chair(s):

  • Roman Danyliw <rdd@cert.org>

    Security Area Director(s):

  • Russ Housley <housley@vigilsec.com>
  • Sam Hartman <hartmans-ietf@mit.edu>

    Security Area Advisor:

  • Sam Hartman <hartmans-ietf@mit.edu>

    Mailing Lists:

    General Discussion: inch@nic.surfnet.nl
    To Subscribe: listserv@nic.surfnet.nl
    In Body: subscribe inch
    Archive: http://listserv.surfnet.nl/archives/inch.html

    Description of Working Group:

    Background
    ==========

    Computer security incidents occur across administrative domains, often
    spanning different organizations and national borders. Therefore, the
    exchange of incident information and statistics among involved parties
    and associated Computer Security Incident Response Teams (CSIRTs) is
    crucial both for reactive analysis of current intruder activity and for
    proactive identification of trends that can lead to incident
    prevention.

    Scope
    =====

    The purpose of the Incident Handling (INCH) working group is to define
    a data format for exchanging security incident information used by a
    CSIRT. A CSIRT is defined broadly as an entity (either a team or
    individual) with a security role or responsibility for a given
    constituency (e.g., organization, network).

    The use case for the INCH WG output is to standardize the information
    model and messaging format currently used in communication between a
    CSIRT and the:

    * constituency (e.g., users, customers) from which it receives reports
    of misuse;

    * other parties involved in an incident (e.g., technical contact at an
    attacking site, other CSIRTs); and

    * analysis centers performing trending across broad data-sets.

    These INCH-developed formats will replace the now largely
    human-intensive communication processes common in incident handling.
    The working group will address the issues related to representing and
    transporting:

    * the source(s) and target(s) of system misuse, as well as the
    analysis of their behavior;

    * the evidence to support this analysis;

    * status of an incident investigation and analysis process; and

    * meta-information relevant to sharing sensitive information across
    administrative domains (e.g., internationalization, authorization,
    privacy).

    Constraints
    ===========

    The WG will not attempt to define

    - an incident taxonomy;
    - an archive format for incident information;
    - a format for workflow process internal to a CSIRT; or
    - a format for computer security related information for which there
    is already a working standard.

    Output of Working Group
    =======================

    1. A set of high-level requirements for a data format to represent
    information commonly exchanged by CSIRTs.

    2. A specification of an extensible, incident data description language
    that describes a format that satisfies these requirements (Output #1).

    3. A set of sample incident reports and their associated representation
    in the incident data language.

    4. A message format specification and associated transport binding to
    carry the encoded description of an incident (Output #2).

    5. Guidelines for implementing the data format (Output #2) and
    associated communications (Output #4).

    Goals and Milestones:

    Done  Initial I-D of the incident data language specification
    Done  Initial I-D for the requirements specification
    Done  Initial I-D of the implementation guidelines document
    Done  Initial I-D of the traceback extension specification
    Done  Submit initial draft of phishing extension specification I-D
    Done  Initial I-D of a transport binding specification
    Jun 2006  Submit requirements I-D to the IESG as Informational
    Aug 2006  Submit messaging format specification I-D to the IESG as Proposed
    Aug 2006  Submit incident data language specification I-D to the IESG as Proposed
    Aug 2006  Submit transport binding specification I-D to the IESG as Proposed
    Aug 2006  Submit phishing extension specification I-D to the IESG as Proposed
    Sep 2006  Submit implementation guidelines I-D to the IESG as Informational

    Internet-Drafts:

    The Incident Object Description Exchange Format (166404 bytes)
    Requirements for the Format for Incident Information Exchange (FINE) (25018 bytes)
    Incident Handling: Real-time Inter-network Defense (180141 bytes)
    Extensions to the IODEF-Document Class for Phishing, Fraud, and Other Crimeware (98012 bytes)
    IODEF/RID over SOAP (35061 bytes)

    No Requests for Comments
