idnits 2.17.1 draft-ietf-mile-rfc5070-bis-05.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.

  -- The document has examples using IPv4 documentation addresses according to
     RFC6890, but does not use any IPv6 documentation addresses.  Maybe there
     should be IPv6 examples, too?

  -- The draft header indicates that this document obsoletes RFC5070, but the
     abstract doesn't seem to mention this, which it should.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords.  (The document does seem to have the
     reference to RFC 2119 which the ID-Checklist requires).

  == The document seems to contain a disclaimer for pre-RFC5378 work, but was
     first submitted on or after 10 November 2008.  The disclaimer is usually
     necessary only for documents that revise or obsolete older RFCs, and that
     take significant amounts of text from those RFCs.  If you can contact all
     authors of the source material and they are willing to grant the BCP78
     rights to the IETF Trust, you can and should remove the disclaimer.
     Otherwise, the disclaimer is needed and you can ignore this comment.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (January 2014) is 3748 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: '0-9' is mentioned on line 4481, but not defined

  == Missing Reference: '0-4' is mentioned on line 4481, but not defined

  == Missing Reference: '0-5' is mentioned on line 4481, but not defined

  ** Obsolete normative reference: RFC 4646 (Obsoleted by RFC 5646)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ISO8601'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ISO4217'

     Summary: 1 error (**), 0 flaws (~~), 7 warnings (==), 5 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

MILE Working Group                                            R. Danyliw
Internet-Draft                                                      CERT
Obsoletes: 5070 (if approved)                                P. Stoecker
Intended status: Standards Track                                     RSA
Expires: July 5, 2014                                       January 2014


            The Incident Object Description Exchange Format v2
                      draft-ietf-mile-rfc5070-bis-05

Abstract

   The Incident Object Description Exchange Format (IODEF) defines a
   data representation that provides a framework for sharing information
   commonly exchanged by Computer Security Incident Response Teams
   (CSIRTs) about computer security incidents.  This document describes
   the information model for the IODEF and provides an associated data
   model specified with XML Schema.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 5, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1.  Introduction
       1.1.  Changes from 5070
       1.2.  Terminology
       1.3.  Notations
       1.4.  About the IODEF Data Model
       1.5.  About the IODEF Implementation
   2.  IODEF Data Types
       2.1.  Integers
       2.2.  Real Numbers
       2.3.  Characters and Strings
       2.4.  Multilingual Strings
       2.5.  Bytes
       2.6.  Hexadecimal Bytes
       2.7.  Enumerated Types
       2.8.  Date-Time Strings
       2.9.  Timezone String
       2.10. Port Lists
       2.11. Postal Address
       2.12. Person or Organization
       2.13. Telephone and Fax Numbers
       2.14. Email String
       2.15. Uniform Resource Locator strings
   3.  The IODEF Data Model
       3.1.  IODEF-Document Class
       3.2.  Incident Class
       3.3.  Common Attributes
             3.3.1.  restriction Attribute
             3.3.2.  Indicator Attributes
       3.4.  IncidentID Class
       3.5.  AlternativeID Class
       3.6.  RelatedActivity Class
       3.7.  ThreatActor Class
       3.8.  Campaign Class
       3.9.  AdditionalData Class
       3.10. Contact Class
             3.10.1.  RegistryHandle Class
             3.10.2.  PostalAddress Class
             3.10.3.  Email Class
             3.10.4.  Telephone and Fax Classes
       3.11. Time Classes
             3.11.1.  StartTime Class
             3.11.2.  EndTime Class
             3.11.3.  DetectTime Class
             3.11.4.  ReportTime Class
             3.11.5.  DateTime
       3.12. Method Class
             3.12.1.  Reference Class
       3.13. Assessment Class
             3.13.1.  Impact Class
             3.13.2.  BusinessImpact Class
             3.13.3.  TimeImpact Class
             3.13.4.  MonetaryImpact Class
             3.13.5.  Confidence Class
       3.14. History Class
             3.14.1.  HistoryItem Class
       3.15. EventData Class
             3.15.1.  Relating the Incident and EventData Classes
             3.15.2.  Cardinality of EventData
       3.16. Expectation Class
       3.17. Flow Class
       3.18. System Class
       3.19. Node Class
             3.19.1.  Address Class
             3.19.2.  NodeRole Class
             3.19.3.  Counter Class
       3.20. DomainData Class
             3.20.1.  RelatedDNS
             3.20.2.  Nameservers Class
             3.20.3.  DomainContacts Class
       3.21. Service Class
             3.21.1.  ApplicationHeader Class
             3.21.2.  Application Class
       3.22. OperatingSystem Class
       3.23. EmailData Class
       3.24. Record Class
             3.24.1.  RecordData Class
             3.24.2.  RecordPattern Class
             3.24.3.  RecordItem Class
       3.25. WindowsRegistryKeysModified Class
             3.25.1.  Key Class
       3.26. HashData Class
   4.  Processing Considerations
       4.1.  Encoding
       4.2.  IODEF Namespace
       4.3.  Validation
   5.  Extending the IODEF
       5.1.  Extending the Enumerated Values of Attributes
       5.2.  Extending Classes
   6.  Internationalization Issues
   7.  Examples
       7.1.  Worm
       7.2.  Reconnaissance
       7.3.  Bot-Net Reporting
       7.4.  Watch List
   8.  The IODEF Schema
   9.  Security Considerations
   10. IANA Considerations
   11. Acknowledgments
   12. References
       12.1. Normative References
       12.2. Informative References

1.  Introduction

   Organizations require help from other parties to mitigate malicious
   activity targeting their network and to gain insight into potential
   threats.  This coordination might entail working with an ISP to
   filter attack traffic, contacting a remote site to take down a bot-
   network, or sharing watch-lists of known malicious IP addresses in a
   consortium.

   The Incident Object Description Exchange Format (IODEF) is a format
   for representing computer security information commonly exchanged
   between Computer Security Incident Response Teams (CSIRTs).  It
   provides an XML representation for conveying:

   o  cyber intelligence to characterize threats;

   o  cyber incident reports to document particular cyber security
      events or relationships between events;

   o  cyber event mitigation to request proactive and reactive
      mitigation approaches to cyber intelligence or incidents; and

   o  cyber information sharing meta-data so that these various classes
      of information can be exchanged among parties.
   The data model encodes information about hosts, networks, and the
   services running on these systems; attack methodology and associated
   forensic evidence; impact of the activity; and limited approaches for
   documenting workflow.

   The overriding purpose of the IODEF is to enhance the operational
   capabilities of CSIRTs.  Community adoption of the IODEF provides an
   improved ability to resolve incidents and convey situational
   awareness by simplifying collaboration and data sharing.  The
   structured format provided by the IODEF allows for:

   o  increased automation in processing of incident data, since the
      resources of security analysts to parse free-form textual
      documents will be reduced;

   o  decreased effort in normalizing similar data (even when highly
      structured) from different sources; and

   o  a common format on which to build interoperable tools for incident
      handling and subsequent analysis, specifically when data comes
      from multiple constituencies.

   Coordinating with other CSIRTs is not strictly a technical problem.
   There are numerous procedural, trust, and legal considerations that
   might prevent an organization from sharing information.  The IODEF
   does not attempt to address them.  However, operational
   implementations of the IODEF will need to consider this broader
   context.

   Sections 3 and 8 specify the IODEF data model with text and an XML
   schema.  The types used by the data model are covered in Section 2.
   Processing considerations, the handling of extensions, and
   internationalization issues related to the data model are covered in
   Sections 4, 5, and 6, respectively.  Examples are listed in
   Section 7.  Section 1 provides the background for the IODEF, and
   Section 9 documents the security considerations.

1.1.  Changes from 5070

   This document contains changes with respect to its predecessor
   RFC5070.

   o  All of the RFC5070 errata were implemented.
   o  Imported the xmlns:ds namespace to include digital signature hash
      classes.

   o  The attributes @indicator-uid and @indicator-set-id were added to
      various classes to reference commonly shared indicators.

   o  The following classes and attributes were added to the Service
      class: Email, EmailSubject, X-Mailer, DomainData, AssetID,
      @virtual, and @ownership.

   o  The following classes were added to the Record class: FileName,
      ds:Reference, and WindowsRegistryKeysModified.

   o  The following classes were added to the RelatedActivity class:
      ThreatActor, Campaign, Confidence, Description, and
      AdditionalData.

   o  The following class was added to Node: PostalAddress.

   o  The following class was added to the Contact class:
      ContactTitle.

   o  (for consideration) The following attribute was added to the
      SoftwareType complexType: user-agent.

   o  Additional enumerated values were added to the following
      attributes: @restriction, {Expectation, HistoryItem}@action,
      NodeRole@category, Incident@purpose.

1.2.  Terminology

   The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
   "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Definitions for some of the common computer security-related
   terminology used in this document can be found in Section 2 of
   [refs.requirements].

1.3.  Notations

   The normative IODEF data model is specified with the text in
   Section 3 and the XML schema in Section 8.  To help in the
   understanding of the data elements, Section 3 also depicts the
   underlying information model using Unified Modeling Language (UML).
   This abstract presentation of the IODEF is not normative.

   For clarity in this document, the term "XML document" will be used
   when referring generically to any instance of an XML document.
   The term "IODEF document" will be used to refer to specific elements
   and attributes of the IODEF schema.  The terms "class" and "element"
   will be used interchangeably to reference either the corresponding
   data element in the information or data models, respectively.

1.4.  About the IODEF Data Model

   The IODEF data model is a data representation that provides a
   framework for sharing information commonly exchanged by CSIRTs about
   computer security incidents.  A number of considerations were made in
   the design of the data model.

   o  The data model serves as a transport format.  Therefore, its
      specific representation is not the optimal representation for on-
      disk storage, long-term archiving, or in-memory processing.

   o  As there is no precise widely agreed upon definition for an
      incident, the data model does not attempt to dictate one through
      its implementation.  Rather, a broad understanding is assumed in
      the IODEF that is flexible enough to encompass most operators.

   o  Describing an incident for all definitions would require an
      extremely complex data model.  Therefore, the IODEF only intends
      to be a framework to convey commonly exchanged incident
      information.  It ensures that there are ample mechanisms for
      extensibility to support organization-specific information, and
      techniques to reference information kept outside of the explicit
      data model.

   o  The domain of security analysis is not fully standardized and must
      rely on free-form textual descriptions.  The IODEF attempts to
      strike a balance between supporting this free-form content, while
      still allowing automated processing of incident information.

   o  The IODEF is only one of several security relevant data
      representations being standardized.  Attempts were made to ensure
      they were complementary.  The data model of the Intrusion
      Detection Message Exchange Format [RFC4765] influenced the design
      of the IODEF.
   Further discussion of the desirable properties for the IODEF can be
   found in the Requirements for the Format for Incident Information
   Exchange (FINE) [refs.requirements].

1.5.  About the IODEF Implementation

   The IODEF implementation is specified as an Extensible Markup
   Language (XML) [W3C.XML] Schema [W3C.SCHEMA].

   Implementing the IODEF in XML provides numerous advantages.  Its
   extensibility makes it ideal for specifying a data encoding framework
   that supports various character encodings.  Likewise, the abundance
   of related technologies (e.g., XSL, XPath, XML-Signature) makes for
   simplified manipulation.  However, XML is fundamentally a text
   representation, which makes it inherently inefficient when binary
   data must be embedded or large volumes of data must be exchanged.

2.  IODEF Data Types

   The various data elements of the IODEF data model are typed.  This
   section discusses these data types.  When possible, native Schema
   data types were adopted, but for more complicated formats, regular
   expressions (see Appendix F of [W3C.SCHEMA.DTYPES]) or external
   standards were used.

2.1.  Integers

   An integer is represented by the INTEGER data type.  Integer data
   MUST be encoded in Base 10.

   The INTEGER data type is implemented as an "xs:integer" in
   [W3C.SCHEMA.DTYPES].

2.2.  Real Numbers

   Real (floating-point) attributes are represented by the REAL data
   type.  Real data MUST be encoded in Base 10.

   The REAL data type is implemented as an "xs:float" in
   [W3C.SCHEMA.DTYPES].

2.3.  Characters and Strings

   A single character is represented by the CHARACTER data type.  A
   character string is represented by the STRING data type.  Special
   characters must be encoded using entity references.  See Section 4.1.

   The CHARACTER and STRING data types are implemented as an "xs:string"
   in [W3C.SCHEMA.DTYPES].

2.4.  Multilingual Strings

   STRING data that represents multi-character attributes in a language
   different than the default encoding of the document is of the
   ML_STRING data type.

   The ML_STRING data type is implemented as an "iodef:MLStringType" in
   the schema.

2.5.  Bytes

   A binary octet is represented by the BYTE data type.  A sequence of
   binary octets is represented by the BYTE[] data type.  These octets
   are encoded using base64.

   The BYTE data type is implemented as an "xs:base64Binary" in
   [W3C.SCHEMA.DTYPES].

2.6.  Hexadecimal Bytes

   A binary octet is represented by the HEXBIN (and HEXBIN[]) data type.
   This octet is encoded as a character tuple consisting of two
   hexadecimal digits.

   The HEXBIN data type is implemented as an "xs:hexBinary" in
   [W3C.SCHEMA.DTYPES].

2.7.  Enumerated Types

   Enumerated types are represented by the ENUM data type, and consist
   of an ordered list of acceptable values.  Each value has a
   representative keyword.  Within the IODEF schema, the enumerated type
   keywords are used as attribute values.

   The ENUM data type is implemented as a series of "xs:NMTOKEN" in the
   schema.

2.8.  Date-Time Strings

   Date-time strings are represented by the DATETIME data type.  Each
   date-time string identifies a particular instant in time; ranges are
   not supported.

   Date-time strings are formatted according to a subset of [ISO8601]
   documented in [RFC3339].

   The DATETIME data type is implemented as an "xs:dateTime" in the
   schema.

2.9.  Timezone String

   A timezone offset from UTC is represented by the TIMEZONE data type.
   It is formatted according to the following regular expression:
   "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]".

   The TIMEZONE data type is implemented as an "xs:string" with a
   regular expression constraint in [W3C.SCHEMA.DTYPES].  This regular
   expression is identical to the timezone representation implemented in
   an "xs:dateTime".

2.10.  Port Lists

   A list of network ports is represented by the PORTLIST data type.  A
   PORTLIST consists of a comma-separated list of numbers and ranges
   (N-M means ports N through M, inclusive).  It is formatted according
   to the following regular expression: "\d+(\-\d+)?(,\d+(\-\d+)?)*".
   For example, "2,5-15,30,32,40-50,55-60".

   The PORTLIST data type is implemented as an "xs:string" with a
   regular expression constraint in the schema.

2.11.  Postal Address

   A postal address is represented by the POSTAL data type.  This data
   type is an ML_STRING whose format is documented in Section 2.23 of
   [RFC4519].  It defines a postal address as a free-form multi-line
   string separated by the "$" character.

   The POSTAL data type is implemented as an "xs:string" in the schema.

2.12.  Person or Organization

   The name of an individual or organization is represented by the NAME
   data type.  This data type is an ML_STRING whose format is documented
   in Section 2.3 of [RFC4519].

   The NAME data type is implemented as an "xs:string" in the schema.

2.13.  Telephone and Fax Numbers

   A telephone or fax number is represented by the PHONE data type.  The
   format of the PHONE data type is documented in Section 2.35 of
   [RFC4519].

   The PHONE data type is implemented as an "xs:string" in the schema.

2.14.  Email String

   An email address is represented by the EMAIL data type.  The format
   of the EMAIL data type is documented in Section 3.4.1 of [RFC5322].

   The EMAIL data type is implemented as an "xs:string" in the schema.

2.15.  Uniform Resource Locator strings

   A uniform resource locator (URL) is represented by the URL data type.
   The format of the URL data type is documented in [RFC3986].

   The URL data type is implemented as an "xs:anyURI" in the schema.

3.  The IODEF Data Model

   In this section, the individual components of the IODEF data model
   will be discussed in detail.  For each class, the semantics will be
   described and the relationship with other classes will be depicted
   with UML.  When necessary, specific comments will be made about the
   corresponding definition in the schema in Section 8.

3.1.  IODEF-Document Class

   The IODEF-Document class is the top level class in the IODEF data
   model.  All IODEF documents are an instance of this class.

   +-----------------+
   | IODEF-Document  |
   +-----------------+
   | STRING version  |<>--{1..*}--[ Incident ]
   | ENUM lang       |<>--{0..*}--[ AdditionalData ]
   | STRING formatid |
   +-----------------+

                     Figure 1: IODEF-Document Class

   The aggregate classes that constitute IODEF-Document are:

   Incident
      One or more.  The information related to a single incident.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.  See
      Section 3.9.

   The IODEF-Document class has three attributes:

   version
      Required.  STRING.  The IODEF specification version number to
      which this IODEF document conforms.  The value of this attribute
      MUST be "2.00".

   lang
      Required.  ENUM.  A valid language code per [RFC4646] constrained
      by the definition of "xs:language".  The interpretation of this
      code is described in Section 6.

   formatid
      Optional.  STRING.  A free-form string to convey processing
      instructions to the recipient of the document.  Its semantics must
      be negotiated out-of-band.

3.2.  Incident Class

   Every incident is represented by an instance of the Incident class.
   This class provides a standardized representation for commonly
   exchanged incident data.
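   Two of the data types in Section 2 are defined by regular expressions
   rather than by a native Schema type, and a consumer of incident data
   has to apply them itself when the document has not been schema-
   validated.  The following is an added example, not code from the
   draft or from any IODEF implementation, that checks TIMEZONE
   (Section 2.9) and PORTLIST (Section 2.10) values against the
   expressions given there.  It also goes slightly beyond the text: the
   PORTLIST pattern only constrains syntax, so expand_portlist() adds
   the semantic checks a receiver wants (ports fit in 16 bits, a range
   N-M has N <= M) and collapses overlapping ranges.  The function names
   and the 65535 upper bound are the example's own choices.

```python
"""Added example: value checks for the IODEF TIMEZONE (Section 2.9) and
PORTLIST (Section 2.10) data types.  Not part of the draft."""
import re
from typing import List

# Patterns exactly as given in the draft, anchored so a partial match
# (e.g. "Z+05:00" or "80,abc") cannot slip through.
TIMEZONE_RE = re.compile(r"^(?:Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9])$")
PORTLIST_RE = re.compile(r"^\d+(\-\d+)?(,\d+(\-\d+)?)*$")

MAX_PORT = 65535  # semantic limit the schema pattern does not enforce


def is_timezone(value: str) -> bool:
    """True if value is a TIMEZONE string: "Z" or a signed +HH:MM offset."""
    return TIMEZONE_RE.match(value) is not None


def timezone_offset_minutes(value: str) -> int:
    """Convert a TIMEZONE string to a signed offset from UTC in minutes."""
    if not is_timezone(value):
        raise ValueError(f"not a TIMEZONE value: {value!r}")
    if value == "Z":
        return 0
    sign = -1 if value[0] == "-" else 1
    hours, minutes = value[1:].split(":")
    return sign * (int(hours) * 60 + int(minutes))


def is_portlist(value: str) -> bool:
    """True if value matches the PORTLIST syntax of Section 2.10."""
    return PORTLIST_RE.match(value) is not None


def expand_portlist(value: str) -> List[int]:
    """Expand a PORTLIST into a sorted list of distinct port numbers.

    Rejects input that is syntactically valid but meaningless: a port
    above 65535 or a descending range such as "15-5".  Duplicates and
    overlapping ranges (e.g. "5-15,10") collapse into one entry each.
    """
    if not is_portlist(value):
        raise ValueError(f"not a PORTLIST value: {value!r}")
    ports = set()
    for item in value.split(","):
        if "-" in item:
            low, high = (int(part) for part in item.split("-"))
        else:
            low = high = int(item)
        if low > high:
            raise ValueError(f"descending range in PORTLIST: {item}")
        if high > MAX_PORT:
            raise ValueError(f"port out of range in PORTLIST: {item}")
        ports.update(range(low, high + 1))
    return sorted(ports)


if __name__ == "__main__":
    # The example value from Section 2.10 expands to 31 distinct ports.
    print(expand_portlist("2,5-15,30,32,40-50,55-60"))
    print(timezone_offset_minutes("-05:00"))
```

   The anchoring matters: an "xs:pattern" facet in XML Schema implicitly
   anchors the expression to the whole value, so a hand-written check
   that uses an unanchored search would accept strings the schema
   rejects.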
541 +-------------------------+ 542 | Incident | 543 +-------------------------+ 544 | ENUM purpose |<>----------[ IncidentID ] 545 | STRING ext-purpose |<>--{0..1}--[ AlternativeID ] 546 | ENUM lang |<>--{0..*}--[ RelatedActivity ] 547 | ENUM restriction |<>--{0..1}--[ DetectTime ] 548 | STRING indicator-uid |<>--{0..1}--[ StartTime ] 549 | STRING indicator-set-id |<>--{0..1}--[ EndTime ] 550 | |<>----------[ ReportTime ] 551 | |<>--{0..*}--[ Description ] 552 | |<>--{1..*}--[ Assessment ] 553 | |<>--{0..*}--[ Method ] 554 | |<>--{1..*}--[ Contact ] 555 | |<>--{0..*}--[ EventData ] 556 | |<>--{0..1}--[ History ] 557 | |<>--{0..*}--[ AdditionalData ] 558 +-------------------------+ 560 Figure 2: The Incident Class 562 The aggregate classes that constitute Incident are: 564 IncidentID 565 One. An incident tracking number assigned to this incident by the 566 CSIRT that generated the IODEF document. 568 AlternativeID 569 Zero or one. The incident tracking numbers used by other CSIRTs 570 to refer to the incident described in the document. 572 RelatedActivity 573 Zero or many. Related activity and attribution of this activity. 575 DetectTime 576 Zero or one. The time the incident was first detected. 578 StartTime 579 Zero or one. The time the incident started. 581 EndTime 582 Zero or one. The time the incident ended. 584 ReportTime 585 One. The time the incident was reported. 587 Description 588 Zero or more. ML_STRING. A free-form textual description of the 589 incident. 591 Assessment 592 One or more. A characterization of the impact of the incident. 594 Method 595 Zero or more. The techniques used by the intruder in the 596 incident. 598 Contact 599 One or more. Contact information for the parties involved in the 600 incident. 602 EventData 603 Zero or more. Description of the events comprising the incident. 605 History 606 Zero or one. A log of significant events or actions that occurred 607 during the course of handling the incident. 
   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.

   The Incident class has five attributes:

   purpose
      Required.  ENUM.  The purpose attribute represents the reason why
      the IODEF document was created.  It is closely related to the
      Expectation class (Section 3.16).  This attribute is defined as an
      enumerated list:

      1.  traceback.  The document was sent for trace-back purposes.

      2.  mitigation.  The document was sent to request aid in
          mitigating the described activity.

      3.  reporting.  The document was sent to comply with reporting
          requirements.

      4.  watch.  The document was sent to convey indicators to watch
          for particular activity.

      5.  other.  The document was sent for purposes specified in the
          Expectation class.

      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-purpose
      Optional.  STRING.  A means by which to extend the purpose
      attribute.  See Section 5.1.

   lang
      Optional.  ENUM.  A valid language code per [RFC4646] constrained
      by the definition of "xs:language".  The interpretation of this
      code is described in Section 6.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   indicator-uid
      Optional.  STRING.  See Section 3.3.2.

   indicator-set-id
      Optional.  STRING.  See Section 3.3.2.

3.3.  Common Attributes

   There are a number of recurring attributes used by the data model.
   They are documented in this section.

3.3.1.  restriction Attribute

   The restriction attribute indicates the disclosure guidelines to
   which the sender expects the recipient to adhere for the information
   represented in this class and its children.  This guideline provides
   no security since there are no specified technical means to ensure
   that the recipient of the document handles the information as the
   sender requested.

   The value of this attribute is logically inherited by the children of
   this class.  That is to say, the disclosure rules applied to this
   class also apply to its children.

   It is possible to set a granular disclosure policy, since all of the
   high-level classes (i.e., children of the Incident class) have a
   restriction attribute.  Therefore, a child can override the
   guidelines of a parent class, be it to restrict or relax the
   disclosure rules (e.g., a child has a weaker policy than an ancestor;
   or an ancestor has a weak policy, and the children selectively apply
   more rigid controls).  The implicit value of the restriction
   attribute for a class that did not specify one can be found in the
   closest ancestor that did specify a value.

   This attribute is defined as an enumerated value with a default value
   of "private".  Note that the default value of the restriction
   attribute is only defined in the context of the Incident class.  In
   other classes where this attribute is used, no default is specified.

   1.  public.  The information can be freely distributed without
       restriction.

   2.  partner.  The information may be shared within a closed community
       of peers, partners, or affected parties, but cannot be openly
       published.

   3.  need-to-know.  The information may be shared only within the
       organization with individuals that have a need to know.

   4.  private.  The information may not be shared.

   5.  default.  The information can be shared according to an
       information disclosure policy pre-arranged by the communicating
       parties.

   6.  white.  Same as 'public'.

   7.  green.  Same as 'partner'.

   8.  amber.  Same as 'need-to-know'.

   9.  red.  Same as 'private'.

3.3.2.  Indicator Attributes

   For data elements that are commonly used as indicators, the data
   model uses four attributes to facilitate their ...

   indicator-uid
      STRING.  See Section 3.3.2.

   indicator-set-id
      STRING.  See Section 3.3.2.

3.4.  IncidentID Class

   The IncidentID class represents an incident tracking number that is
   unique in the context of the CSIRT and identifies the activity
   characterized in an IODEF Document.  This identifier would serve as
   an index into the CSIRT incident handling system.  The combination of
   the name attribute and the string in the element content MUST be a
   globally unique identifier describing the activity.  Documents
   generated by a given CSIRT MUST NOT reuse the same value unless they
   are referencing the same incident.

   +------------------+
   | IncidentID       |
   +------------------+
   | STRING           |
   |                  |
   | STRING name      |
   | STRING instance  |
   | ENUM restriction |
   +------------------+

                    Figure 3: The IncidentID Class

   The IncidentID class has three attributes:

   name
      Required.  STRING.  An identifier describing the CSIRT that
      created the document.  In order to have a globally unique CSIRT
      name, the fully qualified domain name associated with the CSIRT
      MUST be used.

   instance
      Optional.  STRING.  An identifier referencing a subset of the
      named incident.

   restriction
      Optional.  ENUM.  See Section 3.3.1.  The default value is
      "public".

3.5.  AlternativeID Class

   The AlternativeID class lists the incident tracking numbers used by
   CSIRTs, other than the one generating the document, to refer to the
   identical activity described in the IODEF document.  A tracking
   number listed as an AlternativeID references the same incident
   detected by another CSIRT.  The incident tracking numbers of the
   CSIRT that generated the IODEF document must never be considered an
   AlternativeID.

   +------------------+
   | AlternativeID    |
   +------------------+
   | ENUM restriction |<>--{1..*}--[ IncidentID ]
   |                  |
   +------------------+

                   Figure 4: The AlternativeID Class

   The aggregate class that constitutes AlternativeID is:

   IncidentID
      One or more.  The incident tracking number of another CSIRT.

   The AlternativeID class has one attribute:

   restriction
      Optional.  ENUM.  This attribute has been defined in Section 3.2.

3.6.  RelatedActivity Class

   The RelatedActivity class relates the information described in the
   rest of the IODEF document to previously observed incidents or
   activity, and allows attribution to a specific actor or campaign.

   +------------------+
   | RelatedActivity  |
   +------------------+
   | ENUM restriction |<>--{0..*}--[ IncidentID ]
   |                  |<>--{0..*}--[ URL ]
   |                  |<>--{0..*}--[ ThreatActor ]
   |                  |<>--{0..*}--[ Campaign ]
   |                  |<>--{0..1}--[ Confidence ]
   |                  |<>--{0..*}--[ Description ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                    Figure 5: RelatedActivity Class

   The aggregate classes that constitute RelatedActivity are:

   IncidentID
      One or more.  The incident tracking number of a related incident.

   URL
      One or more.  URL.  A URL to activity related to this incident.

   ThreatActor
      One or more.  The threat actor to whom the described activity is
      attributed.

   Campaign
      One or more.  The campaign of a given threat actor to whom the
      described activity is attributed.

   Confidence
      Zero or one.  An estimate of the confidence in attributing this
      RelatedActivity to the event described in the document.

   Description
      Zero or many.  ML_STRING.  A description of how these
      relationships were derived.

   AdditionalData
      Zero or many.  A mechanism by which to extend the data model.

   RelatedActivity MUST have at least one instance of IncidentID, URL,
   ThreatActor, or Campaign.

   The RelatedActivity class has one attribute:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.7.  ThreatActor Class

   The ThreatActor class describes a given actor.
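   The inheritance rules of Section 3.3.1 apply to every class carrying
   a restriction attribute, including the RelatedActivity and
   ThreatActor classes above, and they are easy to get wrong on the
   receiving side.  The Python program below is an added example, not
   part of this document or of any IODEF implementation: it computes the
   effective restriction of each element of a constructed Incident and
   then removes what a given recipient may not receive.  The instance,
   the recipient levels, the choice to withhold "default" unless the
   caller states that the pre-arranged policy allows it, and the
   handling of an ancestor whose child relaxed the policy (kept as an
   empty container) are assumptions of the example; element names follow
   this draft and omit the namespace.

```python
"""Effective restriction values and recipient-side redaction for an IODEF
document, following the inheritance rules of Section 3.3.1.

Added example; not part of draft-ietf-mile-rfc5070-bis-05.  The instance
below is constructed, uses the draft's element names without a namespace,
and the recipient "levels" are an assumption of this example.
"""
import xml.etree.ElementTree as ET

# Colour values are synonyms for the four base values (items 6-9).
ALIASES = {"white": "public", "green": "partner",
           "amber": "need-to-know", "red": "private"}
# Least to most restrictive.  "default" is not ranked: it refers to a
# policy pre-arranged between the parties, so it is decided separately.
RANK = {"public": 0, "partner": 1, "need-to-know": 2, "private": 3}

# Constructed instance: Incident sets no restriction (default "private");
# children override it in both directions.
SAMPLE = """<Incident purpose="reporting">
  <IncidentID name="csirt.example.com">2014-0001</IncidentID>
  <Assessment restriction="need-to-know">
    <Impact type="recon">Port scan of the DMZ</Impact>
    <Impact type="admin" restriction="green">Admin login attempt</Impact>
  </Assessment>
  <RelatedActivity restriction="default">
    <URL>https://www.example.com/advisories/1</URL>
  </RelatedActivity>
  <Method restriction="public">
    <Description>Brute-force against SSH</Description>
  </Method>
  <History restriction="red">
    <HistoryItem><DateTime>2014-01-15T10:00:00Z</DateTime></HistoryItem>
  </History>
</Incident>"""


def effective_restriction(path):
    """Closest ancestor (or the element itself) that set a value wins;
    only the Incident root supplies a default, "private"."""
    for elem in reversed(path):
        value = elem.get("restriction")
        if value is not None:
            return ALIASES.get(value, value)
    return "private"


def effective_levels(xml_text):
    """(tag, effective restriction) for every element, in document order."""
    out = []

    def visit(elem, path):
        path = path + [elem]
        out.append((elem.tag, effective_restriction(path)))
        for child in elem:
            visit(child, path)

    visit(ET.fromstring(xml_text), [])
    return out


def redact(elem, recipient_level, allow_default=False, path=()):
    """Copy of elem with everything the recipient may not see removed.

    A child may relax an ancestor's policy (Section 3.3.1), so an element
    the recipient may not see is kept as a bare container when one of its
    descendants is releasable; otherwise the whole subtree is dropped.
    Unknown or ext-value restrictions are treated as "private".
    """
    path = path + (elem,)
    level = effective_restriction(path)
    if level == "default":
        visible = allow_default
    else:
        limit = RANK[ALIASES.get(recipient_level, recipient_level)]
        visible = RANK.get(level, RANK["private"]) <= limit
    kept = [c for c in (redact(ch, recipient_level, allow_default, path)
                        for ch in elem) if c is not None]
    if visible:
        copy = ET.Element(elem.tag, dict(elem.attrib))
        copy.text = elem.text
    elif kept:
        copy = ET.Element(elem.tag)     # structure only, content withheld
    else:
        return None
    copy.extend(kept)
    return copy


def outline(elem):
    """Nested (tag, [children]) view, convenient for tests and logging."""
    return (elem.tag, [outline(c) for c in elem])


def redact_document(xml_text, recipient_level, allow_default=False):
    kept = redact(ET.fromstring(xml_text), recipient_level, allow_default)
    return None if kept is None else outline(kept)


if __name__ == "__main__":
    for tag, level in effective_levels(SAMPLE):
        print(f"{tag:16} {level}")
    print(redact_document(SAMPLE, "partner"))
```

   The draft also states per-class defaults for some classes (IncidentID
   "public" in Section 3.4, History "default" in Section 3.14); a
   production implementation would consult such a per-element fallback
   before the "private" default used here.  As Section 3.3.1 says, none
   of this is enforced by the format itself: the recipient is trusted to
   apply it, which is why a receiving tool should do so mechanically
   before the document is forwarded or stored.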
   +------------------+
   | Actor            |
   +------------------+
   | ENUM restriction |<>--{0..1}--[ ThreatActorID ]
   |                  |<>--{0..*}--[ Description ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                      Figure 6: ThreatActor Class

   The aggregate classes that constitute ThreatActor are:

   ThreatActorID
      One or more.  STRING.  An identifier for the ThreatActor.

   Description
      One or more.  ML_STRING.  A description of the ThreatActor.

   AdditionalData
      Zero or many.  A mechanism by which to extend the data model.

   ThreatActor MUST have at least one instance of a ThreatActorID or
   Description.

   The ThreatActor class has one attribute:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.8.  Campaign Class

   The Campaign class describes a ...

   +------------------+
   | Campaign         |
   +------------------+
   | ENUM restriction |<>--{0..1}--[ CampaignID ]
   |                  |<>--{0..*}--[ Description ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                       Figure 7: Campaign Class

   The aggregate classes that constitute Campaign are:

   CampaignID
      One or more.  STRING.  An identifier for the Campaign.

   Description
      One or more.  ML_STRING.  A description of the Campaign.

   AdditionalData
      Zero or many.  A mechanism by which to extend the data model.

   Campaign MUST have at least one instance of a Campaign or
   Description.

   The Campaign class has one attribute:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.9.  AdditionalData Class

   The AdditionalData class serves as an extension mechanism for
   information not otherwise represented in the data model.  For
   relatively simple information, atomic data types (e.g., integers,
   strings) are provided with a mechanism to annotate their meaning.
   The class can also be used to extend the data model (and the
   associated Schema) to support proprietary extensions by encapsulating
   entire XML documents conforming to another Schema.  A detailed
   discussion for extending the data model and the schema can be found
   in Section 5.

   Unlike XML, which is self-describing, atomic data must be documented
   to convey its meaning.  This information is described in the
   'meaning' attribute.  Since these descriptions are outside the scope
   of the specification, some additional coordination may be required to
   ensure that a recipient of a document using the AdditionalData
   classes can make sense of the custom extensions.

   +------------------+
   | AdditionalData   |
   +------------------+
   | ANY              |
   |                  |
   | ENUM dtype       |
   | STRING ext-dtype |
   | STRING meaning   |
   | STRING formatid  |
   | ENUM restriction |
   +------------------+

                  Figure 8: The AdditionalData Class

   The AdditionalData class has five attributes:

   dtype
      Required.  ENUM.  The data type of the element content.  The
      permitted values for this attribute are shown below.  The default
      value is "string".

      1.   boolean.  The element content is of type BOOLEAN.

      2.   byte.  The element content is of type BYTE.

      3.   bytes.  The element content is of type HEXBIN.

      4.   character.  The element content is of type CHARACTER.

      5.   date-time.  The element content is of type DATETIME.

      6.   ntpstamp.  Same as date-time.

      7.   integer.  The element content is of type INTEGER.

      8.   portlist.  The element content is of type PORTLIST.

      9.   real.  The element content is of type REAL.

      10.  string.  The element content is of type STRING.

      11.  file.  The element content is a base64 encoded binary file
           encoded as a BYTE[] type.

      12.  path.  The element content is a file-system path encoded as a
           STRING type.

      13.  frame.  The element content is a layer-2 frame encoded as a
           HEXBIN type.

      14.  packet.  The element content is a layer-3 packet encoded as a
           HEXBIN type.

      15.  ipv4-packet.  The element content is an IPv4 packet encoded
           as a HEXBIN type.

      16.  ipv6-packet.  The element content is an IPv6 packet encoded
           as a HEXBIN type.

      17.  url.  The element content is of type URL.

      18.  csv.  The element content is a comma-separated value (CSV)
           list per Section 2 of [RFC4180] encoded as a STRING type.

      19.  winreg.  The element content is a Windows registry key
           encoded as a STRING type.

      20.  xml.  The element content is XML.  See Section 5.

      21.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

   ext-dtype
      Optional.  STRING.  A means by which to extend the dtype
      attribute.  See Section 5.1.

   meaning
      Optional.  STRING.  A free-form description of the element
      content.

   formatid
      Optional.  STRING.  An identifier referencing the format and
      semantics of the element content.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.10.  Contact Class

   The Contact class describes contact information for organizations and
   personnel involved in the incident.  This class allows for the naming
   of the involved party, specifying contact information for them, and
   identifying their role in the incident.

   People and organizations are treated interchangeably as contacts; one
   can be associated with the other using the recursive definition of
   the class (the Contact class is aggregated into the Contact class).
   The 'type' attribute disambiguates the type of contact information
   being provided.

   The inheriting definition of Contact provides a way to relate
   information without requiring the explicit use of identifiers in the
   classes or duplication of data.  A complete point of contact is
   derived by a particular traversal from the root Contact class to the
   leaf Contact class.  As such, multiple points of contact might be
   specified in a single instance of a Contact class.  Each child
   Contact class logically inherits contact information from its
   ancestors.

   +------------------+
   | Contact          |
   +------------------+
   | ENUM role        |<>--{0..1}--[ ContactName ]
   | STRING ext-role  |<>--{0..1}--[ ContactTitle ]
   | ENUM type        |<>--{0..*}--[ Description ]
   | STRING ext-type  |<>--{0..*}--[ RegistryHandle ]
   | ENUM restriction |<>--{0..1}--[ PostalAddress ]
   |                  |<>--{0..*}--[ Email ]
   |                  |<>--{0..*}--[ Telephone ]
   |                  |<>--{0..1}--[ Fax ]
   |                  |<>--{0..1}--[ Timezone ]
   |                  |<>--{0..*}--[ Contact ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                      Figure 9: The Contact Class

   The aggregate classes that constitute the Contact class are:

   ContactName
      Zero or one.  ML_STRING.  The name of the contact.  The contact
      may either be an organization or a person.  The type attribute
      disambiguates the semantics.

   ContactTitle
      Zero or one.  ML_STRING.  The title for the individual named in
      the ContactName.

   Description
      Zero or many.  ML_STRING.  A free-form description of this
      contact.  In the case of a person, this is often the
      organizational title of the individual.

   RegistryHandle
      Zero or many.  A handle name into the registry of the contact.

   PostalAddress
      Zero or one.  The postal address of the contact.

   Email
      Zero or many.  The email address of the contact.

   Telephone
      Zero or many.  The telephone number of the contact.

   Fax
      Zero or one.  The facsimile telephone number of the contact.

   Timezone
      Zero or one.  TIMEZONE.  The timezone in which the contact resides
      formatted according to Section 2.9.

   Contact
      Zero or many.  A Contact instance contained within another Contact
      instance inherits the values of the parent(s).  This recursive
      definition can be used to group common data pertaining to multiple
      points of contact and is especially useful when listing multiple
      contacts at the same organization.

   AdditionalData
      Zero or many.  A mechanism by which to extend the data model.

   At least one of the aggregate classes MUST be present in an instance
   of the Contact class.  This is not enforced in the IODEF schema as
   there is no simple way to accomplish it.

   The Contact class has five attributes:

   role
      Required.  ENUM.  Indicates the role the contact fulfills.  This
      attribute is defined as an enumerated list:

      1.   creator.  The entity that generated the document.

      2.   reporter.  The entity that reported the information.

      3.   admin.  An administrative contact or business owner for an
           asset or organization.

      4.   tech.  An entity responsible for the day-to-day management of
           technical issues for an asset or organization.

      5.   provider.  An external hosting provider for an asset.

      6.   zone.  An entity with authority over a DNS zone.

      7.   user.  An end-user of an asset or part of an organization.

      8.   billing.  An entity responsible for billing issues for an
           asset or organization.

      9.   legal.  An entity responsible for legal issues related to an
           asset or organization.

      10.  irt.  An entity responsible for handling security issues for
           an asset or organization.

      11.  abuse.  An entity responsible for handling abuse originating
           from an asset or organization.

      12.  cc.  An entity that is to be kept informed about the events
           related to an asset or organization.

      13.  cc-irt.  A CSIRT or information sharing organization
           coordinating activity related to an asset or organization.

      14.  le.  A law enforcement entity supporting the investigation of
           activity affecting an asset or organization.

      15.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

   ext-role
      Optional.  STRING.  A means by which to extend the role attribute.
      See Section 5.1.

   type
      Required.  ENUM.  Indicates the type of contact being described.
      This attribute is defined as an enumerated list:

      1.  person.  The information for this contact references an
          individual.

      2.  organization.  The information for this contact references an
          organization.

      3.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.

   restriction
      Optional.  ENUM.  This attribute is defined in Section 3.2.

3.10.1.  RegistryHandle Class

   The RegistryHandle class represents a handle into an Internet
   registry or community-specific database.  The handle is specified in
   the element content and the type attribute specifies the database.

   +---------------------+
   | RegistryHandle      |
   +---------------------+
   | STRING              |
   |                     |
   | ENUM registry       |
   | STRING ext-registry |
   +---------------------+

                  Figure 10: The RegistryHandle Class

   The RegistryHandle class has two attributes:

   registry
      Required.  ENUM.  The database to which the handle belongs.  The
      possible values are:

      1.  internic.  Internet Network Information Center

      2.  apnic.  Asia Pacific Network Information Center

      3.  arin.  American Registry for Internet Numbers

      4.  lacnic.  Latin-American and Caribbean IP Address Registry

      5.  ripe.  Reseaux IP Europeens

      6.  afrinic.  African Internet Numbers Registry

      7.  local.  A database local to the CSIRT

      8.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-registry
      Optional.  STRING.  A means by which to extend the registry
      attribute.  See Section 5.1.

3.10.2.  PostalAddress Class

   The PostalAddress class specifies a postal address formatted
   according to the POSTAL data type (Section 2.11).

   +---------------------+
   | PostalAddress       |
   +---------------------+
   | POSTAL              |
   |                     |
   | ENUM meaning        |
   | ENUM lang           |
   +---------------------+

                  Figure 11: The PostalAddress Class

   The PostalAddress class has two attributes:

   meaning
      Optional.  ENUM.  A free-form description of the element content.

   lang
      Optional.  ENUM.  A valid language code per [RFC4646] constrained
      by the definition of "xs:language".  The interpretation of this
      code is described in Section 6.

3.10.3.  Email Class

   The Email class specifies an email address formatted according to the
   EMAIL data type (Section 2.14).

   +--------------+
   | Email        |
   +--------------+
   | EMAIL        |
   |              |
   | ENUM meaning |
   +--------------+

                      Figure 12: The Email Class

   The Email class has one attribute:

   meaning
      Optional.  ENUM.  A free-form description of the element content.

3.10.4.  Telephone and Fax Classes

   The Telephone and Fax classes specify a voice or fax telephone number
   respectively, and are formatted according to the PHONE data type
   (Section 2.13).

   +--------------------+
   | {Telephone | Fax } |
   +--------------------+
   | PHONE              |
   |                    |
   | ENUM meaning       |
   +--------------------+

              Figure 13: The Telephone and Fax Classes

   The Telephone class has one attribute:

   meaning
      Optional.  ENUM.  A free-form description of the element content
      (e.g., hours of coverage for a given number).

3.11.  Time Classes

   The data model uses five different classes to represent a timestamp.
   Their definition is identical, but each has a distinct name to convey
   a difference in semantics.

   The element content of each class is a timestamp formatted according
   to the DATETIME data type (see Section 2.8).
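   The recursive Contact definition of Section 3.10 leaves it to the
   reader to derive a complete point of contact by walking from the root
   Contact to each nested one.  The Python program below is an added
   example, not taken from this document or from an IODEF
   implementation, that performs that walk and also reports the
   constraints of Section 3.10 the schema cannot enforce (at least one
   aggregate class, required role and type).  The instance is
   constructed (example.com names and fictional numbers).  Which
   aggregates a child overrides (the single-valued ones) and which
   accumulate down the tree (the multi-valued ones) is a choice of the
   example, since the draft only states that a child inherits its
   ancestors' values.

```python
"""Deriving complete points of contact from nested Contact classes
(Section 3.10): each Contact inherits the contact information of its
ancestors, and a child may add to it or override it.

Added example; not part of draft-ietf-mile-rfc5070-bis-05.  The instance
is constructed (example.com names, fictional phone numbers) and uses the
draft's element names without a namespace.
"""
import xml.etree.ElementTree as ET

# Aggregates that occur at most once: a child's value replaces the
# inherited one.  Multi-valued aggregates accumulate, ancestors first.
SINGLE = ("ContactName", "ContactTitle", "PostalAddress", "Fax", "Timezone")
MULTI = ("Description", "RegistryHandle", "Email", "Telephone")
AGGREGATES = SINGLE + MULTI + ("Contact", "AdditionalData")
TYPES = {"person", "organization", "ext-value"}

SAMPLE = """<Contact role="irt" type="organization" restriction="partner">
  <ContactName>CSIRT for example.com</ContactName>
  <PostalAddress>1 Example Way, Anytown</PostalAddress>
  <Email>irt@example.com</Email>
  <Telephone meaning="switchboard">+1-555-0100</Telephone>
  <Timezone>-05:00</Timezone>
  <Contact role="tech" type="person">
    <ContactName>Alice Example</ContactName>
    <Email>alice@example.com</Email>
  </Contact>
  <Contact role="admin" type="person">
    <ContactName>Bob Example</ContactName>
    <Telephone meaning="mobile">+1-555-0101</Telephone>
    <Contact role="cc" type="person">
      <ContactName>Carol Example</ContactName>
    </Contact>
  </Contact>
</Contact>"""


def _text(node):
    return (node.text or "").strip()


def contact_problems(contact, where="Contact"):
    """Constraints stated in Section 3.10 that the schema does not
    enforce, checked for this Contact and every nested one."""
    problems = []
    if contact.get("role") is None:
        problems.append(f"{where}: role is required")
    if contact.get("type") not in TYPES:
        problems.append(f"{where}: type is required and must be "
                        "person, organization or ext-value")
    if not any(contact.find(a) is not None for a in AGGREGATES):
        problems.append(f"{where}: at least one aggregate class MUST be present")
    for i, child in enumerate(contact.findall("Contact")):
        problems.extend(contact_problems(child, f"{where}/Contact[{i}]"))
    return problems


def derive_contacts(contact, inherited=None):
    """One flattened record per Contact element, depth first.  A record
    carries the element's own role/type plus the contact information
    collected along the path from the root Contact down to it."""
    fields = dict(inherited or {})
    for key in SINGLE:
        node = contact.find(key)
        if node is not None:
            fields[key] = _text(node)
    for key in MULTI:
        own = [_text(n) for n in contact.findall(key)]
        if own:
            fields[key] = fields.get(key, []) + own   # new list each time
    role = contact.get("role")
    if role == "ext-value":                           # Section 5.1 escape
        role = "ext:" + (contact.get("ext-role") or "")
    records = [{"role": role, "type": contact.get("type"), **fields}]
    for child in contact.findall("Contact"):
        records.extend(derive_contacts(child, fields))
    return records


def contacts_from(xml_text):
    return derive_contacts(ET.fromstring(xml_text))


def problems_from(xml_text):
    return contact_problems(ET.fromstring(xml_text))


if __name__ == "__main__":
    for rec in contacts_from(SAMPLE):
        print(rec["role"], rec.get("ContactName"),
              rec.get("Email"), rec.get("Telephone"))
```

   Every Contact element, not only each leaf, yields a record: the
   organization itself is a point of contact with role "irt", and Bob is
   one even though Carol is nested under him.  The restriction attribute
   is deliberately not inherited here; it follows the separate rules of
   Section 3.3.1.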
   +----------------------------------+
   | {Start| End| Report| Detect}Time |
   +----------------------------------+
   | DATETIME                         |
   +----------------------------------+

                      Figure 14: The Time Classes

3.11.1.  StartTime Class

   The StartTime class represents the time the incident began.

3.11.2.  EndTime Class

   The EndTime class represents the time the incident ended.

3.11.3.  DetectTime Class

   The DetectTime class represents the time the first activity of the
   incident was detected.

3.11.4.  ReportTime Class

   The ReportTime class represents the time the incident was reported.
   This timestamp MUST be the time at which the IODEF document was
   generated.

3.11.5.  DateTime

   The DateTime class is a generic representation of a timestamp.  Infer
   its semantics from the parent class in which it is aggregated.

3.12.  Method Class

   The Method class describes the methodology used by the intruder to
   perpetrate the events of the incident.  This class consists of a list
   of references describing the attack method and a free-form
   description of the technique.

   +------------------+
   | Method           |
   +------------------+
   | ENUM restriction |<>--{0..*}--[ Reference ]
   |                  |<>--{0..*}--[ Description ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                      Figure 15: The Method Class

   The Method class is composed of three aggregate classes:

   Reference
      Zero or many.  A reference to a vulnerability, malware sample,
      advisory, or analysis of an attack technique.

   Description
      Zero or many.  ML_STRING.  A free-form text description of the
      methodology used by the intruder.

   AdditionalData
      Zero or many.  A mechanism by which to extend the data model.

   Either an instance of the Reference or Description class MUST be
   present.

   The Method class has one attribute:

   restriction
      Optional.  ENUM.  This attribute is defined in Section 3.2.

3.12.1.  Reference Class

   The Reference class is a reference to a vulnerability, IDS alert,
   malware sample, advisory, or attack technique.  A reference consists
   of a name, a URL to this reference, and an optional description.

   +-------------------------+
   | Reference               |
   +-------------------------+
   | ENUM attacktype         |<>----------[ ReferenceName ]
   | STRING ext-attacktype   |<>--{0..*}--[ URL ]
   | STRING indicator-uid    |<>--{0..*}--[ Description ]
   | STRING indicator-set-id |
   +-------------------------+

                    Figure 16: The Reference Class

   The aggregate classes that constitute Reference are:

   ReferenceName
      One.  ML_STRING.  Name of the reference.

   URL
      Zero or many.  URL.  A URL associated with the reference.

   Description
      Zero or many.  ML_STRING.  A free-form text description of this
      reference.

   The Reference class has four attributes:

   attacktype
      Optional.  ENUM.  TODO.

   ext-attacktype
      Optional.  STRING.  A mechanism by which to extend the Attack
      Type.

   indicator-uid
      Optional.  STRING.  See Section 3.3.2.

   indicator-set-id
      Optional.  STRING.  See Section 3.3.2.

3.13.  Assessment Class

   The Assessment class describes the repercussions of the incident to
   the victim.

   +-------------------------+
   | Assessment              |
   +-------------------------+
   | ENUM occurrence         |<>--{0..*}--[ Impact ]
   | ENUM restriction        |<>--{0..*}--[ BusinessImpact ]
   | STRING indicator-uid    |<>--{0..*}--[ TimeImpact ]
   | STRING indicator-set-id |<>--{0..*}--[ MonetaryImpact ]
   |                         |<>--{0..*}--[ Counter ]
   |                         |<>--{0..1}--[ Confidence ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                     Figure 17: Assessment Class

   The aggregate classes that constitute Assessment are:

   Impact
      Zero or many.  Technical characterization of the impact of the
      activity on the victim's enterprise.

   BusinessImpact
      Zero or many.  Impact of the activity on the business functions of
      the victim organization.

   TimeImpact
      Zero or many.  Impact of the activity measured with respect to
      time.

   MonetaryImpact
      Zero or many.  Impact of the activity measured with respect to
      financial loss.

   Counter
      Zero or more.  A counter with which to summarize the magnitude of
      the activity.

   Confidence
      Zero or one.  An estimate of confidence in the assessment.

   AdditionalData
      Zero or many.  A mechanism by which to extend the data model.

   At least one instance of the possible three impact classes (i.e.,
   Impact, TimeImpact, or MonetaryImpact) MUST be present.

   The Assessment class has four attributes:

   occurrence
      Optional.  ENUM.  Specifies whether the assessment is describing
      actual or potential outcomes.

      1.  actual.  This assessment describes activity that has occurred.

      2.  potential.  This assessment describes potential activity that
          might occur.

   restriction
      Optional.  ENUM.  This attribute is defined in Section 3.2.

   indicator-uid
      Optional.  STRING.  See Section 3.3.2.

   indicator-set-id
      Optional.  STRING.  See Section 3.3.2.

3.13.1.  Impact Class

   The Impact class allows for categorizing and describing the technical
   impact of the incident on the network of an organization.

   This class is based on [RFC4765].

   +------------------+
   | Impact           |
   +------------------+
   | ML_STRING        |
   |                  |
   | ENUM lang        |
   | ENUM severity    |
   | ENUM completion  |
   | ENUM type        |
   | STRING ext-type  |
   +------------------+

                       Figure 18: Impact Class

   The element content will be a free-form textual description of the
   impact.

   The Impact class has five attributes:

   lang
      Optional.  ENUM.  A valid language code per [RFC4646] constrained
      by the definition of "xs:language".  The interpretation of this
      code is described in Section 6.

   severity
      Optional.  ENUM.  An estimate of the relative severity of the
      activity.  The permitted values are shown below.  There is no
      default value.

      1.  low.  Low severity

      2.  medium.  Medium severity

      3.  high.  High severity

   completion
      Optional.  ENUM.  An indication whether the described activity was
      successful.  The permitted values are shown below.  There is no
      default value.

      1.  failed.  The attempted activity was not successful.

      2.  succeeded.  The attempted activity succeeded.

   type
      Required.  ENUM.  Classifies the malicious activity into incident
      categories.  The permitted values are shown below.  The default
      value is "other".

      1.   admin.  Administrative privileges were attempted.

      2.   dos.  A denial of service was attempted.

      3.   file.  An action that impacts the integrity of a file or
           database was attempted.

      4.   info-leak.  An attempt was made to exfiltrate information.

      5.   misconfiguration.  An attempt was made to exploit a
           misconfiguration in a system.

      6.   policy.  Activity violating the site's policy was attempted.

      7.   recon.  Reconnaissance activity was attempted.

      8.   social-engineering.  A social engineering attack was
           attempted.

      9.   user.  User privileges were attempted.

      10.  unknown.  The classification of this activity is unknown.

      11.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.

3.13.2.  BusinessImpact Class

   The BusinessImpact class describes and characterizes the degree to
   which the function of the organization was impacted by the Incident.

   The element body describes the impact to the organization as a free-
   form text string.  The two attributes characterize the impact.

   +-------------------------+
   | BusinessImpact          |
   +-------------------------+
   | ML_STRING               |
   |                         |
   | ENUM severity           |
   | STRING ext-severity     |
   | ENUM type               |
   | STRING ext-type         |
   +-------------------------+

                   Figure 19: BusinessImpact Class

   The element content will be a free-form textual description of the
   impact to the organization.

   The BusinessImpact class has four attributes:

   severity
      Optional.  ENUM.  Characterizes the severity of the incident on
      business functions.  The permitted values are shown below.  They
      were derived from Table 3-2 of [NIST800.61rev2].  The default
      value is "unknown".

      1.  none.  No effect to the organization's ability to provide all
          services to all users.

      2.  low.  Minimal effect as the organization can still provide all
          critical services to all users but has lost efficiency.

      3.  medium.  The organization has lost the ability to provide a
          critical service to a subset of system users.

      4.  high.  The organization is no longer able to provide some
          critical services to any users.

      5.  unknown.  The impact is not known.

      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-severity
      Optional.  STRING.  A means by which to extend the severity
      attribute.  See Section 5.1.

   type
      Required.  ENUM.  Characterizes the effect this incident had on
      the business.  Classifies the malicious activity into incident
      categories.  The permitted values are shown below.  There is no
      default value.

      1.   breach-proprietary.  Sensitive or proprietary information was
           accessed or exfiltrated.

      2.   breach-privacy.  Personally identifiable information was
           accessed or exfiltrated.

      3.   loss-of-integrity.  Sensitive or proprietary information was
           changed or deleted.

      4.   loss-of-service.  Service delivery was disrupted.

      5.   loss-financial.  Money or services were stolen.

      6.   degraded-reputation.  The reputation of the organization's
           brand was diminished.

      7.   asset-damage.  A cyber-physical system was damaged.

      8.   asset-manipulation.  A cyber-physical system was manipulated.

      9.   legal.  The incident resulted in legal or regulatory action.

      10.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.

3.13.3.  TimeImpact Class

   The TimeImpact class describes the impact of the incident on an
   organization as a function of time.  It provides a way to convey
   downtime and recovery time.

   +---------------------+
   | TimeImpact          |
   +---------------------+
   | REAL                |
   |                     |
   | ENUM severity       |
   | ENUM metric         |
   | STRING ext-metric   |
   | ENUM duration       |
   | STRING ext-duration |
   +---------------------+

                     Figure 20: TimeImpact Class

   The element content is a positive, floating point (REAL) number
   specifying a unit of time.  The duration and metric attributes will
   imply the semantics of the element content.

   The TimeImpact class has five attributes:

   severity
      Optional.  ENUM.  An estimate of the relative severity of the
      activity.  The permitted values are shown below.  There is no
      default value.

      1.  low.  Low severity

      2.  medium.  Medium severity

      3.  high.  High severity

   metric
      Required.  ENUM.  Defines the metric in which the time is
      expressed.  The permitted values are shown below.  There is no
      default value.

      1.  labor.  Total staff-time to recover from the activity (e.g.,
          2 employees working 4 hours each would be 8 hours).

      2.  elapsed.  Elapsed time from the beginning of the recovery to
          its completion (i.e., wall-clock time).

      3.  downtime.  Duration of time for which some provided service(s)
          was not available.

      4.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-metric
      Optional.  STRING.  A means by which to extend the metric
      attribute.  See Section 5.1.

   duration
      Optional.  ENUM.  Defines a unit of time that, when combined with
      the metric attribute, fully describes a metric of impact that will
      be conveyed in the element content.  The permitted values are
      shown below.  The default value is "hour".

      1.  second.  The unit of the element content is seconds.

      2.  minute.  The unit of the element content is minutes.

      3.  hour.  The unit of the element content is hours.

      4.  day.  The unit of the element content is days.

      5.  month.  The unit of the element content is months.

      6.  quarter.  The unit of the element content is quarters.

      7.  year.  The unit of the element content is years.

      8.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-duration
      Optional.  STRING.  A means by which to extend the duration
      attribute.  See Section 5.1.

3.13.4.  MonetaryImpact Class

   The MonetaryImpact class describes the financial impact of the
   activity on an organization.  For example, this impact may consider
   losses due to the cost of the investigation or recovery, diminished
   productivity of the staff, or a tarnished reputation that will affect
   future opportunities.

   +------------------+
   | MonetaryImpact   |
   +------------------+
   | REAL             |
   |                  |
   | ENUM severity    |
   | STRING currency  |
   +------------------+

                   Figure 21: MonetaryImpact Class

   The element content is a positive, floating point number (REAL)
   specifying a unit of currency described in the currency attribute.

   The MonetaryImpact class has two attributes:

   severity
      Optional.  ENUM.  An estimate of the relative severity of the
      activity.  The permitted values are shown below.  There is no
      default value.

      1.  low.  Low severity

      2.  medium.  Medium severity

      3.  high.  High severity

   currency
      Optional.  STRING.  Defines the currency in which the monetary
      impact is expressed.  The permitted values are defined in "Codes
      for the representation of currencies and funds" of [ISO4217].
      There is no default value.

3.13.5.  Confidence Class

   The Confidence class represents a best estimate of the validity and
   accuracy of the described impact (see Section 3.13) of the incident
   activity.  This estimate can be expressed as a category or a numeric
   calculation.

   This class is based upon [RFC4765].

   +------------------+
   | Confidence       |
   +------------------+
   | REAL             |
   |                  |
   | ENUM rating      |
   +------------------+

                     Figure 22: Confidence Class

   The element content expresses a numerical assessment in the
   confidence of the data when the value of the rating attribute is
   "numeric".  Otherwise, this element MUST be empty.

   The Confidence class has one attribute:

   rating
      Required.  ENUM.  A rating of the analytical validity of the
      specified Assessment.  The permitted values are shown below.
      There is no default value.

      1.  low.  Low confidence in the validity.

      2.  medium.  Medium confidence in the validity.

      3.  high.  High confidence in the validity.

      4.  numeric.  The element content contains a number that conveys
          the confidence of the data.  The semantics of this number are
          outside the scope of this specification.

      5.  unknown.  The confidence rating value is not known.

3.14.  History Class

   The History class is a log of the significant events or actions
   performed by the involved parties during the course of handling the
   incident.

   The level of detail maintained in this log is left up to the
   discretion of those handling the incident.
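   Several rules of Section 3.13 are stated in prose rather than in the
   schema: at least one impact class must be present, the Confidence
   element content must be empty unless the rating is "numeric", the
   TimeImpact and MonetaryImpact content must be a positive REAL, and
   the attribute values are enumerated.  The Python program below is an
   added example (not from this document or from an IODEF
   implementation) that checks those rules on constructed Assessment
   instances and scales TimeImpact values to hours.  The instances are
   constructed; element names follow this draft without a namespace; the
   currency check verifies only the three-letter [ISO4217] code format,
   not membership in the ISO list; and months, quarters and years are
   deliberately left unconverted because the draft gives them no fixed
   length.

```python
"""Checks for the Assessment class and its impact classes (Section 3.13)
and normalisation of TimeImpact values to hours.

Added example; not part of draft-ietf-mile-rfc5070-bis-05.  Both
instances are constructed; element names follow the draft, without a
namespace.  The currency check only verifies the three-letter ISO 4217
code format, not membership in the ISO list.
"""
import xml.etree.ElementTree as ET

OCCURRENCE = {"actual", "potential"}
SEVERITY = {"low", "medium", "high"}
COMPLETION = {"failed", "succeeded"}
METRICS = {"labor", "elapsed", "downtime", "ext-value"}
DURATIONS = {"second", "minute", "hour", "day", "month", "quarter",
             "year", "ext-value"}
RATINGS = {"low", "medium", "high", "numeric", "unknown"}
# Fixed-length units only; month, quarter and year need a calendar
# policy the draft does not specify, so they are left unconverted.
SECONDS_PER = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

GOOD = """<Assessment occurrence="actual">
  <Impact type="dos" severity="high" completion="succeeded">Web tier saturated</Impact>
  <TimeImpact metric="downtime" duration="minute" severity="medium">90</TimeImpact>
  <TimeImpact metric="labor">8</TimeImpact>
  <TimeImpact metric="elapsed" duration="quarter">1</TimeImpact>
  <MonetaryImpact currency="USD">12000.50</MonetaryImpact>
  <Confidence rating="numeric">0.8</Confidence>
</Assessment>"""

BAD = """<Assessment occurrence="guess">
  <Counter>3</Counter>
  <Confidence rating="high">0.9</Confidence>
</Assessment>"""


def _positive_real(node):
    try:
        return float((node.text or "").strip()) > 0
    except ValueError:
        return False


def _enum(problems, elem, attr, allowed, required=False):
    value = elem.get(attr)
    if value is None:
        if required:
            problems.append(f"{elem.tag}: {attr} is required")
    elif value not in allowed:
        problems.append(f"{elem.tag}: {attr} {value!r} is not a permitted value")


def assessment_problems(assessment):
    """Constraints of Section 3.13 that an XML schema alone does not
    catch, returned as a list of findings (empty when none)."""
    problems = []
    _enum(problems, assessment, "occurrence", OCCURRENCE)
    if not any(assessment.find(t) is not None
               for t in ("Impact", "TimeImpact", "MonetaryImpact")):
        problems.append("Assessment: at least one of Impact, TimeImpact or "
                        "MonetaryImpact MUST be present")
    for imp in assessment.findall("Impact"):
        _enum(problems, imp, "severity", SEVERITY)
        _enum(problems, imp, "completion", COMPLETION)
    for ti in assessment.findall("TimeImpact"):
        _enum(problems, ti, "severity", SEVERITY)
        _enum(problems, ti, "metric", METRICS, required=True)
        _enum(problems, ti, "duration", DURATIONS)        # default "hour"
        if not _positive_real(ti):
            problems.append("TimeImpact: element content must be a positive REAL")
    for mi in assessment.findall("MonetaryImpact"):
        _enum(problems, mi, "severity", SEVERITY)
        if not _positive_real(mi):
            problems.append("MonetaryImpact: element content must be a positive REAL")
        cur = mi.get("currency")
        if cur is not None and not (len(cur) == 3 and cur.isascii()
                                    and cur.isalpha() and cur.isupper()):
            problems.append(f"MonetaryImpact: currency {cur!r} is not a "
                            "three-letter ISO 4217 code")
    for conf in assessment.findall("Confidence"):
        _enum(problems, conf, "rating", RATINGS, required=True)
        content = (conf.text or "").strip()
        if conf.get("rating") == "numeric":
            try:
                float(content)
            except ValueError:
                problems.append("Confidence: numeric rating requires a REAL element content")
        elif content:
            problems.append("Confidence: element content MUST be empty unless rating is numeric")
    return problems


def time_impact_hours(ti):
    """Element content scaled to hours, or None when the duration unit
    has no fixed length (month, quarter, year, ext-value)."""
    unit = ti.get("duration", "hour")
    if unit not in SECONDS_PER:
        return None
    return float(ti.text.strip()) * SECONDS_PER[unit] / 3600


def summarize(xml_text):
    """Findings plus (metric, hours) for every TimeImpact, as one dict."""
    assessment = ET.fromstring(xml_text)
    return {"problems": assessment_problems(assessment),
            "hours": [(ti.get("metric"), time_impact_hours(ti))
                      for ti in assessment.findall("TimeImpact")]}


if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, summarize(doc))
```

   The Impact type attribute is left unchecked on purpose: the draft
   marks it Required with a default of "other", a value that is not in
   its own list, so a checker cannot take a position without guessing.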
1832 +------------------+ 1833 | History | 1834 +------------------+ 1835 | ENUM restriction |<>--{1..*}--[ HistoryItem ] 1836 | | 1837 +------------------+ 1839 Figure 23: The History Class 1841 The class that constitutes History is: 1843 HistoryItem 1844 One or many. Entry in the history log of significant events or 1845 actions performed by the involved parties. 1847 The History class has one attribute: 1849 restriction 1850 Optional. ENUM. This attribute is defined in Section 3.2. The 1851 default value is "default". 1853 3.14.1. HistoryItem Class 1855 The HistoryItem class is an entry in the History (Section 3.14) log 1856 that documents a particular action or event that occurred in the 1857 course of handling the incident. The details of the entry are a 1858 free-form description, but each can be categorized with the type 1859 attribute. 1861 +-------------------------+ 1862 | HistoryItem | 1863 +-------------------------+ 1864 | ENUM restriction |<>----------[ DateTime ] 1865 | ENUM action |<>--{0..1}--[ IncidentId ] 1866 | STRING ext-action |<>--{0..1}--[ Contact ] 1867 | STRING indicator-uid |<>--{0..*}--[ Description ] 1868 | STRING indicator-set-id |<>--{0..*}--[ AdditionalData ] 1869 +-------------------------+ 1871 Figure 24: HistoryItem Class 1873 The aggregate classes that constitute HistoryItem are: 1875 DateTime 1876 One. Timestamp of this entry in the history log (e.g., when the 1877 action described in the Description was taken). 1879 IncidentID 1880 Zero or One. In a history log created by multiple parties, the 1881 IncidentID provides a mechanism to specify which CSIRT created a 1882 particular entry and references this organization's incident 1883 tracking number. When a single organization is maintaining the 1884 log, this class can be ignored. 1886 Contact 1887 Zero or One. Provides contact information for the person that 1888 performed the action documented in this class. 1890 Description 1891 Zero or many. ML_STRING. 
A free-form textual description of the 1892 action or event. 1894 DefinedCOA 1895 Zero or many. ML_STRING. A unique identifier meaningful to the 1896 sender and recipient of this document that references a course of 1897 action. This class MUST be present if the action attribute is set 1898 to "defined-coa". 1900 AdditionalData 1901 Zero or many. A mechanism by which to extend the data model. 1903 The HistoryItem class has five attributes: 1905 restriction 1906 Optional. ENUM. See Section 3.3.1. 1908 action 1909 Required. ENUM. Classifies a performed action or occurrence 1910 documented in this history log entry. As activity will likely 1911 have been instigated either through a previously conveyed 1912 expectation or internal investigation, this attribute is identical 1913 to the category attribute of the Expectation class. The 1914 difference is only one of tense. When an action is in this class, 1915 it has been completed. See Section 3.16. 1917 ext-action 1918 Optional. STRING. A means by which to extend the action 1919 attribute. See Section 5.1. 1921 indicator-uid 1922 Optional. STRING. See Section 3.3.2. 1924 indicator-set-id 1925 Optional. STRING. See Section 3.3.2. 1927 3.15. EventData Class 1929 The EventData class describes a particular event of the incident for 1930 a given set of hosts or networks. This description includes the 1931 systems from which the activity originated and those targeted, an 1932 assessment of the techniques used by the intruder, the impact of the 1933 activity on the organization, and any forensic evidence discovered. 
1935 +-------------------------+ 1936 | EventData | 1937 +-------------------------+ 1938 | ENUM restriction |<>--{0..*}--[ Description ] 1939 | STRING indicator-uid |<>--{0..1}--[ DetectTime ] 1940 | STRING indicator-set-id |<>--{0..1}--[ StartTime ] 1941 | |<>--{0..1}--[ EndTime ] 1942 | |<>--{0..*}--[ Contact ] 1943 | |<>--{0..1}--[ Assessment ] 1944 | |<>--{0..*}--[ Method ] 1945 | |<>--{0..*}--[ Flow ] 1946 | |<>--{0..*}--[ Expectation ] 1947 | |<>--{0..1}--[ Record ] 1948 | |<>--{0..*}--[ EventData ] 1949 | |<>--{0..*}--[ AdditionalData ] 1950 +-------------------------+ 1952 Figure 25: The EventData Class 1954 The aggregate classes that constitute EventData are: 1956 Description 1957 Zero or more. ML_STRING. A free-form textual description of the 1958 event. 1960 DetectTime 1961 Zero or one. The time the event was detected. 1963 StartTime 1964 Zero or one. The time the event started. 1966 EndTime 1967 Zero or one. The time the event ended. 1969 Contact 1970 Zero or more. Contact information for the parties involved in the 1971 event. 1973 Assessment 1974 Zero or one. The impact of the event on the target and the 1975 actions taken. 1977 Method 1978 Zero or more. The technique used by the intruder in the event. 1980 Flow 1981 Zero or more. A description of the systems or networks involved. 1983 Expectation 1984 Zero or more. The expected action to be performed by the 1985 recipient for the described event. 1987 Record 1988 Zero or one. Supportive data (e.g., log files) that provides 1989 additional information about the event. 1991 EventData 1992 Zero or more. EventData instances contained within another 1993 EventData instance inherit the values of the parent(s); this 1994 recursive definition can be used to group common data pertaining 1995 to multiple events. When EventData elements are defined 1996 recursively, only the leaf instances (those EventData instances 1997 not containing other EventData instances) represent actual events. 
1999 AdditionalData 2000 Zero or more. An extension mechanism for data not explicitly 2001 represented in the data model. 2003 At least one of the aggregate classes MUST be present in an instance 2004 of the EventData class. This is not enforced in the IODEF schema as 2005 there is no simple way to accomplish it. 2007 The EventData class has three attributes: 2009 restriction 2010 Optional. ENUM. This attribute is defined in Section 3.2. The 2011 default value is "default". 2013 indicator-uid 2014 Optional. STRING. See Section 3.3.2. 2016 indicator-set-id 2017 Optional. STRING. See Section 3.3.2. 2019 3.15.1. Relating the Incident and EventData Classes 2021 There is substantial overlap in the Incident and EventData classes. 2022 Nevertheless, the semantics of these classes are quite different. 2023 The Incident class provides summary information about the entire 2024 incident, while the EventData class provides information about the 2025 individual events comprising the incident. In the most common case, 2026 the EventData class will provide more specific information for the 2027 general description provided in the Incident class. However, it may 2028 also be possible that the overall summarized information about the 2029 incident conflicts with some individual information in an EventData 2030 class when there is a substantial composition of various events in 2031 the incident. In such a case, the interpretation of the more 2032 specific EventData MUST supersede the more generic information 2033 provided in Incident. 2035 3.15.2. Cardinality of EventData 2037 The EventData class can be thought of as a container for the 2038 properties of an event in an incident. These properties include: the 2039 hosts involved, impact of the incident activity on the hosts, 2040 forensic logs, etc. With an instance of the EventData class, hosts 2041 (i.e., System class) are grouped around these common properties.
2043 The recursive definition (or instance property inheritance) of the 2044 EventData class (the EventData class is aggregated into the EventData 2045 class) provides a way to relate information without requiring the 2046 explicit use of unique attribute identifiers in the classes or 2047 duplicating information. Instead, the relative depth (nesting) of a 2048 class is used to group (relate) information. 2050 For example, an EventData class might be used to describe two 2051 machines involved in an incident. This description can be achieved 2052 using multiple instances of the Flow class. It happens that there is 2053 a common technical contact (i.e., Contact class) for these two 2054 machines, but the impact (i.e., Assessment class) on them is 2055 different. A depiction of the representation for this situation can 2056 be found in Figure 26. 2058 +------------------+ 2059 | EventData | 2060 +------------------+ 2061 | |<>----[ Contact ] 2062 | | 2063 | |<>----[ EventData ]<>----[ Flow ] 2064 | | [ ]<>----[ Assessment ] 2065 | | 2066 | |<>----[ EventData ]<>----[ Flow ] 2067 | | [ ]<>----[ Assessment ] 2068 +------------------+ 2070 Figure 26: Recursion in the EventData Class 2072 3.16. Expectation Class 2074 The Expectation class conveys to the recipient of the IODEF document 2075 the actions the sender is requesting. The scope of the requested 2076 action is limited to the purview of the EventData class in which this 2077 class is aggregated.
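The nesting shown in Figure 26 is only useful to a consumer that resolves it. The following Python script is an added example, not part of this draft or its schema: it walks a nested EventData tree, yields one record per leaf EventData (the only instances that represent actual events, per Section 3.15), and attaches the children inherited from every enclosing EventData. The sample document is constructed for illustration and omits the IODEF namespace; treating an explicit restriction on a nested EventData as overriding the inherited one is an assumption, since the draft only says values are inherited.

```python
# Added example, not part of the draft: resolve the EventData recursion of
# Section 3.15.2 so that only leaf EventData instances remain, each carrying
# the children inherited from its ancestors.  Namespaces are omitted for
# brevity; real IODEF documents qualify every element with the IODEF namespace.
import xml.etree.ElementTree as ET

# Constructed sample mirroring Figure 26: one Contact shared by two leaf
# events that differ in Flow and Assessment.
SAMPLE = """\
<EventData restriction="need-to-know">
  <Contact type="organization" role="tech">
    <Email>ops@csirt.example</Email>
  </Contact>
  <EventData>
    <Flow><System category="target"><Node>
      <Address category="ipv4-addr">192.0.2.10</Address>
    </Node></System></Flow>
    <Assessment><Impact severity="low" completion="failed" type="dos"/></Assessment>
  </EventData>
  <EventData restriction="private">
    <Flow><System category="target"><Node>
      <Address category="ipv4-addr">192.0.2.20</Address>
    </Node></System></Flow>
    <Assessment><Impact severity="high" completion="succeeded" type="admin"/></Assessment>
  </EventData>
</EventData>
"""


def flatten(event, inherited=None, restriction="default"):
    """Return one dict per leaf EventData: {"restriction": ..., "children": {tag: [elements]}}.

    Children of every ancestor come first, then the leaf's own children, so a
    Description added at the leaf refines rather than replaces the parent's.
    An explicit restriction on a nested EventData is taken to override the
    inherited one (an assumption; the draft only says values are inherited).
    """
    restriction = event.get("restriction", restriction)
    # Copy the inherited lists so sibling leaves never share state.
    merged = {tag: list(elems) for tag, elems in (inherited or {}).items()}
    nested = []
    for child in event:
        if child.tag == "EventData":
            nested.append(child)
        else:
            merged.setdefault(child.tag, []).append(child)
    if not nested:
        return [{"restriction": restriction, "children": merged}]
    leaves = []
    for sub in nested:
        leaves.extend(flatten(sub, merged, restriction))
    return leaves


def summarize(leaf):
    """Pull the fields an analyst would triage on out of a flattened leaf."""
    children = leaf["children"]
    contacts = [e.text for c in children.get("Contact", []) for e in c.iter("Email")]
    systems = [(s.get("category"), a.text)
               for f in children.get("Flow", [])
               for s in f.iter("System")
               for a in s.iter("Address")]
    impacts = [i.get("severity")
               for a in children.get("Assessment", [])
               for i in a.iter("Impact")]
    return {"restriction": leaf["restriction"], "contacts": contacts,
            "systems": systems, "severity": impacts}


def leaf_summaries(xml_text):
    """Parse an EventData fragment and summarize each of its leaf events."""
    return [summarize(leaf) for leaf in flatten(ET.fromstring(xml_text))]


if __name__ == "__main__":
    for record in leaf_summaries(SAMPLE):
        print(record)
```

Run stand-alone, the script prints two records, both carrying the shared contact but each with its own address and severity; the second inherits nothing from the first, only from the enclosing EventData.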
2079 +-------------------------+ 2080 | Expectation | 2081 +-------------------------+ 2082 | ENUM restriction |<>--{0..*}--[ Description ] 2083 | ENUM severity |<>--{0..*}--[ DefinedCOA ] 2084 | ENUM action |<>--{0..1}--[ StartTime ] 2085 | STRING ext-action |<>--{0..1}--[ EndTime ] 2086 | STRING indicator-uid |<>--{0..1}--[ Contact ] 2087 | STRING indicator-set-id | 2088 +-------------------------+ 2090 Figure 27: The Expectation Class 2092 The aggregate classes that constitute Expectation are: 2094 Description 2095 Zero or many. ML_STRING. A free-form description of the desired 2096 action(s). 2098 DefinedCOA 2099 Zero or many. ML_STRING. A unique identifier meaningful to the 2100 sender and recipient of this document that references a course of 2101 action. This class MUST be present if the action attribute is set 2102 to "defined-coa". 2104 StartTime 2105 Zero or one. The time at which the sender would like the action 2106 performed. A timestamp that is earlier than the ReportTime 2107 specified in the Incident class denotes that the sender would like 2108 the action performed as soon as possible. The absence of this 2109 element indicates no expectations of when the recipient would like 2110 the action performed. 2112 EndTime 2113 Zero or one. The time by which the sender expects the recipient 2114 to complete the action. If the recipient cannot complete the 2115 action before EndTime, the recipient MUST NOT carry out the 2116 action. Because of transit delays, clock drift, and so on, the 2117 sender MUST be prepared for the recipient to have carried out the 2118 action, even if it completes past EndTime. 2120 Contact 2121 Zero or one. The expected actor for the action. 2123 The Expectation class has six attributes: 2125 restriction 2126 Optional. ENUM. This attribute is defined in Section 3.2. The 2127 default value is "default". 2129 severity 2130 Optional. ENUM. Indicates the desired priority of the action.
2131 This attribute is an enumerated list with no default value, and 2132 the semantics of these relative measures are context dependent. 2134 1. low. Low priority 2136 2. medium. Medium priority 2138 3. high. High priority 2140 action 2141 Optional. ENUM. Classifies the type of action requested. This 2142 attribute is an enumerated list with a default value of "other". 2144 1. nothing. No action is requested. Do nothing with the 2145 information. 2147 2. contact-source-site. Contact the site(s) identified as the 2148 source of the activity. 2150 3. contact-target-site. Contact the site(s) identified as the 2151 target of the activity. 2153 4. contact-sender. Contact the originator of the document. 2155 5. investigate. Investigate the system(s) listed in the event. 2157 6. block-host. Block traffic from the machine(s) listed as 2158 sources in the event. 2160 7. block-network. Block traffic from the network(s) listed as 2161 sources in the event. 2163 8. block-port. Block the port(s) listed as sources in the event. 2165 9. rate-limit-host. Rate-limit the traffic from the machine(s) 2166 listed as sources in the event. 2168 10. rate-limit-network. Rate-limit the traffic from the 2169 network(s) listed as sources in the event. 2171 11. rate-limit-port. Rate-limit the port(s) listed as sources in 2172 the event. 2174 12. remediate-other. Remediate the activity in a way other than 2175 by rate limiting or blocking. 2177 13. status-triage. Conveys receipt and the triaging of an 2178 incident. 2180 14. status-new-info. Conveys that new information was received 2181 for this incident. 2183 15. watch-and-report. Watch for the described activity and share 2184 if seen. 2186 16. defined-coa. Perform a predefined course of action (COA). 2187 The COA is named in the DefinedCOA class. 2189 17. other. Perform some custom action described in the 2190 Description class. 2192 18. ext-value. An escape value used to extend this attribute. 2193 See Section 5.1.
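The timing rules on StartTime and EndTime and the coupling between action="defined-coa" and the DefinedCOA class are the parts of Expectation a recipient actually has to evaluate. The following Python script is an added example, not part of this draft: it reads an Expectation element and returns whether the recipient should act now, defer, or drop the request. The sample elements and timestamps are constructed; the recipient's own estimate of how long an action takes (expected_duration) is an assumption that the data model does not carry, and the IODEF namespace is omitted.

```python
# Added example, not part of the draft: decide what to do with an Expectation
# (Section 3.16) from its action attribute, StartTime and EndTime.  Namespaces
# are omitted for brevity.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Values of the action attribute as enumerated in Section 3.16.
ACTIONS = {
    "nothing", "contact-source-site", "contact-target-site", "contact-sender",
    "investigate", "block-host", "block-network", "block-port",
    "rate-limit-host", "rate-limit-network", "rate-limit-port",
    "remediate-other", "status-triage", "status-new-info", "watch-and-report",
    "defined-coa", "other", "ext-value",
}


def parse_datetime(text):
    """DATETIME content is ISO 8601; accept a trailing Z for UTC."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def evaluate(expectation, report_time, now, expected_duration):
    """Classify an Expectation element as 'act', 'defer' or 'drop'.

    report_time is the Incident's ReportTime; expected_duration is the
    recipient's own estimate of how long the action takes (an assumption,
    not something the data model carries).
    """
    action = expectation.get("action", "other")  # default value per the draft
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if action == "ext-value" and not expectation.get("ext-action"):
        raise ValueError("ext-value requires ext-action")
    coas = [(e.text or "").strip() for e in expectation.findall("DefinedCOA")]
    if action == "defined-coa" and not coas:
        raise ValueError("defined-coa requires a DefinedCOA child")

    start = expectation.find("StartTime")
    end = expectation.find("EndTime")
    start_at = parse_datetime(start.text) if start is not None else None
    end_at = parse_datetime(end.text) if end is not None else None

    # A StartTime earlier than ReportTime, or no StartTime, means "as soon
    # as possible"; otherwise wait until the requested time.
    if start_at is None or start_at < report_time:
        earliest = now
    else:
        earliest = max(start_at, now)

    # If the action cannot finish before EndTime, the recipient MUST NOT
    # carry it out.
    if end_at is not None and earliest + expected_duration > end_at:
        decision = "drop"
    elif earliest > now:
        decision = "defer"
    else:
        decision = "act"
    return {"decision": decision, "action": action,
            "ext_action": expectation.get("ext-action"),
            "severity": expectation.get("severity"), "coas": coas,
            "start": None if decision == "drop" else earliest, "end": end_at}


def evaluate_xml(xml_text, report_time, now, minutes):
    """Convenience wrapper: parse the fragment and evaluate it."""
    return evaluate(ET.fromstring(xml_text), report_time, now,
                    timedelta(minutes=minutes))


# Constructed samples.
BLOCK = """<Expectation action="block-host" severity="high">
  <Description>Block the scanning host at the border.</Description>
  <StartTime>2014-01-10T09:00:00Z</StartTime>
  <EndTime>2014-01-10T12:00:00Z</EndTime>
</Expectation>"""
DEFER = """<Expectation action="investigate">
  <StartTime>2014-01-10T11:00:00Z</StartTime>
</Expectation>"""
COA_MISSING = """<Expectation action="defined-coa"/>"""

REPORTED = datetime(2014, 1, 10, 10, 0, tzinfo=timezone.utc)
NOW = datetime(2014, 1, 10, 10, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(evaluate_xml(BLOCK, REPORTED, NOW, 30))    # act: StartTime precedes ReportTime
    print(evaluate_xml(BLOCK, REPORTED, NOW, 120))   # drop: would finish after EndTime
    print(evaluate_xml(DEFER, REPORTED, NOW, 30))    # defer until 11:00
```

The "drop" branch is deliberately strict: a recipient that cannot meet EndTime must not act, while the sender, as the text notes, still has to tolerate a late completion caused by clock drift or transit delay.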
2195 ext-action 2196 Optional. STRING. A means by which to extend the action 2197 attribute. See Section 5.1. 2199 indicator-uid 2200 Optional. STRING. See Section 3.3.2. 2202 indicator-set-id 2203 Optional. STRING. See Section 3.3.2. 2205 3.17. Flow Class 2207 The Flow class groups the related source and target hosts. 2209 +------------------+ 2210 | Flow | 2211 +------------------+ 2212 | |<>--{1..*}--[ System ] 2213 +------------------+ 2215 Figure 28: The Flow Class 2217 The aggregate class that constitutes Flow is: 2219 System 2220 One or More. A host or network involved in an event. 2222 The Flow class has no attributes. 2224 3.18. System Class 2226 The System class describes a system or network involved in an event. 2227 The systems or networks represented by this class are categorized 2228 according to the role they played in the incident through the 2229 category attribute. The value of this category attribute dictates 2230 the semantics of the aggregated classes in the System class. If the 2231 category attribute has a value of "source", then the aggregated 2232 classes denote the machine and service from which the activity is 2233 originating. With a category attribute value of "target" or 2234 "intermediate", the machine or service is the one targeted in 2235 the activity. A value of "sensor" dictates that this System was part 2236 of an instrumentation to monitor the network.
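Flow, System, Node and Service carry several MUSTs that the XML schema cannot express: a System needs a Node; a Node needs a NodeName, DomainData or Address (Section 3.19); a Service needs exactly one of Port or Portlist and an ip_protocol (Section 3.21); and when a source and a target System in one Flow both list ports, the lists must have equal length and pair up position by position (Section 3.21). The following Python script is an added example, not part of this draft: it checks those rules over a Flow and derives the implied source/target port pairs. The sample Flows are constructed, the IODEF namespace is omitted, and the PORTLIST syntax (comma-separated ports or low-high ranges, per Section 2.10) is restated here as an assumption.

```python
# Added example, not part of the draft: check the structural MUSTs of the
# Flow, System, Node and Service classes (Sections 3.17 to 3.21) and derive
# the source/target port pairs implied by a Flow.  Namespaces are omitted.
import re
import xml.etree.ElementTree as ET


def parse_portlist(text):
    """Assumed PORTLIST syntax (Section 2.10): comma-separated port numbers
    or low-high ranges, e.g. "22,80,6667-6669"."""
    ports = []
    for item in text.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item.strip())
        if not m:
            raise ValueError(f"bad PORTLIST item {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of order or out of range: {item!r}")
        ports.extend(range(lo, hi + 1))
    return ports


def service_ports(service):
    """Exactly one of Port or Portlist MUST be present; ip_protocol is required."""
    if service.get("ip_protocol") is None:
        raise ValueError("Service lacks ip_protocol")
    port, plist = service.find("Port"), service.find("Portlist")
    if (port is None) == (plist is None):
        raise ValueError("Service needs exactly one of Port or Portlist")
    if port is not None:
        return [int(port.text)]
    return parse_portlist(plist.text)


def node_label(node):
    """A Node MUST carry a NodeName, a DomainData or at least one Address."""
    for tag in ("NodeName", "Address"):
        el = node.find(tag)
        if el is not None and el.text:
            return el.text.strip()
    name = node.find("DomainData/Name")
    if name is not None and name.text:
        return name.text.strip()
    raise ValueError("Node has neither NodeName, DomainData nor Address")


def flow_pairs(flow):
    """Return (source, sport, target, dport) tuples implied by a Flow."""
    systems = flow.findall("System")
    if not systems:
        raise ValueError("Flow MUST contain at least one System")
    ends = {"source": [], "target": []}
    for system in systems:
        node = system.find("Node")
        if node is None:
            raise ValueError("System MUST contain a Node")
        label = node_label(node)
        ports = [p for svc in system.findall("Service") for p in service_ports(svc)]
        if system.get("category") in ends:
            ends[system.get("category")].append((label, ports))
    pairs = []
    for src, sports in ends["source"]:
        for dst, dports in ends["target"]:
            if not sports or not dports:
                continue  # the pairing rule applies only when both list ports
            if len(sports) != len(dports):
                raise ValueError(f"{src} lists {len(sports)} ports but {dst} lists {len(dports)}")
            if len(sports) > 1 and (len(ends["source"]) > 1 or len(ends["target"]) > 1):
                raise ValueError("multiple ports require a single source and a single target")
            pairs.extend((src, sp, dst, dp) for sp, dp in zip(sports, dports))
    return pairs


def check(xml_text):
    """Return the derived pairs, or the text of the first violated rule."""
    try:
        return flow_pairs(ET.fromstring(xml_text))
    except ValueError as exc:
        return str(exc)


# Constructed samples: two source ports paired with two target ports.
GOOD = """<Flow>
  <System category="source">
    <Node><Address category="ipv4-addr">192.0.2.10</Address></Node>
    <Service ip_protocol="6"><Portlist>51234,51235</Portlist></Service>
  </System>
  <System category="target">
    <Node><NodeName>www.example.com</NodeName></Node>
    <Service ip_protocol="6"><Portlist>22,443</Portlist></Service>
  </System>
</Flow>"""
MISMATCH = GOOD.replace("22,443", "443")          # N != M
NAMELESS = """<Flow><System category="source"><Node/></System></Flow>"""

if __name__ == "__main__":
    for sample in (GOOD, MISMATCH, NAMELESS):
        print(check(sample))
```

A consumer that skips the length check silently mispairs ports, which is the kind of defect that turns a correct blocking request into a wrong firewall rule; failing closed on a malformed Flow is the safer default.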
2238 +---------------------+ 2239 | System | 2240 +---------------------+ 2241 | ENUM restriction |<>----------[ Node ] 2242 | ENUM category |<>--{0..*}--[ Service ] 2243 | STRING ext-category |<>--{0..*}--[ OperatingSystem ] 2244 | STRING interface |<>--{0..*}--[ Counter ] 2245 | ENUM spoofed |<>--{0..*}--[ AssetID ] 2246 | ENUM virtual |<>--{0..*}--[ Description ] 2247 | ENUM ownership |<>--{0..*}--[ AdditionalData ] 2248 | STRING ext-ownership | 2249 +---------------------+ 2251 Figure 29: The System Class 2253 The aggregate classes that constitute System are: 2255 Node 2256 One. A host or network involved in the incident. 2258 Service 2259 Zero or more. A network service running on the system. 2261 OperatingSystem 2262 Zero or more. The operating system running on the system. 2264 Counter 2265 Zero or more. A counter with which to summarize properties of 2266 this host or network. 2268 AssetID 2269 Zero or more. An asset identifier for the System. 2271 Description 2272 Zero or more. ML_STRING. A free-form text description of the 2273 System. 2275 AdditionalData 2276 Zero or more. A mechanism by which to extend the data model. 2278 The System class has eight attributes: 2280 restriction 2281 Optional. ENUM. This attribute is defined in Section 3.2. 2283 category 2284 Optional. ENUM. Classifies the role the host or network played 2285 in the incident. The possible values are: 2287 1. source. The System was the source of the event. 2289 2. target. The System was the target of the event. 2291 3. watchlist-source. The source of the event was on a watchlist. 2293 4. watchlist-target. The target of the event was on a watchlist. 2295 5. intermediate. The System was an intermediary in the event. 2297 6. sensor. The System was a sensor monitoring the event. 2299 7. infrastructure. The System was an infrastructure node of 2300 IODEF document exchange. 2302 8. ext-value. An escape value used to extend this attribute. 2303 See Section 5.1. 2305 ext-category 2306 Optional.
STRING. A means by which to extend the category 2307 attribute. See Section 5.1. 2309 indicator-set-id 2310 Optional. STRING. See Section 3.3.2. 2312 interface 2313 Optional. STRING. Specifies the interface on which the event(s) 2314 on this System originated. If the Node class specifies a network 2315 rather than a host, this attribute has no meaning. 2317 spoofed 2318 Optional. ENUM. An indication of confidence in whether this 2319 System was the true target or attacking host. The permitted 2320 values for this attribute are shown below. The default value is 2321 "unknown". 2323 1. unknown. The accuracy of the category attribute value is 2324 unknown. 2326 2. yes. The category attribute value is probably incorrect. In 2327 the case of a source, the System is likely a decoy; with a 2328 target, the System was likely not the intended victim. 2330 3. no. The category attribute value is believed to be correct. 2332 virtual 2333 Optional. ENUM. Indicates whether this System is a virtual or 2334 physical device. The default value is "unknown". The possible 2335 values are: 2337 1. yes. The System is a virtual device. 2339 2. no. The System is a physical device. 2341 3. unknown. It is not known if the System is virtual. 2343 ownership 2344 Optional. ENUM. Describes the ownership of this System relative 2345 to the sender of the IODEF document. The possible values are: 2347 1. organization. The System is owned by the organization. 2349 2. personal. The System is owned by an employee or affiliate of 2350 the organization. 2352 3. partner. The System is owned by a partner of the 2353 organization. 2355 4. customer. The System is owned by a customer of the 2356 organization. 2358 5. no-relationship. The System is owned by an entity that has no 2359 known relationship with the organization. 2361 6. unknown. The ownership of the System is unknown. 2363 7. ext-value. An escape value used to extend this attribute. 2364 See Section 5.1. 2366 ext-ownership 2367 Optional. STRING.
A means by which to extend the ownership 2368 attribute. See Section 5.1. 2370 3.19. Node Class 2372 The Node class names an asset or network. 2374 This class was derived from [RFC4765]. 2376 +---------------+ 2377 | Node | 2378 +---------------+ 2379 | |<>--{0..*}--[ NodeName ] 2380 | |<>--{0..*}--[ DomainData ] 2381 | |<>--{0..*}--[ Address ] 2382 | |<>--{0..1}--[ PostalAddress ] 2383 | |<>--{0..1}--[ Location ] 2384 | |<>--{0..1}--[ DateTime ] 2385 | |<>--{0..*}--[ NodeRole ] 2386 | |<>--{0..*}--[ Counter ] 2387 +---------------+ 2389 Figure 30: The Node Class 2391 The aggregate classes that constitute Node are: 2393 NodeName 2394 Zero or more. ML_STRING. The name of the Node (e.g., fully 2395 qualified domain name). This information MUST be provided if no 2396 Address or DomainData information is given. 2398 DomainData 2399 Zero or more. The detailed domain (DNS) information associated 2400 with this Node. 2402 Address 2403 Zero or more. The hardware, network, or application address of 2404 the Node. If a NodeName or DomainData is not provided, at least 2405 one Address MUST be specified. 2407 PostalAddress 2408 Zero or one. The postal address of the asset. 2410 Location 2411 Zero or one. ML_STRING. A free-form description of the physical 2412 location of the Node. This description may provide a more 2413 detailed description of where in the PostalAddress this Node is 2414 found (e.g., room number, rack number, slot number in a chassis). 2416 DateTime 2417 Zero or one. A timestamp of when the resolution between the name 2418 and address was performed. This information MAY be provided if 2419 both an Address and NodeName are specified. 2421 NodeRole 2422 Zero or more. The intended purpose of the Node. 2424 Counter 2425 Zero or more. A counter with which to summarize properties of 2426 this host or network. 2428 The Node class has no attributes. 2430 3.19.1.
Address Class 2432 The Address class represents a hardware (layer-2), network (layer-3), 2433 or application (layer-7) address. 2435 This class was derived from [RFC4765]. 2437 +-------------------------+ 2438 | Address | 2439 +-------------------------+ 2440 | ENUM category | 2441 | STRING ext-category | 2442 | STRING vlan-name | 2443 | INTEGER vlan-num | 2444 | STRING indicator-uid | 2445 | STRING indicator-set-id | 2446 +-------------------------+ 2448 Figure 31: The Address Class 2450 The Address class has six attributes: 2452 category 2453 Optional. ENUM. The type of address represented. The permitted 2454 values for this attribute are shown below. The default value is 2455 "ipv4-addr". 2457 1. asn. Autonomous System Number 2459 2. atm. Asynchronous Transfer Mode (ATM) address 2461 3. e-mail. Electronic mail address (RFC 822) 2463 4. ipv4-addr. IPv4 host address in dotted-decimal notation 2464 (a.b.c.d) 2466 5. ipv4-net. IPv4 network address in dotted-decimal notation, 2467 slash, significant bits (a.b.c.d/nn) 2469 6. ipv4-net-mask. IPv4 network address in dotted-decimal 2470 notation, slash, network mask in dotted-decimal notation 2471 (a.b.c.d/w.x.y.z) 2473 7. ipv6-addr. IPv6 host address 2475 8. ipv6-net. IPv6 network address, slash, significant bits 2477 9. ipv6-net-mask. IPv6 network address, slash, network mask 2479 10. mac. Media Access Control (MAC) address 2481 11. site-uri. A URL or URI for a resource. 2483 12. ext-value. An escape value used to extend this attribute. 2484 See Section 5.1. 2486 ext-category 2487 Optional. STRING. A means by which to extend the category 2488 attribute. See Section 5.1. 2490 vlan-name 2491 Optional. STRING. The name of the Virtual LAN to which the 2492 address belongs. 2494 vlan-num 2495 Optional. INTEGER. The number of the Virtual LAN to which the 2496 address belongs. 2498 indicator-uid 2499 Optional. STRING. See Section 3.3.2. 2501 indicator-set-id 2502 Optional. STRING. See Section 3.3.2. 2504 3.19.2.
NodeRole Class 2506 The NodeRole class describes the intended function performed by a 2507 particular host. 2509 +---------------------+ 2510 | NodeRole | 2511 +---------------------+ 2512 | ENUM category | 2513 | STRING ext-category | 2514 | ENUM lang | 2515 +---------------------+ 2517 Figure 32: The NodeRole Class 2519 The NodeRole class has three attributes: 2521 category 2522 Required. ENUM. Functionality provided by a node. 2524 1. client. Client computer 2526 2. client-enterprise. Client computer on the enterprise network 2528 3. client-partner. Client computer on the network of a partner 2530 4. client-remote. Client computer remotely connected to the 2531 enterprise network 2533 5. client-kiosk. Client computer that serves as a kiosk 2535 6. client-mobile. Client is a mobile device 2537 7. server-internal. Server with internal services 2539 8. server-public. Server with public services 2541 9. www. WWW server 2543 10. mail. Mail server 2545 11. messaging. Messaging server (e.g., NNTP, IRC, IM) 2547 12. streaming. Streaming-media server 2549 13. voice. Voice server (e.g., SIP, H.323) 2551 14. file. File server (e.g., SMB, CVS, AFS) 2553 15. ftp. FTP server 2555 16. p2p. Peer-to-peer node 2557 17. name. Name server (e.g., DNS, WINS) 2559 18. directory. Directory server (e.g., LDAP, finger, whois) 2561 19. credential. Credential server (e.g., domain controller, 2562 Kerberos) 2564 20. print. Print server 2566 21. application. Application server 2568 22. database. Database server 2569 23. backup. Backup server 2571 24. dhcp. DHCP server 2573 25. infra. Infrastructure server (e.g., router, firewall, DHCP) 2575 26. infra-firewall. Firewall 2577 27. infra-router. Router 2579 28. infra-switch. Switch 2581 29. camera. Camera server 2583 30. proxy. Proxy server 2585 31. remote-access. Remote access server 2587 32. log. Log server (e.g., syslog) 2589 33. virtualization. Server running virtual machines 2591 34. pos. Point-of-sale device 2593 35. scada.
Supervisory control and data acquisition system 2595 36. scada-supervisory. Supervisory system for a SCADA 2597 37. ext-value. An escape value used to extend this attribute. 2598 See Section 5.1. 2600 ext-category 2601 Optional. STRING. A means by which to extend the category 2602 attribute. See Section 5.1. 2604 lang 2605 Optional. ENUM. A valid language code per [RFC4646] constrained 2606 by the definition of "xs:language". The interpretation of this 2607 code is described in Section 6. 2609 3.19.3. Counter Class 2611 The Counter class summarizes multiple occurrences of some event, or 2612 conveys counts or rates on various features (e.g., packets, sessions, 2613 events). 2615 The value of the counter is the element content with its units 2616 represented in the type attribute. A rate for a given feature can be 2617 expressed by setting the duration attribute. The complete semantics 2618 are entirely context dependent based on the class in which the 2619 Counter is aggregated. 2621 +---------------------+ 2622 | Counter | 2623 +---------------------+ 2624 | REAL | 2625 | | 2626 | ENUM type | 2627 | STRING ext-type | 2628 | STRING meaning | 2629 | ENUM duration | 2630 | STRING ext-duration | 2631 +---------------------+ 2633 Figure 33: The Counter Class 2635 The Counter class has five attributes: 2637 type 2638 Required. ENUM. Specifies the units of the element content. 2640 1. byte. Count of bytes. 2642 2. packet. Count of packets. 2644 3. flow. Count of flows (e.g., NetFlow records). 2646 4. session. Count of sessions. 2648 5. alert. Count of notifications generated by another system 2649 (e.g., IDS or SIM). 2651 6. message. Count of messages (e.g., mail messages). 2653 7. event. Count of events. 2655 8. host. Count of hosts. 2657 9. site. Count of sites. 2659 10. organization. Count of organizations. 2661 11. ext-value. An escape value used to extend this attribute. 2662 See Section 5.1. 2664 ext-type 2665 Optional. STRING.
A means by which to extend the type attribute. 2666 See Section 5.1. 2668 meaning 2669 Optional. STRING. A free-form description of the metric 2670 represented by the Counter. 2672 duration 2673 Optional. ENUM. If present, the Counter class represents a rate 2674 rather than a count over the entire event. In that case, this 2675 attribute specifies the denominator of the rate (where the type 2676 attribute specifies the numerator). The possible values of this 2677 attribute are defined in Section 3.13.3. 2679 ext-duration 2680 Optional. STRING. A means by which to extend the duration 2681 attribute. See Section 5.1. 2683 3.20. DomainData Class 2685 ...TODO... 2687 +--------------------------+ 2688 | DomainData | 2689 +--------------------------+ 2690 | ENUM system-status |<>----------[ Name ] 2691 | STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ] 2692 | ENUM domain-status |<>--{0..1}--[ RegistrationDate ] 2693 | STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ] 2694 | STRING indicator-uid |<>--{0..*}--[ RelatedDNS ] 2695 | STRING indicator-set-id |<>--{0..*}--[ Nameservers ] 2696 | |<>--{0..1}--[ DomainContacts ] 2697 | | 2698 +--------------------------+ 2700 Figure 34: The DomainData Class 2702 The aggregate classes that constitute DomainData are: 2704 Name 2705 One. ML_STRING. The domain name of the Node (e.g., fully 2706 qualified domain name). 2708 DateDomainWasChecked 2709 Zero or one. DATETIME. A timestamp of when the Name was 2710 resolved. 2712 RegistrationDate 2713 Zero or one. DATETIME. A timestamp of when the domain listed in 2714 Name was registered. 2716 ExpirationDate 2717 Zero or one. DATETIME. A timestamp of when the domain listed in 2718 Name is set to expire. 2720 RelatedDNS 2721 Zero or more. ...TODO... 2723 Nameservers 2724 Zero or more. The name servers identified for the domain listed 2725 in Name. 2727 DomainContacts 2728 Zero or one.
Contact information for the domain listed in Name 2729 supplied by the registrar or through a whois query. 2731 The DomainData class has six attributes: 2733 system-status 2734 Required. ENUM. Assesses the domain's involvement in the event. 2736 1. spoofed. This domain was spoofed. 2738 2. fraudulent. This domain was operated with fraudulent 2739 intentions. 2741 3. innocent-hacked. This domain was compromised by a third 2742 party. 2744 4. innocent-hijacked. This domain was deliberately hijacked. 2746 5. unknown. No categorization for this domain known. 2748 6. ext-value. An escape value used to extend this attribute. 2749 See Section 5.1. 2751 ext-system-status 2752 Optional. STRING. A means by which to extend the system-status 2753 attribute. See Section 5.1. 2755 domain-status 2756 Required. ENUM. Categorizes the registry status of the domain at 2757 the time the document was generated. These values and their 2758 associated descriptions are derived from Section 3.2.2 of 2759 [RFC3982]. 2761 1. reservedDelegation. The domain is permanently inactive. 2763 2. assignedAndActive. The domain is in a normal state. 2765 3. assignedAndInactive. The domain has an assigned registration 2766 but the delegation is inactive. 2768 4. assignedAndOnHold. The domain is under dispute. 2770 5. revoked. The domain is in the process of being purged from 2771 the database. 2773 6. transferPending. The domain is pending a change in 2774 authority. 2776 7. registryLock. The domain is on hold by the registry. 2778 8. registrarLock. Same as "registryLock". 2780 9. other. ... TODO -- RFC 5901 has this but doesn't describe it 2781 ... 2783 10. unknown. The domain has an unknown status. 2785 11. ext-value. An escape value used to extend this attribute. 2786 See Section 5.1. 2788 ext-domain-status 2789 Optional. STRING. A means by which to extend the domain-status 2790 attribute. See Section 5.1. 2792 indicator-uid 2793 Optional. STRING. See Section 3.3.2.
2795 indicator-set-id 2796 Optional. STRING. See Section 3.3.2. 2798 3.20.1. RelatedDNS 2800 ...TODO... 2802 +----------------------+ 2803 | RelatedDNS | 2804 +----------------------+ 2805 | STRING | 2806 | | 2807 | ENUM record-type | 2808 | ENUM ext-record-type | 2809 +----------------------+ 2811 Figure 35: The RelatedDNS Class 2813 3.20.2. Nameservers Class 2815 The Nameservers class describes the name servers associated with a 2816 given domain. 2818 +--------------------+ 2819 | Nameservers | 2820 +--------------------+ 2821 | |<>----------[ Server ] 2822 | |<>--{1..*}--[ Address ] 2823 +--------------------+ 2825 Figure 36: The Nameservers Class 2827 The aggregate classes that constitute Nameservers are: 2829 Server 2830 One. ML_STRING. The domain name of the name server. 2832 Address 2833 One or more. The address of the name server. See Section 3.19.1. 2835 3.20.3. DomainContacts Class 2837 The DomainContacts class describes the contact information for a 2838 given domain provided either by the registrar or through a whois 2839 query. 2841 This contact information can be explicitly described through a 2842 Contact class or a reference can be provided to a domain with 2843 identical contact information. Either a single SameDomainContact 2844 MUST be present or one or many Contact classes. 2846 +--------------------+ 2847 | DomainContacts | 2848 +--------------------+ 2849 | |<>--{0..1}--[ SameDomainContact ] 2850 | |<>--{1..*}--[ Contact ] 2851 +--------------------+ 2853 Figure 37: The DomainContacts Class 2855 The aggregate classes that constitute DomainContacts are: 2857 SameDomainContact 2858 Zero or one. ML_STRING. A domain name already cited in this 2859 document or through previous exchange that contains the identical 2860 contact information as the domain name in question. The domain 2861 contact information associated with this domain should be used in 2862 lieu of explicit definition with the Contact class. 2864 Contact 2865 One or more.
Contact information for the domain. See 2866 Section 3.10. 2868 3.21. Service Class 2870 The Service class describes a network service of a host or network. 2871 The service is identified by specific port or list of ports, along 2872 with the application listening on that port. 2874 When Service occurs as an aggregate class of a System that is a 2875 source, then this service is the one from which activity of interest 2876 is originating. Conversely, when Service occurs as an aggregate 2877 class of a System that is a target, then that service is the one to 2878 which activity of interest is directed. 2880 This class was derived from [RFC4765]. 2882 +-------------------------+ 2883 | Service | 2884 +-------------------------+ 2885 | INTEGER ip_protocol |<>--{0..1}--[ Port ] 2886 | STRING indicator-uid |<>--{0..1}--[ Portlist ] 2887 | STRING indicator-set-id |<>--{0..1}--[ ProtoCode ] 2888 | |<>--{0..1}--[ ProtoType ] 2889 | |<>--{0..1}--[ ProtoField ] 2890 | |<>--{0..*}--[ ApplicationHeader ] 2891 | |<>--{0..1}--[ EmailData ] 2892 | |<>--{0..1}--[ Application ] 2893 +-------------------------+ 2895 Figure 38: The Service Class 2897 The aggregate classes that constitute Service are: 2899 Port 2900 Zero or one. INTEGER. A port number. 2902 Portlist 2903 Zero or one. PORTLIST. A list of port numbers formatted 2904 according to Section 2.10. 2906 ProtoCode 2907 Zero or one. INTEGER. A transport layer (layer 4) protocol- 2908 specific code field (e.g., ICMP code field). 2910 ProtoType 2911 Zero or one. INTEGER. A transport layer (layer 4) protocol 2912 specific type field (e.g., ICMP type field). 2914 ProtoField 2915 Zero or one. INTEGER. A transport layer (layer 4) protocol 2916 specific flag field (e.g., TCP flag field). 2918 ApplicationHeader 2919 Zero or many. An application layer (layer 7) protocol header. 2920 See Section 3.21.1. 2922 EmailData 2923 Zero or one. Headers associated with an email. See Section 3.23. 2925 Application 2926 Zero or one. 
      The application bound to the specified Port or Portlist.  See
      Section 3.21.2.

   Either a Port or Portlist class MUST be specified for a given
   instance of a Service class.

   When a System class with category="source" and another with
   category="target" are aggregated into a single Flow class, and each
   of these System classes has a Service and Portlist class, an implicit
   relationship between these Portlists exists.  If N ports are listed
   for the System@category="source", and M ports are listed for the
   System@category="target", the number of ports N must be equal to M.
   Likewise, the ports MUST be listed in an identical sequence such that
   the n-th port in the source corresponds to the n-th port of the
   target.  If N is greater than 1, a given instance of a Flow class
   MUST only have a single instance of a System@category="source" and
   System@category="target".

   The Service class has three attributes:

   ip_protocol
      Required.  INTEGER.  The IANA assigned IP protocol number per
      [IANA.Protocols].

   indicator-uid
      Optional.  STRING.  See Section 3.3.2.

   indicator-set-id
      Optional.  STRING.  See Section 3.3.2.

3.21.1.  ApplicationHeader Class

   The ApplicationHeader class allows the representation of arbitrary
   fields from an application layer protocol header and their
   corresponding values.

   +--------------------------+
   | ApplicationHeader        |
   +--------------------------+
   | ANY                      |
   |                          |
   | INTEGER proto            |
   | STRING field             |
   | ENUM dtype               |
   | STRING indicator-uid     |
   | STRING indicator-set-id  |
   +--------------------------+

                  Figure 39: The ApplicationHeader Class

   The ApplicationHeader class has five attributes:

   proto
      Required.  INTEGER.  The IANA assigned port number per
      [IANA.Ports] corresponding to the application layer protocol whose
      field will be represented.

   field
      Required.  STRING.
      The name of the protocol field whose value will be found in the
      element body.

   dtype
      Required.  ENUM.  The data type of the element content.  The
      permitted values for this attribute are shown below.  The default
      value is "string".

      1.  boolean.  The element content is of type BOOLEAN.

      2.  byte.  The element content is of type BYTE.

      3.  bytes.  The element content is of type HEXBIN.

      4.  character.  The element content is of type CHARACTER.

      5.  date-time.  The element content is of type DATETIME.

      6.  integer.  The element content is of type INTEGER.

      7.  portlist.  The element content is of type PORTLIST.

      8.  real.  The element content is of type REAL.

      9.  string.  The element content is of type STRING.

      10. file.  The element content is a base64 encoded binary file
          encoded as a BYTE[] type.

      11. path.  The element content is a file-system path encoded as a
          STRING type.

      12. xml.  The element content is XML.  See Section 5.

      13. ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-dtype
      Optional.  STRING.  A means by which to extend the dtype
      attribute.  See Section 5.1.

   indicator-uid
      Optional.  STRING.  See Section 3.3.2.

   indicator-set-id
      Optional.  STRING.  See Section 3.3.2.

3.21.2.  Application Class

   The Application class describes an application running on a System
   providing a Service.

   +--------------------+
   | Application        |
   +--------------------+
   | STRING swid        |<>--{0..1}--[ URL ]
   | STRING configid    |
   | STRING vendor      |
   | STRING family      |
   | STRING name        |
   | STRING version     |
   | STRING patch       |
   +--------------------+

                     Figure 40: The Application Class

   The aggregate class that constitutes Application is:

   URL
      Zero or one.  URL.  A URL describing the application.

   The Application class has seven attributes:

   swid
      Optional.  STRING.
      An identifier that can be used to reference this software, where
      the default value is "0".

   configid
      Optional.  STRING.  An identifier that can be used to reference a
      particular configuration of this software, where the default value
      is "0".

   vendor
      Optional.  STRING.  Vendor name of the software.

   family
      Optional.  STRING.  Family of the software.

   name
      Optional.  STRING.  Name of the software.

   version
      Optional.  STRING.  Version of the software.

   patch
      Optional.  STRING.  Patch or service pack level of the software.

3.22.  OperatingSystem Class

   The OperatingSystem class describes the operating system running on a
   System.  The definition is identical to the Application class
   (Section 3.21.2).

3.23.  EmailData Class

   The EmailData class describes headers from an email message.  Common
   headers have dedicated classes, but arbitrary headers can also be
   described.

   +-------------------------+
   | EmailData               |
   +-------------------------+
   | STRING indicator-uid    |<>--{0..1}--[ EmailFrom ]
   | STRING indicator-set-id |<>--{0..1}--[ EmailSubject ]
   |                         |<>--{0..1}--[ EmailX-Mailer ]
   |                         |<>--{0..*}--[ EmailHeaderField ]
   +-------------------------+

                       Figure 41: EmailData Class

   The aggregate classes that constitute EmailData are:

   EmailFrom
      Zero or one.  The value of the "From:" header field in an email.
      See Section 3.6.2 of [RFC5322].

   EmailSubject
      Zero or one.  The value of the "Subject:" header field in an
      email.  See Section 3.6.4 of [RFC5322].

   EmailX-Mailer
      Zero or one.  The value of the "X-Mailer:" header field in an
      email.

   EmailHeaderField
      Zero or one.  The value of an arbitrary header field in the email.
      See Section 3.21.1.  The attributes of EmailHeaderField MUST be
      set as follows: proto="25" and dtype="string".
      The name of the email header field MUST be set in the field
      attribute.

   The EmailData class has two attributes:

   indicator-uid
      Optional.  STRING.  See Section 3.3.2.

   indicator-set-id
      Optional.  STRING.  See Section 3.3.2.

3.24.  Record Class

   The Record class is a container class for log and audit data that
   provides supportive information about the incident.  The source of
   this data will often be the output of monitoring tools.  These logs
   substantiate the activity described in the document.

   +------------------+
   | Record           |
   +------------------+
   | ENUM restriction |<>--{1..*}--[ RecordData ]
   +------------------+

                         Figure 42: Record Class

   The aggregate class that constitutes Record is:

   RecordData
      One or more.  Log or audit data generated by a particular type of
      sensor.  Separate instances of the RecordData class SHOULD be used
      for each sensor type.

   The Record class has one attribute:

   restriction
      Optional.  ENUM.  This attribute has been defined in Section 3.2.

3.24.1.  RecordData Class

   The RecordData class groups log or audit data from a given sensor
   (e.g., IDS, firewall log) and provides a way to annotate the output.

   +-------------------------+
   | RecordData              |
   +-------------------------+
   | ENUM restriction        |<>--{0..1}--[ DateTime ]
   | STRING indicator-uid    |<>--{0..*}--[ Description ]
   | STRING indicator-set-id |<>--{0..1}--[ Application ]
   |                         |<>--{0..*}--[ RecordPattern ]
   |                         |<>--{0..*}--[ RecordItem ]
   |                         |<>--{0..1}--[ HashData ]
   |                         |<>--{0..*}--[ WindowsRegistryKeysModified ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                     Figure 43: The RecordData Class

   The aggregate classes that constitute RecordData are:

   DateTime
      Zero or one.  Timestamp of the RecordItem data.

   Description
      Zero or more.  ML_STRING.
      Free-form textual description of the provided RecordItem data.  At
      minimum, this description should convey the significance of the
      provided RecordItem data.

   Application
      Zero or one.  Information about the sensor used to generate the
      RecordItem data.

   RecordPattern
      Zero or more.  A search string to precisely find the relevant data
      in a RecordItem.

   RecordItem
      Zero or more.  Log, audit, or forensic data.

   HashData
      Zero or one.  The file name and hash of a file indicator.

   WindowsRegistryKeysModified
      Zero or more.  The registry keys that were modified and that are
      indicators.

   AdditionalData
      Zero or more.  An extension mechanism for data not explicitly
      represented in the data model.

   The RecordData class has three attributes:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   indicator-uid
      Optional.  STRING.  See Section 3.3.2.

   indicator-set-id
      Optional.  STRING.  See Section 3.3.2.

3.24.2.  RecordPattern Class

   The RecordPattern class describes where in the content of the
   RecordItem relevant information can be found.  It provides a way to
   reference subsets of information, identified by a pattern, in a large
   log file, audit trail, or forensic data.

   +-----------------------+
   | RecordPattern         |
   +-----------------------+
   | STRING                |
   |                       |
   | ENUM type             |
   | STRING ext-type       |
   | INTEGER offset        |
   | ENUM offsetunit       |
   | STRING ext-offsetunit |
   | INTEGER instance      |
   +-----------------------+

                    Figure 44: The RecordPattern Class

   The specific pattern to search with in the RecordItem is defined in
   the body of the element.  It is further annotated by six attributes:

   type
      Required.  ENUM.  Describes the type of pattern being specified in
      the element content.  The default is "regex".

      1.  regex.  regular expression, per Appendix F of
          [W3C.SCHEMA.DTYPES].

      2.  binary.
          Binhex encoded binary pattern, per the HEXBIN data type.

      3.  xpath.  XML Path (XPath) [W3C.XPATH].

      4.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.

   offset
      Optional.  INTEGER.  Amount of units (determined by the offsetunit
      attribute) to seek into the RecordItem data before matching the
      pattern.

   offsetunit
      Optional.  ENUM.  Describes the units of the offset attribute.
      The default is "line".

      1.  line.  Offset is a count of lines.

      2.  byte.  Offset is a count of bytes.

      3.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-offsetunit
      Optional.  STRING.  A means by which to extend the offsetunit
      attribute.  See Section 5.1.

   instance
      Optional.  INTEGER.  Number of times to apply the specified
      pattern.

3.24.3.  RecordItem Class

   The RecordItem class provides a way to incorporate relevant logs,
   audit trails, or forensic data to support the conclusions made during
   the course of analyzing the incident.  The class supports both the
   direct encapsulation of the data and provides primitives to reference
   data stored elsewhere.

   This class is identical to the AdditionalData class (Section 3.9).

3.25.  WindowsRegistryKeysModified Class

   The WindowsRegistryKeysModified class describes Windows operating
   system registry keys and the operations that were performed on them.
   This class was derived from [RFC5901].
   +-----------------------------+
   | WindowsRegistryKeysModified |
   +-----------------------------+
   | STRING indicator-uid        |<>--{1..*}--[ Key ]
   | STRING indicator-set-id     |
   +-----------------------------+

            Figure 45: The WindowsRegistryKeysModified Class

   The aggregate class that constitutes the WindowsRegistryKeysModified
   class is:

   Key
      One or many.  The Windows registry key.

   The WindowsRegistryKeysModified class has two attributes:

   indicator-uid
      Optional.  STRING.  See Section 3.3.2.

   indicator-set-id
      Optional.  STRING.  See Section 3.3.2.

3.25.1.  Key Class

   The Key class describes a particular Windows operating system
   registry key name and value pair, and the operation performed on it.

   +---------------------------+
   | Key                       |
   +---------------------------+
   | ENUM registryaction       |<>----------[ KeyName ]
   | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
   | ENUM type                 |
   | STRING ext-type           |
   +---------------------------+

                         Figure 46: The Key Class

   The aggregate classes that constitute Key are:

   KeyName
      One.  STRING.  The name of the Windows operating system registry
      key (e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName]).

   KeyValue
      Zero or one.  STRING.  The value of the associated registry key
      encoded as in Microsoft .reg files [KB310516].

   The Key class has four attributes:

   registryaction
      Optional.  ENUM.  The type of action taken on the registry key.

      1.  add-key.  Registry key added.

      2.  add-value.  Value added to registry key.

      3.  delete-key.  Registry key deleted.

      4.  delete-value.  Value deleted from registry key.

      5.  modify-key.  Registry key modified.

      6.  modify-value.  Value modified for registry key.

      7.  ext-value.  External value.

   ext-registryaction
      Optional.  A means by which to extend the registryaction
      attribute.  See Section 5.1.

   type
      Optional.  TODO.
      1.  watchlist.  Registry key information that is provided in a
          watchlist.

      2.  ext-value.  Registry key information from an external source.

   ext-type
      Optional.  A means by which to extend the type attribute.  See
      Section 5.1.

   indicator-uid
      Optional.  STRING.  See Section 3.3.2.

   indicator-set-id
      Optional.  STRING.  See Section 3.3.2.

3.26.  HashData Class

   The HashData class describes files, file hashes, ... TODO ... the hash
   and signature details that are needed for providing context for
   indicators.

   +--------------------------+
   | HashData                 |
   +--------------------------+
   | ENUM type                |<>--{0..*}--[ FileName ]
   | STRING ext-type          |<>--{0..*}--[ FileSize ]
   | BOOL valid               |<>--{0..*}--[ ds:Signature ]
   | STRING indicator-uid     |<>--{0..*}--[ ds:KeyInfo ]
   | STRING indicator-set-id  |<>--{0..*}--[ ds:Reference ]
   |                          |<>--{0..*}--[ AdditionalData ]
   +--------------------------+

                      Figure 47: The HashData Class

   The aggregate classes that constitute HashData are:

   FileName
      Zero or more.  ML_STRING.  The name of the file.

   FileSize
      Zero or more.  INTEGER.  The size of the file in bytes.

   ds:Signature
      Zero or more.

   ds:KeyInfo
      Zero or more.

   ds:Reference
      Zero or more.  The algorithm identification and value of a hash
      computed over a file.  This element is defined in [RFC3275].
      Refer to RFC 5901.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.  See
      Section 3.9.

   The HashData class has five attributes:

   type
      Optional.  ENUM.  The Hash Type.

      1.  PKI-email-ds.  PKI email digital signature.

      2.  PKI-file-ds.  PKI file digital signature.

      3.  PKI-email-ds_watchlist.  Watchlist of PKI email digital
          signatures.

      4.  PKI-file-ds_watchlist.  Watchlist of PKI file digital
          signatures.

      5.  PGP-email-ds.  PGP email digital signature.

      6.  PGP-file-ds.
          PGP file digital signature.

      7.  PGP-email-ds-watchlist.  Watchlist of PGP email digital
          signatures.

      8.  PGP-file-ds-watchlist.  Watchlist of PGP file digital
          signatures.

      9.  file-hash.  A file hash.

      10. email-hash.  An email hash.

      11. file-hash-watchlist.  Watchlist of file hashes.

      12. email-hash-watchlist.  Watchlist of email hashes.

      13. ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.

   valid
      Optional.  BOOLEAN.  Indicates if the signature or hash is valid.

   indicator-uid
      Optional.  STRING.  See Section 3.3.2.

   indicator-set-id
      Optional.  STRING.  See Section 3.3.2.

4.  Processing Considerations

   This section defines additional requirements on creating and parsing
   IODEF documents.

4.1.  Encoding

   Every IODEF document MUST begin with an XML declaration, and MUST
   specify the XML version used.  If UTF-8 encoding is not used, the
   character encoding MUST also be explicitly specified.  The IODEF
   conforms to all XML data encoding conventions and constraints.

   The XML declaration with no character encoding will read as follows:

   <?xml version="1.0" ?>

   When a character encoding is specified, the XML declaration will read
   like the following:

   <?xml version="1.0" encoding="charset" ?>

   Where "charset" is the name of the character encoding as registered
   with the Internet Assigned Numbers Authority (IANA), see [RFC2978].

   The following characters have special meaning in XML and MUST be
   escaped with their entity reference equivalent: "&", "<", ">", "\""
   (double quotation mark), and "'" (apostrophe).  These entity
   references are "&amp;", "&lt;", "&gt;", "&quot;", and "&apos;"
   respectively.

4.2.  IODEF Namespace

   The IODEF schema declares a namespace of
   "urn:ietf:params:xml:ns:iodef-2.0" and registers it per [W3C.XMLNS].
   Each IODEF document MUST include a valid reference to the IODEF
   schema using the "xsi:schemaLocation" attribute.  An example of such
   a declaration would look as follows:

   A given extension attribute MUST NOT be set unless the corresponding
   extensible attribute has been set to "ext-value".

5.2.  Extending Classes

   The classes of the data model can be extended only through the use of
   the AdditionalData and RecordItem classes.  These container classes,
   collectively referred to as the extensible classes, are implemented
   with the iodef:ExtensionType data type in the schema.  They provide
   the ability to have new atomic or XML-encoded data elements in all of
   the top-level classes of the Incident class and a few of the more
   complicated subordinate classes.  As there are multiple instances of
   the extensible classes in the data model, there is discretion on
   where to add a new data element.  It is RECOMMENDED that the
   extension be placed in the most closely related class to the new
   information.

   Extensions using the atomic data types (i.e., all values of the dtype
   attributes other than "xml") MUST:

   1.  Set the element content of extensible class to the desired value,
       and

   2.  Set the dtype attribute to correspond to the data type of the
       element content.

   The following guidelines exist for extensions using XML:

   1.  The element content of the extensible class MUST be set to the
       desired value and the dtype attribute MUST be set to "xml".

   2.  The extension schema MUST declare a separate namespace.  It is
       RECOMMENDED that these extensions have the prefix "iodef-".  This
       recommendation makes readability of the document easier by
       allowing the reader to infer which namespaces relate to IODEF by
       inspection.

   3.  It is RECOMMENDED that extension schemas follow the naming
       convention of the IODEF data model.
       This makes reading an extended IODEF document look like any other
       IODEF document.  The names of all elements are capitalized.  For
       elements with composed names, a capital letter is used for each
       word.  Attribute names are lower case.  Attributes with composed
       names are separated by a hyphen.

   4.  Parsers that encounter an unrecognized element in a namespace
       that they do support MUST reject the document as a syntax error.

   5.  There are security and performance implications in requiring
       implementations to dynamically download schemas at run time.
       Thus, implementations SHOULD NOT download schemas at runtime,
       unless implementations take appropriate precautions and are
       prepared for potentially significant network, processing, and
       time-out demands.

   6.  Some users of the IODEF may have private schema definitions that
       might not be available on the Internet.  In this situation, if an
       IODEF document leaks out of the private use space, references to
       some of those document schemas may not be resolvable.  This has
       two implications.  First, references to private schemas may never
       resolve.  As such, in addition to the suggestion that
       implementations do not download schemas at runtime mentioned
       above, recipients MUST be prepared for a schema definition in an
       IODEF document never to resolve.

   The following schema and XML document excerpt provide a template for
   an extension schema and its use in the IODEF document.

   This example schema defines a namespace of "iodef-extension1" and a
   single element named "newdata".

   (The schema itself is not preserved in this copy; only the fragment
   attributeFormDefault="unqualified" elementFormDefault="qualified"
   survived extraction.)

   The following XML excerpt demonstrates the use of the above schema as
   an extension to the IODEF.

   (The XML excerpt is not preserved in this copy.)
   (The remainder of the extension excerpt, the section headings that
   followed it, and the first example document of Section 7, in which
   the Example.com CSIRT reports a host sending out Code Red probes, are
   not preserved in this copy: the XML markup was lost in extraction.)
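   The worm report described above carries its web-server log lines in a
   RecordData/RecordItem, and Section 3.24.2 defines how a RecordPattern
   points into such data: the pattern sits in the element body and is
   annotated with type, offset, offsetunit and instance.  The following
   Python code is an added example and is not part of this draft or of
   any IODEF implementation: it applies a "regex" or "binary"
   RecordPattern to a constructed log modelled on that RecordItem,
   honouring the offset unit (line or byte) and the instance cap.  The
   RecordPattern dataclass, the treatment of an unset instance as "all
   matches", and the WEB_LOG sample are assumptions of the example.

```python
"""Apply an IODEF RecordPattern (Section 3.24.2) to RecordItem data.

Added example, not from the draft.  The "regex" and "binary" pattern types
are implemented; "xpath" is rejected explicitly so a caller learns the
pattern was not evaluated instead of seeing zero matches.  Assumption: an
unset instance attribute means "apply the pattern as often as it matches".
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RecordPattern:
    pattern: str                      # element body: the pattern itself
    type: str = "regex"               # regex | binary | xpath
    offset: int = 0                   # units to seek before matching
    offsetunit: str = "line"          # line | byte
    instance: Optional[int] = None    # number of times to apply the pattern


def _seek(data: bytes, offset: int, unit: str) -> Tuple[bytes, int]:
    """Skip `offset` units; return (remaining data, absolute byte position)."""
    if offset < 0:
        raise ValueError("offset must not be negative")
    if unit == "byte":
        pos = min(offset, len(data))
        return data[pos:], pos
    if unit == "line":
        pos = 0
        for _ in range(offset):
            nl = data.find(b"\n", pos)
            if nl < 0:                # fewer lines than requested: nothing left
                return b"", len(data)
            pos = nl + 1
        return data[pos:], pos
    raise ValueError(f"unsupported offsetunit {unit!r}")


def apply_record_pattern(rp: RecordPattern, record_item: bytes) -> List[Tuple[int, bytes]]:
    """Return [(absolute byte offset, matched bytes)] for every hit, in order."""
    window, base = _seek(record_item, rp.offset, rp.offsetunit)
    if rp.type == "regex":
        matcher = re.compile(rp.pattern.encode("utf-8"))
        hits = [(base + m.start(), m.group(0)) for m in matcher.finditer(window)]
    elif rp.type == "binary":
        needle = bytes.fromhex(rp.pattern)           # HEXBIN element body
        hits, start = [], 0
        while True:
            i = window.find(needle, start)
            if i < 0:
                break
            hits.append((base + i, needle))
            start = i + 1
    elif rp.type == "xpath":
        raise ValueError("xpath patterns need an XML RecordItem; not handled here")
    else:
        raise ValueError(f"unknown RecordPattern type {rp.type!r}")
    if rp.instance is not None:
        hits = hits[: rp.instance]
    return hits


def hit_lines(hits: List[Tuple[int, bytes]], record_item: bytes) -> List[int]:
    """Translate absolute byte offsets into 1-based line numbers."""
    return [record_item.count(b"\n", 0, pos) + 1 for pos, _ in hits]


# Constructed web-server log in the style of the RecordItem in the worm
# example above: Code Red probes request /default.ida with a run of "X".
WEB_LOG = b"\n".join([
    b'192.0.2.5 - - [13/Sep/2001:18:09:02 +0200] "GET /index.html HTTP/1.0" 200 512',
    b'192.0.2.1 - - [13/Sep/2001:18:11:21 +0200] "GET /default.ida?' + b"X" * 40 + b' HTTP/1.0" 400 0',
    b'192.0.2.1 - - [13/Sep/2001:18:11:22 +0200] "GET /default.ida?' + b"X" * 40 + b' HTTP/1.0" 400 0',
    b'192.0.2.7 - - [13/Sep/2001:18:12:00 +0200] "GET /robots.txt HTTP/1.0" 404 0',
]) + b"\n"

# Skip the first line, then look for the probe signature.
CODE_RED = RecordPattern(pattern=r'"GET /default\.ida\?X+', offset=1, offsetunit="line")

if __name__ == "__main__":
    hits = apply_record_pattern(CODE_RED, WEB_LOG)
    print(hit_lines(hits, WEB_LOG))   # [2, 3]
```

   Offsets are returned as absolute byte positions in the RecordItem
   even when the seek was expressed in lines, so a consumer can quote
   the matched region back in a follow-up document without recomputing
   the line arithmetic.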
7.2.  Reconnaissance

   An example of a CSIRT reporting a scanning activity.

   (The XML example document is not preserved in this copy; its markup
   was lost in extraction.)
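   The scan report above pairs a source Portlist of
   60524,60526,60527,60531 with a target Portlist of 137-139,445, which
   is exactly the situation governed by the Portlist rule of
   Section 3.21: equal port counts, positional correspondence, and a
   single source and target System whenever N > 1.  The following Python
   code is an added example, not part of this draft or of any IODEF
   implementation: it parses PORTLIST strings in the Section 2.10 form
   and checks a Flow against that rule.  The Flow, System and Service
   dataclasses and the SCAN_FLOW sample are constructed for the example.

```python
"""Validate the Portlist pairing rule of IODEF Flow/Service (Section 3.21).

Added example, not part of the draft.  The dataclasses are a plain-Python
stand-in for the Flow, System and Service classes; the PORTLIST syntax
follows Section 2.10 (comma-separated port numbers and hyphenated ranges,
e.g. "137-139,445").
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def parse_portlist(text: str) -> List[int]:
    """Expand a PORTLIST string into an ordered list of port numbers."""
    ports: List[int] = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty entry in portlist {text!r}")
        lo, sep, hi = item.partition("-")
        start = int(lo)
        end = int(hi) if sep else start
        if not 0 <= start <= end <= 65535:
            raise ValueError(f"bad port or range {item!r}")
        ports.extend(range(start, end + 1))
    return ports


@dataclass
class Service:
    ip_protocol: int                 # IANA protocol number, 6 = TCP
    port: Optional[int] = None
    portlist: Optional[str] = None

    def ports(self) -> List[int]:
        """Exactly one of Port or Portlist MUST be present (Section 3.21)."""
        if (self.port is None) == (self.portlist is None):
            raise ValueError("Service needs exactly one of Port or Portlist")
        if self.port is not None:
            return [self.port]
        return parse_portlist(self.portlist)


@dataclass
class System:
    category: str                    # "source" or "target"
    address: str
    service: Optional[Service] = None


@dataclass
class Flow:
    systems: List[System] = field(default_factory=list)


def _with_portlist(flow: Flow, category: str) -> List[System]:
    """Systems of the given category that carry a Portlist (not a Port)."""
    return [s for s in flow.systems
            if s.category == category and s.service is not None
            and s.service.portlist is not None]


def check_flow_portlists(flow: Flow) -> List[str]:
    """Return the rule violations found (an empty list means the flow is consistent).

    Section 3.21: when a source and a target System in one Flow both carry a
    Portlist, the lists have the same number N of ports, the n-th source port
    pairing with the n-th target port; and if N > 1 the Flow holds exactly
    one source and one target System.
    """
    problems: List[str] = []
    sources = _with_portlist(flow, "source")
    targets = _with_portlist(flow, "target")
    if not sources or not targets:
        return problems              # the rule only applies to Portlist pairs
    n = len(sources[0].service.ports())
    m = len(targets[0].service.ports())
    if n != m:
        problems.append(f"source lists {n} ports but target lists {m}")
    n_src = sum(1 for s in flow.systems if s.category == "source")
    n_dst = sum(1 for s in flow.systems if s.category == "target")
    if n > 1 and (n_src != 1 or n_dst != 1):
        problems.append("N > 1 requires exactly one source and one target System")
    return problems


def port_pairs(flow: Flow) -> List[Tuple[int, int]]:
    """Pair the n-th source port with the n-th target port of a consistent flow."""
    problems = check_flow_portlists(flow)
    if problems:
        raise ValueError("; ".join(problems))
    src = _with_portlist(flow, "source")
    dst = _with_portlist(flow, "target")
    if not src or not dst:
        raise ValueError("flow has no source/target Portlist pair")
    return list(zip(src[0].service.ports(), dst[0].service.ports()))


# Constructed data modelled on the scan report in Section 7.2: four
# ephemeral source ports probing NetBIOS/SMB ports on a single target.
SCAN_FLOW = Flow([
    System("source", "192.0.2.200", Service(6, portlist="60524,60526,60527,60531")),
    System("target", "192.0.2.201", Service(6, portlist="137-139,445")),
])

if __name__ == "__main__":
    print(check_flow_portlists(SCAN_FLOW))   # []
    print(port_pairs(SCAN_FLOW))
```

   A receiver that silently accepts mismatched lists would attribute the
   wrong source port to a target port when it later correlates the
   report with its own flow records, which is why the check is run
   before any pairing is produced.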
7.3.  Bot-Net Reporting

   An example of a CSIRT reporting a bot-network.

   (The XML example document is not preserved in this copy; its markup
   was lost in extraction.)
7.4.  Watch List

   An example of a CSIRT conveying a watch-list.

   (The XML example document is not preserved in this copy; its markup
   was lost in extraction.)
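   Sections 5.1 and 5.2 set the rules a receiving parser has to apply to
   documents such as the examples above: an ext-dtype attribute only
   alongside dtype="ext-value", XML extensions carried under dtype="xml"
   in a namespace of their own, rejection of an unrecognized element in
   the IODEF namespace (guideline 4), and no schema downloads at run
   time (guidelines 5 and 6); Section 9 adds that embedded content must
   be handled with care.  The following Python code is an added example,
   not part of this draft or of any IODEF implementation: it checks a
   document against those rules with the standard-library parser, which
   resolves no xsi:schemaLocation at all.  The known-element list is a
   subset drawn from the class names in this draft, the sample documents
   and the urn:example:iodef-extension1 namespace are constructed, and
   the refusal of a DOCTYPE is a defensive choice of this example rather
   than a rule stated in the draft.

```python
"""Offline acceptance check for IODEF documents with extensions.

Added example, not part of the draft.  It applies the parser rules of
Sections 5.1 and 5.2 using only the Python standard library: no schema is
ever fetched (xsi:schemaLocation stays unresolved), elements outside the
IODEF namespace are accepted as extensions, and an unrecognised element
inside the IODEF namespace rejects the whole document.  KNOWN_IODEF_ELEMENTS
is a subset taken from the class names in this draft; a real implementation
would derive the full set from the schema (assumption).
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
KNOWN_IODEF_ELEMENTS = {
    "IODEF-Document", "Incident", "IncidentID", "ReportTime", "Description",
    "Contact", "Email", "EventData", "Flow", "System", "Node", "Address",
    "Service", "Port", "Portlist", "Application", "Record", "RecordData",
    "RecordItem", "RecordPattern", "AdditionalData", "EmailData", "HashData",
}
EXTENSIBLE = {"AdditionalData", "RecordItem"}            # Section 5.2
ATOMIC_DTYPES = {"boolean", "byte", "bytes", "character", "date-time",
                 "integer", "portlist", "real", "string", "file", "path"}


def _split(tag: str) -> Tuple[str, str]:
    """'{ns}local' -> (ns, local); an unqualified tag gets an empty namespace."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def _check_extensible(elem: ET.Element, name: str, problems: List[str]) -> None:
    """Rules for AdditionalData/RecordItem content (Sections 5.1 and 5.2)."""
    dtype = elem.get("dtype", "string")          # "string" is the documented default
    ext_dtype = elem.get("ext-dtype")
    children = list(elem)
    if ext_dtype is not None and dtype != "ext-value":
        problems.append(f"{name}: ext-dtype set although dtype is {dtype!r}")
    if dtype == "xml":
        if len(children) != 1:
            problems.append(f"{name}: dtype=xml needs exactly one child element")
            return
        ns, _ = _split(children[0].tag)
        if ns in ("", IODEF_NS):
            problems.append(f"{name}: XML extension must use its own namespace")
    elif dtype in ATOMIC_DTYPES or dtype == "ext-value":
        if children:
            problems.append(f"{name}: dtype={dtype!r} must hold atomic content")
        if dtype == "ext-value" and not ext_dtype:
            problems.append(f"{name}: dtype=ext-value requires ext-dtype")
    else:
        problems.append(f"{name}: unknown dtype {dtype!r}")


def validate_iodef(xml_text: str) -> List[str]:
    """Return the reasons for rejecting a document (empty list == accept)."""
    # IODEF never needs a DTD, and a DOCTYPE is the vehicle for entity-expansion
    # tricks, so refuse it before the parser sees it (defensive choice).
    if "<!DOCTYPE" in xml_text:
        return ["DOCTYPE declarations are not accepted"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems: List[str] = []
    if _split(root.tag) != (IODEF_NS, "IODEF-Document"):
        problems.append(f"root element is {root.tag!r}, not IODEF-Document")
    for elem in root.iter():
        ns, local = _split(elem.tag)
        if ns != IODEF_NS:
            continue                      # extension namespace: accepted, never fetched
        if local not in KNOWN_IODEF_ELEMENTS:
            problems.append(f"unrecognised IODEF element {local!r}")   # guideline 4
        elif local in EXTENSIBLE:
            _check_extensible(elem, local, problems)
    return problems


def is_acceptable(xml_text: str) -> bool:
    return not validate_iodef(xml_text)


# Constructed documents (not the draft's examples).  The schemaLocation URL is
# a placeholder that is never contacted.
_HEAD = ('<?xml version="1.0" encoding="UTF-8"?>'
         '<IODEF-Document lang="en" xmlns="urn:ietf:params:xml:ns:iodef-2.0"'
         ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
         ' xsi:schemaLocation="urn:ietf:params:xml:schema:iodef-2.0'
         ' https://schema.example.invalid/iodef-2.0.xsd">'
         '<Incident purpose="reporting">'
         '<IncidentID name="csirt.example.com">189493</IncidentID>')
_TAIL = '</Incident></IODEF-Document>'
GOOD_DOC = (_HEAD
            + '<AdditionalData dtype="xml"><ext:newdata xmlns:ext="urn:example:iodef-extension1">'
              'Field that could not be represented elsewhere</ext:newdata></AdditionalData>'
            + '<AdditionalData dtype="integer">42</AdditionalData>' + _TAIL)
UNKNOWN_ELEMENT = _HEAD + '<Bogus>x</Bogus>' + _TAIL
BAD_XML_EXT = _HEAD + '<AdditionalData dtype="xml"><Description>x</Description></AdditionalData>' + _TAIL
BAD_EXT_DTYPE = _HEAD + '<AdditionalData dtype="string" ext-dtype="foo">x</AdditionalData>' + _TAIL
WITH_DOCTYPE = GOOD_DOC.replace("?>", '?><!DOCTYPE x [<!ENTITY a "b">]>', 1)

if __name__ == "__main__":
    for label, doc in [("good", GOOD_DOC), ("unknown", UNKNOWN_ELEMENT),
                       ("bad-ext", BAD_XML_EXT), ("doctype", WITH_DOCTYPE)]:
        print(label, validate_iodef(doc))
```

   Because the check never touches the network, an unresolvable
   schemaLocation (guideline 6) costs nothing here; schema validation
   against the Section 8 definition, if wanted, would be a separate step
   run against a locally stored copy of the schema.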
8.  The IODEF Schema

   (The XML Schema is not preserved in this copy; only its annotation,
   "Incident Object Description Exchange Format v2.0, RFC5070-bis",
   survived extraction.)

9.  Security Considerations

   The IODEF data model itself does not directly introduce security
   issues.
   Rather, it simply defines a representation for incident
   information.  As the data encoded by the IODEF might be considered
   privacy sensitive by the parties exchanging the information or by
   those described by it, care needs to be taken in ensuring the
   appropriate disclosure during both document exchange and subsequent
   processing.  The former must be handled by a messaging format, but
   the latter risk must be addressed by the systems that process, store,
   and archive IODEF documents and information derived from them.

   Executable content could be embedded into the IODEF document directly
   or through an extension.  The IODEF parser should handle this content
   with care to prevent unintentional automated execution.

   The contents of an IODEF document may include a request for action or
   an IODEF parser may independently have logic to take certain actions
   based on information that it finds.  For this reason, care must be
   taken by the parser to properly authenticate the recipient of the
   document and ascribe an appropriate confidence to the data prior to
   action.

   The underlying messaging format and protocol used to exchange
   instances of the IODEF MUST provide appropriate guarantees of
   confidentiality, integrity, and authenticity.  The use of a
   standardized security protocol is encouraged.  The Real-time
   Inter-network Defense (RID) protocol [RFC6545] and its associated
   transport binding IODEF/RID over HTTP/TLS [RFC6546] provide such
   security.

   In order to suggest data processing and handling guidelines of the
   encoded information, the IODEF allows a document sender to convey a
   privacy policy using the restriction attribute.  The various
   instances of this attribute allow different data elements of the
   document to be covered by dissimilar policies.
   While flexible, it must be stressed that this approach only serves as
   a guideline from the sender, as the recipient is free to ignore it.
   There is no technical means to enforce the requested handling; the
   issue of enforcement is a matter of agreement between the parties,
   not a property of the format.

10.  IANA Considerations

   This document uses URNs to describe an XML namespace and schema
   conforming to the registry mechanism described in [RFC3688].

   Registration for the IODEF namespace:

   o  URI: urn:ietf:params:xml:ns:iodef-2.0

   o  Registrant Contact: See the first author of the "Authors'
      Addresses" section of this document.

   o  XML: None.  Namespace URIs do not represent an XML specification.

   Registration for the IODEF XML schema:

   o  URI: urn:ietf:params:xml:schema:iodef-2.0

   o  Registrant Contact: See the first author of the "Authors'
      Addresses" section of this document.

   o  XML: See the "IODEF Schema" in Section 8 of this document.

11.  Acknowledgments

   The following groups and individuals, listed alphabetically,
   contributed substantially to this document and should be recognized
   for their efforts.

   o  Patrick Cain, Cooper-Cain Group, Inc.

   o  Kathleen Moriarty, EMC Corporation

   o  Brian Trammell, ETH Zurich

   o  ... TODO many more to add ...

12.  References

12.1.  Normative References

   [W3C.XML]  World Wide Web Consortium, "Extensible Markup Language
              (XML) 1.0 (Second Edition)", W3C Recommendation, October
              2000.

   [W3C.SCHEMA]
              World Wide Web Consortium, "XML Schema Part 1: Structures
              Second Edition", W3C Recommendation, October 2004.

   [W3C.SCHEMA.DTYPES]
              World Wide Web Consortium, "XML Schema Part 2: Datatypes
              Second Edition", W3C Recommendation, October 2004.

   [W3C.XMLNS]
              World Wide Web Consortium, "Namespaces in XML", W3C
              Recommendation, January 1999.

   [W3C.XPATH]
              World Wide Web Consortium, "XML Path Language (XPath)
              2.0", W3C Candidate Recommendation, June 2006.
   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4646]  Phillips, A. and M. Davis, "Tags for Identifying
              Languages", RFC 4646, September 2006.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, January 2005.

   [RFC2978]  Freed, N. and J. Postel, "IANA Charset Registration
              Procedures", BCP 19, RFC 2978, October 2000.

   [RFC4519]  Sciberras, A., "Lightweight Directory Access Protocol
              (LDAP): Schema for User Applications", RFC 4519,
              June 2006.

   [RFC5322]  Resnick, P., "Internet Message Format", RFC 5322, October
              2008.

   [RFC3339]  Klyne, G. and C. Newman, "Date and Time on the Internet:
              Timestamps", RFC 3339, July 2002.

   [ISO8601]  International Organization for Standardization,
              "International Standard: Data elements and interchange
              formats - Information interchange - Representation of
              dates and times", ISO 8601, Second Edition, December 2000.

   [ISO4217]  International Organization for Standardization,
              "International Standard: Codes for the representation of
              currencies and funds, ISO 4217:2001", ISO 4217:2001,
              August 2001.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              January 2004.

   [RFC3275]  Eastlake, D., Reagle, J., and D. Solo, "(Extensible Markup
              Language) XML-Signature Syntax and Processing", RFC 3275,
              March 2002.

   [IANA.Ports]
              Internet Assigned Numbers Authority, "Service Name and
              Transport Protocol Port Number Registry", January 2014.

   [IANA.Protocols]
              Internet Assigned Numbers Authority, "Assigned Internet
              Protocol Numbers", January 2014.

12.2.  Informative References

   [refs.requirements]
              Keeni, G., Demchenko, Y., and R. Danyliw, "Requirements
              for the Format for Incident Information Exchange (FINE)",
              Work in Progress, June 2006.

   [RFC4765]  Debar, H., Curry, D., and B.
              Feinstein, "The Intrusion Detection Message Exchange
              Format (IDMEF)", RFC 4765, March 2007.

   [RFC6545]  Moriarty, K., "Real-time Inter-network Defense (RID)",
              RFC 6545, April 2012.

   [RFC6546]  Trammell, B., "Transport of Real-time Inter-network
              Defense (RID) Messages over HTTP/TLS", RFC 6546, April
              2012.

   [RFC5901]  Cain, P. and D. Jevans, "Extensions to the IODEF-Document
              Class for Reporting Phishing", RFC 5901, July 2010.

   [NIST800.61rev2]
              Cichonski, P., Millar, T., Grance, T., and K. Scarfone,
              "NIST Special Publication 800-61 Revision 2: Computer
              Security Incident Handling Guide", January 2012.

   [RFC3982]  Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg)
              Type for the Internet Registry Information Service
              (IRIS)", RFC 3982, January 2005.

   [KB310516]
              Microsoft Corporation, "How to add, modify, or delete
              registry subkeys and values by using a registration
              entries (.reg) file", December 2007.

   [RFC4180]  Shafranovich, Y., "Common Format and MIME Type for Comma-
              Separated Values (CSV) Files", RFC 4180, October 2005.

Authors' Addresses

   Roman Danyliw
   CERT - Software Engineering Institute
   Pittsburgh, PA
   USA

   EMail: rdd@cert.org


   Paul Stoecker
   RSA
   Reston, VA
   USA

   EMail: paul.stoecker@rsa.com