idnits 2.17.1

draft-ietf-mile-rfc5070-bis-10.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There are 2 instances of too long lines in the document, the longest one
     being 13 characters in excess of 72.

  -- The document has examples using IPv4 documentation addresses according to
     RFC6890, but does not use any IPv6 documentation addresses.  Maybe there
     should be IPv6 examples, too?

  -- The draft header indicates that this document obsoletes RFC5070, but the
     abstract doesn't seem to mention this, which it should.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords.

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).

  == The document seems to contain a disclaimer for pre-RFC5378 work, but was
     first submitted on or after 10 November 2008.  The disclaimer is usually
     necessary only for documents that revise or obsolete older RFCs, and that
     take significant amounts of text from those RFCs.  If you can contact all
     authors of the source material and they are willing to grant the BCP78
     rights to the IETF Trust, you can and should remove the disclaimer.
     Otherwise, the disclaimer is needed and you can ignore this comment.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (November 9, 2014) is 3457 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: '0-9' is mentioned on line 5090, but not defined

  == Missing Reference: '0-4' is mentioned on line 5090, but not defined

  == Missing Reference: '0-5' is mentioned on line 5090, but not defined

  == Unused Reference: 'RFC3275' is defined on line 6790, but no explicit
     reference was found in the text

  -- Possible downref: Non-RFC (?) normative reference: ref. 'IEEE.POSIX'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'RFC-ENUM'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ISO8601'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ISO4217'

  -- Obsolete informational reference (is this intentional?): RFC 5070
     (Obsoleted by RFC 7970)

  -- Obsolete informational reference (is this intentional?): RFC 5226
     (Obsoleted by RFC 8126)

     Summary: 1 error (**), 0 flaws (~~), 7 warnings (==), 9 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

MILE Working Group                                            R. Danyliw
Internet-Draft                                                      CERT
Obsoletes: 5070 (if approved)                                P. Stoecker
Intended status: Standards Track                                     RSA
Expires: May 13, 2015                                   November 9, 2014

           The Incident Object Description Exchange Format v2
                       draft-ietf-mile-rfc5070-bis-10

Abstract

   The Incident Object Description Exchange Format (IODEF) defines a
   data representation for sharing information commonly exchanged by
   Computer Security Incident Response Teams (CSIRTs) about computer
   security incidents.
   This document describes the information model for the IODEF and
   provides an associated data model specified with XML Schema.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 13, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .   4
     1.1.  Changes from 5070  . . . . . . . . . . . . . . . . . . .   6
     1.2.  Terminology  . . . . . . . . . . . . . . . . . . . . . .   7
     1.3.  Notations  . . . . . . . . . . . . . . . . . . . . . . .   7
     1.4.  About the IODEF Data Model . . . . . . . . . . . . . . .   7
     1.5.  About the IODEF Implementation . . . . . . . . . . . . .   8
   2.  IODEF Data Types . . . . . . . . . . . . . . . . . . . . . .   9
     2.1.  Integers . . . . . . . . . . . . . . . . . . . . . . . .   9
     2.2.  Real Numbers . . . . . . . . . . . . . . . . . . . . . .   9
     2.3.  Characters and Strings . . . . . . . . . . . . . . . . .   9
     2.4.  Multilingual Strings . . . . . . . . . . . . . . . . . .   9
     2.5.  Bytes  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     2.6.  Hexadecimal Bytes  . . . . . . . . . . . . . . . . . . .  10
     2.7.  Enumerated Types . . . . . . . . . . . . . . . . . . . .  10
     2.8.  Date-Time Strings  . . . . . . . . . . . . . . . . . . .  10
     2.9.  Timezone String  . . . . . . . . . . . . . . . . . . . .  10
     2.10. Port Lists . . . . . . . . . . . . . . . . . . . . . . .  11
     2.11. Postal Address . . . . . . . . . . . . . . . . . . . . .  11
     2.12. Person or Organization . . . . . . . . . . . . . . . . .  11
     2.13. Telephone and Fax Numbers  . . . . . . . . . . . . . . .  11
     2.14. Email String . . . . . . . . . . . . . . . . . . . . . .  11
     2.15. Uniform Resource Locator strings . . . . . . . . . . . .  11
     2.16. Identifiers and Identifier References  . . . . . . . . .  12
   3.  The IODEF Data Model . . . . . . . . . . . . . . . . . . . .  12
     3.1.  IODEF-Document Class . . . . . . . . . . . . . . . . . .  12
     3.2.  Incident Class . . . . . . . . . . . . . . . . . . . . .  13
     3.3.  Common Attributes  . . . . . . . . . . . . . . . . . . .  16
       3.3.1.  restriction Attribute  . . . . . . . . . . . . . . .  16
       3.3.2.  observable-id Attribute  . . . . . . . . . . . . . .  17
     3.4.  IncidentID Class . . . . . . . . . . . . . . . . . . . .  17
     3.5.  AlternativeID Class  . . . . . . . . . . . . . . . . . .  18
     3.6.  RelatedActivity Class  . . . . . . . . . . . . . . . . .  18
     3.7.  ThreatActor Class  . . . . . . . . . . . . . . . . . . .  20
     3.8.  Campaign Class . . . . . . . . . . . . . . . . . . . . .  20
     3.9.  AdditionalData Class . . . . . . . . . . . . . . . . . .  21
     3.10. Contact Class  . . . . . . . . . . . . . . . . . . . . .  23
       3.10.1. RegistryHandle Class . . . . . . . . . . . . . . . .  26
       3.10.2. PostalAddress Class  . . . . . . . . . . . . . . . .  27
       3.10.3. Email Class  . . . . . . . . . . . . . . . . . . . .  28
       3.10.4. Telephone and Fax Classes  . . . . . . . . . . . . .  28
     3.11. Time Classes . . . . . . . . . . . . . . . . . . . . . .  29
       3.11.1. StartTime Class  . . . . . . . . . . . . . . . . . .  29
       3.11.2. EndTime Class  . . . . . . . . . . . . . . . . . . .  29
       3.11.3. DetectTime Class . . . . . . . . . . . . . . . . . .  29
       3.11.4. ReportTime Class . . . . . . . . . . . . . . . . . .  29
       3.11.5. DateTime . . . . . . . . . . . . . . . . . . . . . .  29
     3.12. Discovery Class  . . . . . . . . . . . . . . . . . . . .  30
       3.12.1. DetectionPattern Class . . . . . . . . . . . . . . .  31
     3.13. Method Class . . . . . . . . . . . . . . . . . . . . . .  32
     3.14. Assessment Class . . . . . . . . . . . . . . . . . . . .  33
       3.14.1. SystemImpact Class . . . . . . . . . . . . . . . . .  35
       3.14.2. BusinessImpact Class . . . . . . . . . . . . . . . .  37
       3.14.3. TimeImpact Class . . . . . . . . . . . . . . . . . .  39
       3.14.4. MonetaryImpact Class . . . . . . . . . . . . . . . .  40
       3.14.5. Confidence Class . . . . . . . . . . . . . . . . . .  41
     3.15. History Class  . . . . . . . . . . . . . . . . . . . . .  42
       3.15.1. HistoryItem Class  . . . . . . . . . . . . . . . . .  43
     3.16. EventData Class  . . . . . . . . . . . . . . . . . . . .  44
       3.16.1. Relating the Incident and EventData Classes  . . . .  47
       3.16.2. Cardinality of EventData . . . . . . . . . . . . . .  47
     3.17. Expectation Class  . . . . . . . . . . . . . . . . . . .  48
     3.18. Flow Class . . . . . . . . . . . . . . . . . . . . . . .  51
     3.19. System Class . . . . . . . . . . . . . . . . . . . . . .  51
     3.20. Node Class . . . . . . . . . . . . . . . . . . . . . . .  54
       3.20.1. Address Class  . . . . . . . . . . . . . . . . . . .  55
       3.20.2. NodeRole Class . . . . . . . . . . . . . . . . . . .  56
       3.20.3. Counter Class  . . . . . . . . . . . . . . . . . . .  59
     3.21. DomainData Class . . . . . . . . . . . . . . . . . . . .  60
       3.21.1. RelatedDNS . . . . . . . . . . . . . . . . . . . . .  63
       3.21.2. Nameservers Class  . . . . . . . . . . . . . . . . .  63
       3.21.3. DomainContacts Class . . . . . . . . . . . . . . . .  64
     3.22. Service Class  . . . . . . . . . . . . . . . . . . . . .  64
       3.22.1. ApplicationHeader Class  . . . . . . . . . . . . . .  66
       3.22.2. Application Class  . . . . . . . . . . . . . . . . .  67
     3.23. OperatingSystem Class  . . . . . . . . . . . . . . . . .  69
     3.24. EmailData Class  . . . . . . . . . . . . . . . . . . . .  69
     3.25. Record Class . . . . . . . . . . . . . . . . . . . . . .  70
       3.25.1. RecordData Class . . . . . . . . . . . . . . . . . .  70
       3.25.2. RecordPattern Class  . . . . . . . . . . . . . . . .  72
       3.25.3. RecordItem Class . . . . . . . . . . . . . . . . . .  73
     3.26. WindowsRegistryKeysModified Class  . . . . . . . . . . .  73
       3.26.1. Key Class  . . . . . . . . . . . . . . . . . . . . .  74
     3.27. CertificateData Class  . . . . . . . . . . . . . . . . .  75
       3.27.1. Certificate Class  . . . . . . . . . . . . . . . . .  75
     3.28. FileData Class . . . . . . . . . . . . . . . . . . . . .  76
       3.28.1. File Class . . . . . . . . . . . . . . . . . . . . .  76
     3.29. HashData Class . . . . . . . . . . . . . . . . . . . . .  77
       3.29.1. Hash Class . . . . . . . . . . . . . . . . . . . . .  79
       3.29.2. FuzzyHash Class  . . . . . . . . . . . . . . . . . .  80
     3.30. SignatureData Class  . . . . . . . . . . . . . . . . . .  80
     3.31. IndicatorData Class  . . . . . . . . . . . . . . . . . .  81
     3.32. Indicator Class  . . . . . . . . . . . . . . . . . . . .  81
       3.32.1. IndicatorID Class  . . . . . . . . . . . . . . . . .  83
       3.32.2. AlternativeIndicatorID Class . . . . . . . . . . . .  84
       3.32.3. Observable Class . . . . . . . . . . . . . . . . . .  84
       3.32.4. IndicatorExpression Class  . . . . . . . . . . . . .  86
       3.32.5. ObservableReference Class  . . . . . . . . . . . . .  88
       3.32.6. IndicatorReference Class . . . . . . . . . . . . . .  88
   4.  Processing Considerations  . . . . . . . . . . . . . . . . .  89
     4.1.  Encoding . . . . . . . . . . . . . . . . . . . . . . . .  89
     4.2.  IODEF Namespace  . . . . . . . . . . . . . . . . . . . .  89
     4.3.  Validation . . . . . . . . . . . . . . . . . . . . . . .  90
     4.4.  Incompatibilities with v1  . . . . . . . . . . . . . . .  91
   5.  Extending the IODEF  . . . . . . . . . . . . . . . . . . . .  91
     5.1.  Extending the Enumerated Values of Attributes  . . . . .  92
     5.2.  Extending Classes  . . . . . . . . . . . . . . . . . . .  92
   6.  Internationalization Issues  . . . . . . . . . . . . . . . .  94
   7.  Examples . . . . . . . . . . . . . . . . . . . . . . . . . .  95
     7.1.  Worm . . . . . . . . . . . . . . . . . . . . . . . . . .  95
     7.2.  Reconnaissance . . . . . . . . . . . . . . . . . . . . .  96
     7.3.  Bot-Net Reporting  . . . . . . . . . . . . . . . . . . .  98
     7.4.  Watch List . . . . . . . . . . . . . . . . . . . . . . . 100
   8.  The IODEF Schema . . . . . . . . . . . . . . . . . . . . . . 101
   9.  Security Considerations  . . . . . . . . . . . . . . . . . . 139
   10. IANA Considerations  . . . . . . . . . . . . . . . . . . . . 139
     10.1. Namespace and Schema . . . . . . . . . . . . . . . . . . 140
     10.2. Enumerated Value Registries  . . . . . . . . . . . . . . 140
   11. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . 142
   12. References . . . . . . . . . . . . . . . . . . . . . . . . . 143
     12.1. Normative References . . . . . . . . . . . . . . . . . . 143
     12.2. Informative References . . . . . . . . . . . . . . . . . 145

1.  Introduction

   Organizations require help from other parties to mitigate malicious
   activity targeting their network and to gain insight into potential
   threats.  This coordination might entail working with an ISP to
   filter attack traffic, contacting a remote site to take down a
   bot-network, or sharing watch-lists of known malicious IP addresses
   in a consortium.

   The Incident Object Description Exchange Format (IODEF) is a format
   for representing computer security information commonly exchanged
   between Computer Security Incident Response Teams (CSIRTs).  It
   provides an XML representation for conveying:

   o  cyber intelligence to characterize threats;

   o  cyber incident reports to document particular cyber security
      events or relationships between events;

   o  cyber event mitigation to request proactive and reactive
      mitigation approaches to cyber intelligence or incidents; and

   o  cyber information sharing meta-data so that these various classes
      of information can be exchanged among parties.
   The data model encodes information about hosts, networks, and the
   services running on these systems; attack methodology and associated
   forensic evidence; impact of the activity; and limited approaches for
   documenting workflow.

   The overriding purpose of the IODEF is to enhance the operational
   capabilities of CSIRTs.  Community adoption of the IODEF provides an
   improved ability to resolve incidents and convey situational
   awareness by simplifying collaboration and data sharing.  The
   structured format provided by the IODEF allows for:

   o  increased automation in processing of incident data, since fewer
      security analyst resources will be spent parsing free-form
      textual documents;

   o  decreased effort in normalizing similar data (even when highly
      structured) from different sources; and

   o  a common format on which to build interoperable tools for incident
      handling and subsequent analysis, specifically when data comes
      from multiple constituencies.

   Coordinating with other CSIRTs is not strictly a technical problem.
   There are numerous procedural, trust, and legal considerations that
   might prevent an organization from sharing information.  The IODEF
   does not attempt to address them.  However, operational
   implementations of the IODEF will need to consider this broader
   context.

   Sections 3 and 8 specify the IODEF data model with text and an XML
   schema.  The types used by the data model are covered in Section 2.
   Processing considerations, the handling of extensions, and
   internationalization issues related to the data model are covered in
   Sections 4, 5, and 6, respectively.  Examples are listed in
   Section 7.  Section 1 provides the background for the IODEF, and
   Section 9 documents the security considerations.

1.1.  Changes from 5070

   This document contains changes with respect to its predecessor
   RFC5070.

   o  All of the RFC5070 errata were implemented.
   o  Imported the xmlns:ds namespace to include digital signature hash
      classes.

   o  The following class was added to IODEF-Document: AdditionalData.

   o  The following class was added to Incident: IndicatorData.

   o  The following class was added to Incident and EventData:
      Discovery.

   o  The following classes and attributes were added to the Service
      class: EmailData, DomainData, AssetID, ApplicationHeader,
      @virtual, and @ownership.  Service@ip_protocol was renamed to
      @ip-protocol.

   o  The following classes were added to the Record class: HashData and
      WindowsRegistryKeysModified.

   o  The following classes were added to the RelatedActivity class:
      ThreatActor, Campaign, Confidence, Description, and
      AdditionalData.

   o  The following classes were added to Assessment: IncidentCategory,
      SystemImpact, BusinessImpact, IntendedImpact, and
      MitigatingFactor.

   o  The following classes were added to Node: PostalAddress and
      DomainData.  The following classes were removed from Node:
      NodeName and DateTime.

   o  The following class was added to the Contact class: ContactTitle.

   o  The following class was added to Expectation and HistoryItem:
      DefinedCOA.

   o  Additional enumerated values were added to the following
      attributes: @restriction, {Expectation, HistoryItem}@action,
      NodeRole@category, Incident@purpose, Contact@role,
      AdditionalData@dtype, and System@spoofed.

   o  Removed all "ext-" attributes in favor of using an IANA registry
      for extending attributes.

   o  Removed the Impact class in favor of using SystemImpact and
      IncidentCategory.

1.2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].
   Definitions for some of the common computer security-related
   terminology used in this document can be found in Section 2 of
   [refs.requirements].

1.3.  Notations

   The normative IODEF data model is specified with the text in
   Section 3 and the XML schema in Section 8.  To help in the
   understanding of the data elements, Section 3 also depicts the
   underlying information model using Unified Modeling Language (UML).
   This abstract presentation of the IODEF is not normative.

   For clarity in this document, the term "XML document" will be used
   when referring generically to any instance of an XML document.  The
   term "IODEF document" will be used to refer to specific elements and
   attributes of the IODEF schema.  The terms "class" and "element" will
   be used interchangeably to reference the corresponding data element
   in the information model or the data model, respectively.

1.4.  About the IODEF Data Model

   The IODEF data model is a data representation that provides a
   framework for sharing information commonly exchanged by CSIRTs about
   computer security incidents.  A number of considerations were made in
   the design of the data model.

   o  The data model serves as a transport format.  Therefore, its
      specific representation is not the optimal representation for
      on-disk storage, long-term archiving, or in-memory processing.

   o  As there is no precise, widely agreed upon definition for an
      incident, the data model does not attempt to dictate one through
      its implementation.  Rather, a broad understanding is assumed in
      the IODEF that is flexible enough to encompass most operators.

   o  Describing an incident for all definitions would require an
      extremely complex data model.  Therefore, the IODEF only intends
      to be a framework to convey commonly exchanged incident
      information.
      It ensures that there are ample mechanisms for extensibility to
      support organization-specific information, and techniques to
      reference information kept outside of the explicit data model.

   o  The domain of security analysis is not fully standardized and must
      rely on free-form textual descriptions.  The IODEF attempts to
      strike a balance between supporting this free-form content and
      still allowing automated processing of incident information.

   o  The IODEF is only one of several security-relevant data
      representations being standardized.  Attempts were made to ensure
      they were complementary.  The data model of the Intrusion
      Detection Message Exchange Format [RFC4765] influenced the design
      of the IODEF.

   Further discussion of the desirable properties for the IODEF can be
   found in the Requirements for the Format for Incident Information
   Exchange (FINE) [refs.requirements].

1.5.  About the IODEF Implementation

   The IODEF implementation is specified as an Extensible Markup
   Language (XML) [W3C.XML] Schema [W3C.SCHEMA].

   Implementing the IODEF in XML provides numerous advantages.  Its
   extensibility makes it ideal for specifying a data encoding framework
   that supports various character encodings.  Likewise, the abundance
   of related technologies (e.g., XSL, XPath, XML-Signature) makes for
   simplified manipulation.  However, XML is fundamentally a text
   representation, which makes it inherently inefficient when binary
   data must be embedded or large volumes of data must be exchanged.

2.  IODEF Data Types

   The various data elements of the IODEF data model are typed.  This
   section discusses these data types.  When possible, native Schema
   data types were adopted, but for more complicated formats, regular
   expressions (see Appendix F of [W3C.SCHEMA.DTYPES]) or external
   standards were used.

2.1.  Integers

   An integer is represented by the INTEGER data type.
   Integer data MUST be encoded in Base 10.

   The INTEGER data type is implemented as an "xs:integer" in
   [W3C.SCHEMA.DTYPES].

2.2.  Real Numbers

   Real (floating-point) attributes are represented by the REAL data
   type.  Real data MUST be encoded in Base 10.

   The REAL data type is implemented as an "xs:float" in
   [W3C.SCHEMA.DTYPES].

2.3.  Characters and Strings

   A single character is represented by the CHARACTER data type.  A
   character string is represented by the STRING data type.  Special
   characters must be encoded using entity references.  See Section 4.1.

   The CHARACTER and STRING data types are implemented as an "xs:string"
   in [W3C.SCHEMA.DTYPES].

2.4.  Multilingual Strings

   STRING data that represents multi-character attributes in a language
   different than the default encoding of the document is of the
   ML_STRING data type.

   The ML_STRING data type is implemented as an "iodef:MLStringType" in
   the schema.

2.5.  Bytes

   A binary octet is represented by the BYTE data type.  A sequence of
   binary octets is represented by the BYTE[] data type.  These octets
   are encoded using base64.

   The BYTE data type is implemented as an "xs:base64Binary" in
   [W3C.SCHEMA.DTYPES].

2.6.  Hexadecimal Bytes

   A binary octet is represented by the HEXBIN (and HEXBIN[]) data type.
   This octet is encoded as a character tuple consisting of two
   hexadecimal digits.

   The HEXBIN data type is implemented as an "xs:hexBinary" in
   [W3C.SCHEMA.DTYPES].

2.7.  Enumerated Types

   Enumerated types are represented by the ENUM data type, and consist
   of an ordered list of acceptable values.  Each value has a
   representative keyword.  Within the IODEF schema, the enumerated type
   keywords are used as attribute values.

   The ENUM data type is implemented as a series of "xs:NMTOKEN" in the
   schema.

2.8.  Date-Time Strings

   Date-time strings are represented by the DATETIME data type.
   Each date-time string identifies a particular instant in time.
   Ranges are not supported.

   Date-time strings are formatted according to a subset of [ISO8601]
   documented in [RFC3339].

   The DATETIME data type is implemented as an "xs:dateTime" in the
   schema.

2.9.  Timezone String

   A timezone offset from UTC is represented by the TIMEZONE data type.
   It is formatted according to the following regular expression:
   "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]".

   The TIMEZONE data type is implemented as an "xs:string" with a
   regular expression constraint in [W3C.SCHEMA.DTYPES].  This regular
   expression is identical to the timezone representation implemented in
   an "xs:dateTime".

2.10.  Port Lists

   A list of network ports is represented by the PORTLIST data type.  A
   PORTLIST consists of a comma-separated list of numbers and ranges
   (N-M means ports N through M, inclusive).  It is formatted according
   to the following regular expression: "\d+(\-\d+)?(,\d+(\-\d+)?)*".
   For example, "2,5-15,30,32,40-50,55-60".

   The PORTLIST data type is implemented as an "xs:string" with a
   regular expression constraint in the schema.

2.11.  Postal Address

   A postal address is represented by the POSTAL data type.  This data
   type is an ML_STRING whose format is documented in Section 2.23 of
   [RFC4519].  It defines a postal address as a free-form multi-line
   string separated by the "$" character.

   The POSTAL data type is implemented as an "xs:string" in the schema.

2.12.  Person or Organization

   The name of an individual or organization is represented by the NAME
   data type.  This data type is an ML_STRING whose format is documented
   in Section 2.3 of [RFC4519].

   The NAME data type is implemented as an "xs:string" in the schema.

2.13.  Telephone and Fax Numbers

   A telephone or fax number is represented by the PHONE data type.
   The format of the PHONE data type is documented in Section 2.35 of
   [RFC4519].

   The PHONE data type is implemented as an "xs:string" in the schema.

2.14.  Email String

   An email address is represented by the EMAIL data type.  The format
   of the EMAIL data type is documented in Section 3.4.1 of [RFC5322].

   The EMAIL data type is implemented as an "xs:string" in the schema.

2.15.  Uniform Resource Locator strings

   A uniform resource locator (URL) is represented by the URL data type.
   The format of the URL data type is documented in [RFC3986].

   The URL data type is implemented as an "xs:anyURI" in the schema.

2.16.  Identifiers and Identifier References

   An identifier unique to the Document is represented by the ID data
   type.  A reference to this identifier is represented by the IDREF
   data type.  The acceptable format of ID and IDREF is documented in
   Sections 3.3.8 and 3.3.9 of [W3C.SCHEMA.DTYPES].

   The ID and IDREF data types are implemented as "xs:ID" and "xs:IDREF"
   in the schema.

3.  The IODEF Data Model

   In this section, the individual components of the IODEF data model
   will be discussed in detail.  For each class, the semantics will be
   described and the relationship with other classes will be depicted
   with UML.  When necessary, specific comments will be made about the
   corresponding definition in the schema in Section 8.

3.1.  IODEF-Document Class

   The IODEF-Document class is the top level class in the IODEF data
   model.  All IODEF documents are an instance of this class.

   +-----------------+
   | IODEF-Document  |
   +-----------------+
   | STRING version  |<>--{1..*}--[ Incident ]
   | ENUM lang       |<>--{0..*}--[ AdditionalData ]
   | STRING formatid |
   +-----------------+

                    Figure 1: IODEF-Document Class

   The aggregate classes that constitute IODEF-Document are:

   Incident
      One or more.  The information related to a single incident.

   AdditionalData
      Zero or more.
      Mechanism by which to extend the data model.  See Section 3.9.

   The IODEF-Document class has three attributes:

   version
      Required.  STRING.  The IODEF specification version number to
      which this IODEF document conforms.  The value of this attribute
      MUST be "2.00".

   lang
      Required.  ENUM.  A valid language code per [RFC5646] constrained
      by the definition of "xs:language".  The interpretation of this
      code is described in Section 6.

   formatid
      Optional.  STRING.  A free-form string to convey processing
      instructions to the recipient of the document.  Its semantics must
      be negotiated out-of-band.

3.2.  Incident Class

   Every incident is represented by an instance of the Incident class.
   This class provides a standardized representation for commonly
   exchanged incident data.

   +-------------------------+
   | Incident                |
   +-------------------------+
   | ENUM purpose            |<>----------[ IncidentID ]
   | ENUM lang               |<>--{0..1}--[ AlternativeID ]
   | ENUM restriction        |<>--{0..*}--[ RelatedActivity ]
   | STRING observable-id    |<>--{0..1}--[ DetectTime ]
   |                         |<>--{0..1}--[ StartTime ]
   |                         |<>--{0..1}--[ EndTime ]
   |                         |<>--{0..1}--[ RecoveryTime ]
   |                         |<>----------[ ReportTime ]
   |                         |<>--{0..1}--[ GenerationTime ]
   |                         |<>--{0..*}--[ Description ]
   |                         |<>--{0..*}--[ Discovery ]
   |                         |<>--{1..*}--[ Assessment ]
   |                         |<>--{0..*}--[ Method ]
   |                         |<>--{1..*}--[ Contact ]
   |                         |<>--{0..*}--[ EventData ]
   |                         |<>--{0..*}--[ IndicatorData ]
   |                         |<>--{0..1}--[ History ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                      Figure 2: The Incident Class

   The aggregate classes that constitute Incident are:

   IncidentID
      One.  An incident tracking number assigned to this incident by the
      CSIRT that generated the IODEF document.

   AlternativeID
      Zero or one.  The incident tracking numbers used by other CSIRTs
      to refer to the incident described in the document.
   RelatedActivity
      Zero or more.  Related activity and attribution of this activity.

   DetectTime
      Zero or one.  The time the incident was first detected.

   StartTime
      Zero or one.  The time the incident started.

   EndTime
      Zero or one.  The time the incident ended.

   RecoveryTime
      Zero or one.  The time the site recovered from the incident.

   ReportTime
      One.  The time the incident was reported.

   GenerationTime
      One.  The time the content in this Incident class was generated.

   Description
      Zero or more.  ML_STRING.  A free-form textual description of the
      incident.

   Discovery
      Zero or more.  The means by which this incident was detected.

   Assessment
      One or more.  A characterization of the impact of the incident.

   Method
      Zero or more.  The techniques used by the intruder in the
      incident.

   Contact
      One or more.  Contact information for the parties involved in the
      incident.

   EventData
      Zero or more.  Description of the events comprising the incident.

   IndicatorData
      Zero or more.  Description of indicators.

   History
      Zero or one.  A log of significant events or actions that occurred
      during the course of handling the incident.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.

   The Incident class has three attributes:

   purpose
      Required.  ENUM.  The purpose attribute represents the reason why
      the IODEF document was created.  It is closely related to the
      Expectation class (Section 3.17).  These values are maintained in
      the "Incident-purpose" IANA registry per Table 1.  This attribute
      is defined as an enumerated list:

      1.  traceback.  The document was sent for trace-back purposes.

      2.  mitigation.  The document was sent to request aid in
          mitigating the described activity.

      3.  reporting.  The document was sent to comply with reporting
          requirements.

      4.  watch.
The document was sent to convey indicators to watch 693 for particular activity. 695 5. other. The document was sent for purposes specified in the 696 Expectation class. 698 lang 699 Optional. ENUM. A valid language code per [RFC5646] constrained 700 by the definition of "xs:language". The interpretation of this 701 code is described in Section 6. 703 restriction 704 Optional. ENUM. See Section 3.3.1. 706 observable-id 707 Optional. ID. See Section 3.3.2. 709 3.3. Common Attributes 711 There are a number of recurring attributes used by the data model. 712 They are documented in this section. 714 3.3.1. restriction Attribute 716 The restriction attribute indicates the disclosure guidelines to 717 which the sender expects the recipient to adhere for the information 718 represented in this class and its children. This guideline provides 719 no security since there are no specified technical means to ensure 720 that the recipient of the document handles the information as the 721 sender requested. 723 The value of this attribute is logically inherited by the children of 724 this class. That is to say, the disclosure rules applied to this 725 class, also apply to its children. 727 It is possible to set a granular disclosure policy, since all of the 728 high-level classes (i.e., children of the Incident class) have a 729 restriction attribute. Therefore, a child can override the 730 guidelines of a parent class, be it to restrict or relax the 731 disclosure rules (e.g., a child has a weaker policy than an ancestor; 732 or an ancestor has a weak policy, and the children selectively apply 733 more rigid controls). The implicit value of the restriction 734 attribute for a class that did not specify one can be found in the 735 closest ancestor that did specify a value. 737 This attribute is defined as an enumerated value with a default value 738 of "private". Note that the default value of the restriction 739 attribute is only defined in the context of the Incident class. 
   In other classes where this attribute is used, no default is
   specified. These values are maintained in the "Restriction" IANA
   registry per Table 1.

   1.  public. The information can be freely distributed without
       restriction.

   2.  partner. The information may be shared within a closed community
       of peers, partners, or affected parties, but cannot be openly
       published.

   3.  need-to-know. The information may be shared only within the
       organization with individuals that have a need to know.

   4.  private. The information may not be shared.

   5.  default. The information can be shared according to an
       information disclosure policy pre-arranged by the communicating
       parties.

   6.  white. Same as 'public'.

   7.  green. Same as 'partner'.

   8.  amber. Same as 'need-to-know'.

   9.  red. Same as 'private'.

3.3.2.  observable-id Attribute

   Information included in an incident report may be an observable
   relevant to an indicator. The observable-id attribute provides a
   unique identifier in the scope of the document for this observable.
   This identifier can then be used to reference the observable with an
   ObservableReference class to define an indicator in the IndicatorData
   class.

3.4.  IncidentID Class

   The IncidentID class represents an incident tracking number that is
   unique in the context of the CSIRT and identifies the activity
   characterized in an IODEF Document. This identifier would serve as
   an index into the CSIRT incident handling system. The combination of
   the name attribute and the string in the element content MUST be a
   globally unique identifier describing the activity. Documents
   generated by a given CSIRT MUST NOT reuse the same value unless they
   are referencing the same incident.
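   The inheritance rule of Section 3.3.1 and the uniqueness rule of
   Section 3.4 are easy to get wrong in a consumer, so the following
   added example (not part of this draft, and not code from any IODEF
   implementation) resolves the effective restriction of every element,
   flags children that relax or tighten their ancestor's policy, and
   checks IncidentID reuse across documents. The XML fragment is a
   constructed sample with made-up values and no namespace declaration.

```python
import xml.etree.ElementTree as ET

# Constructed IODEF v2 fragment (namespace declaration omitted); every value is
# made-up sample data, not taken from a real incident.
SAMPLE = """<IODEF-Document version="2.00" lang="en">
  <Incident purpose="reporting" restriction="amber">
    <IncidentID name="csirt.example.com">2014-0042</IncidentID>
    <Contact role="creator" type="organization" restriction="public">
      <ContactName>Example CSIRT</ContactName>
      <Email>csirt@example.com</Email>
    </Contact>
    <EventData restriction="private">
      <Description>Internal notes, not for the recipient's partners</Description>
    </EventData>
    <EventData>
      <Description>No restriction set: inherits from Incident</Description>
    </EventData>
  </Incident>
</IODEF-Document>"""

# Colour names are synonyms of the four base values (Section 3.3.1).
ALIASES = {"white": "public", "green": "partner", "amber": "need-to-know", "red": "private"}
# Ordering only to label an override as relaxing/tightening; "default" has no rank.
LEVEL = {"public": 0, "partner": 1, "need-to-know": 2, "private": 3}


def canonical(value):
    return ALIASES.get(value, value)


def parent_map(root):
    """ElementTree keeps no parent pointers, so build child -> parent once."""
    return {child: parent for parent in root.iter() for child in parent}


def effective_restriction(elem, parents):
    """Closest ancestor-or-self that sets restriction wins; Incident defaults
    to "private"; above Incident no default is specified (returns None)."""
    node = elem
    while node is not None:
        value = node.get("restriction")
        if value is not None:
            return canonical(value)
        if node.tag == "Incident":
            return "private"
        node = parents.get(node)
    return None


def restriction_report(xml_text):
    """(path below Incident, effective restriction) for every element."""
    root = ET.fromstring(xml_text)
    parents = parent_map(root)
    rows = []
    for incident in root.iter("Incident"):
        for elem in incident.iter():
            path, node = [], elem
            while node is not incident:
                path.append(node.tag)
                node = parents[node]
            rows.append(("/".join(reversed(path)) or "Incident",
                         effective_restriction(elem, parents)))
    return rows


def restriction_overrides(xml_text):
    """Elements whose own restriction differs from the inherited one. Both
    directions are legal; relaxations are where data may leak past intent."""
    root = ET.fromstring(xml_text)
    parents = parent_map(root)
    out = []
    for elem in root.iter():
        own, parent = elem.get("restriction"), parents.get(elem)
        if own is None or parent is None:
            continue
        inherited, own = effective_restriction(parent, parents), canonical(own)
        if inherited is None or own == inherited:
            continue
        if own in LEVEL and inherited in LEVEL:
            change = "relaxes" if LEVEL[own] < LEVEL[inherited] else "tightens"
        else:
            change = "changes"
        out.append((elem.tag, inherited, own, change))
    return out


def incident_key(incident):
    """(name attribute, content) of IncidentID: the globally unique pair of Section 3.4."""
    iid = incident.find("IncidentID")
    return (iid.get("name"), (iid.text or "").strip())


def reused_incident_keys(xml_texts):
    """Keys appearing in more than one document; reuse is only allowed when
    the documents describe the same incident, so each hit needs a human check."""
    seen, reused = set(), []
    for text in xml_texts:
        for incident in ET.fromstring(text).iter("Incident"):
            key = incident_key(incident)
            if key in seen and key not in reused:
                reused.append(key)
            seen.add(key)
    return reused
```

   Run against SAMPLE, the Contact subtree resolves to "public" while the
   unmarked EventData inherits "need-to-know" from the Incident's "amber".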
   +------------------+
   | IncidentID       |
   +------------------+
   | STRING           |
   |                  |
   | STRING name      |
   | STRING instance  |
   | ENUM restriction |
   +------------------+

                    Figure 3: The IncidentID Class

   The IncidentID class has three attributes:

   name
      Required. STRING. An identifier describing the CSIRT that
      created the document. In order to have a globally unique CSIRT
      name, the fully qualified domain name associated with the CSIRT
      MUST be used.

   instance
      Optional. STRING. An identifier referencing a subset of the
      named incident.

   restriction
      Optional. ENUM. See Section 3.3.1. The default value is
      "public".

3.5.  AlternativeID Class

   The AlternativeID class lists the incident tracking numbers used by
   CSIRTs, other than the one generating the document, to refer to the
   identical activity described in the IODEF document. A tracking
   number listed as an AlternativeID references the same incident
   detected by another CSIRT. The incident tracking numbers of the
   CSIRT that generated the IODEF document must never be considered an
   AlternativeID.

   +------------------+
   | AlternativeID    |
   +------------------+
   | ENUM restriction |<>--{1..*}--[ IncidentID ]
   |                  |
   +------------------+

                  Figure 4: The AlternativeID Class

   The aggregate class that constitutes AlternativeID is:

   IncidentID
      One or more. The incident tracking number of another CSIRT.

   The AlternativeID class has one attribute:

   restriction
      Optional. ENUM. This attribute has been defined in Section 3.2.

3.6.  RelatedActivity Class

   The RelatedActivity class relates the information described in the
   rest of the IODEF document to previously observed incidents or
   activity, and allows attribution to a specific actor or campaign.
   +------------------+
   | RelatedActivity  |
   +------------------+
   | ENUM restriction |<>--{0..*}--[ IncidentID ]
   |                  |<>--{0..*}--[ URL ]
   |                  |<>--{0..*}--[ ThreatActor ]
   |                  |<>--{0..*}--[ Campaign ]
   |                  |<>--{0..1}--[ Confidence ]
   |                  |<>--{0..*}--[ Description ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                   Figure 5: RelatedActivity Class

   The aggregate classes that constitute RelatedActivity are:

   IncidentID
      One or more. The incident tracking number of a related incident.

   URL
      One or more. URL. A URL to activity related to this incident.

   ThreatActor
      One or more. The threat actor to whom the described activity is
      attributed.

   Campaign
      One or more. The campaign of a given threat actor to whom the
      described activity is attributed.

   Confidence
      Zero or one. An estimate of the confidence in attributing this
      RelatedActivity to the event described in the document.

   Description
      Zero or more. ML_STRING. A description of how these
      relationships were derived.

   AdditionalData
      Zero or more. A mechanism by which to extend the data model.

   RelatedActivity MUST have at least one instance of IncidentID, URL,
   ThreatActor, or Campaign.

   The RelatedActivity class has one attribute:

   restriction
      Optional. ENUM. See Section 3.3.1.

3.7.  ThreatActor Class

   The ThreatActor class describes a given actor.

   +------------------+
   | ThreatActor      |
   +------------------+
   | ENUM restriction |<>--{0..1}--[ ThreatActorID ]
   |                  |<>--{0..*}--[ Description ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                     Figure 6: ThreatActor Class

   The aggregate classes that constitute ThreatActor are:

   ThreatActorID
      One or more. STRING. An identifier for the ThreatActor.

   Description
      One or more. ML_STRING. A description of the ThreatActor.

   AdditionalData
      Zero or more. A mechanism by which to extend the data model.
   ThreatActor MUST have at least one instance of a ThreatActorID or
   Description.

   The ThreatActor class has one attribute:

   restriction
      Optional. ENUM. See Section 3.3.1.

3.8.  Campaign Class

   The Campaign class describes a ...

   +------------------+
   | Campaign         |
   +------------------+
   | ENUM restriction |<>--{0..1}--[ CampaignID ]
   |                  |<>--{0..*}--[ Description ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                      Figure 7: Campaign Class

   The aggregate classes that constitute Campaign are:

   CampaignID
      One or more. STRING. An identifier for the Campaign.

   Description
      One or more. ML_STRING. A description of the Campaign.

   AdditionalData
      Zero or more. A mechanism by which to extend the data model.

   Campaign MUST have at least one instance of a CampaignID or
   Description.

   The Campaign class has one attribute:

   restriction
      Optional. ENUM. See Section 3.3.1.

3.9.  AdditionalData Class

   The AdditionalData class serves as an extension mechanism for
   information not otherwise represented in the data model. For
   relatively simple information, atomic data types (e.g., integers,
   strings) are provided with a mechanism to annotate their meaning.
   The class can also be used to extend the data model (and the
   associated Schema) to support proprietary extensions by encapsulating
   entire XML documents conforming to another Schema. A detailed
   discussion for extending the data model and the schema can be found
   in Section 5.

   Unlike XML, which is self-describing, atomic data must be documented
   to convey its meaning. This information is described in the
   'meaning' attribute. Since these descriptions are outside the scope
   of the specification, some additional coordination may be required to
   ensure that a recipient of a document using the AdditionalData
   classes can make sense of the custom extensions.
   +------------------+
   | AdditionalData   |
   +------------------+
   | ANY              |
   |                  |
   | ENUM dtype       |
   | STRING meaning   |
   | STRING formatid  |
   | ENUM restriction |
   +------------------+

                  Figure 8: The AdditionalData Class

   The AdditionalData class has four attributes:

   dtype
      Required. ENUM. The data type of the element content. The
      permitted values for this attribute are shown below. The default
      value is "string". These values are maintained in the
      "AdditionalData-dtype" IANA registry per Table 1.

      1.  boolean. The element content is of type BOOLEAN.

      2.  byte. The element content is of type BYTE.

      3.  bytes. The element content is of type HEXBIN.

      4.  character. The element content is of type CHARACTER.

      5.  date-time. The element content is of type DATETIME.

      6.  ntpstamp. Same as date-time.

      7.  integer. The element content is of type INTEGER.

      8.  portlist. The element content is of type PORTLIST.

      9.  real. The element content is of type REAL.

      10. string. The element content is of type STRING.

      11. file. The element content is a base64 encoded binary file
          encoded as a BYTE[] type.

      12. path. The element content is a file-system path encoded as a
          STRING type.

      13. frame. The element content is a layer-2 frame encoded as a
          HEXBIN type.

      14. packet. The element content is a layer-3 packet encoded as a
          HEXBIN type.

      15. ipv4-packet. The element content is an IPv4 packet encoded
          as a HEXBIN type.

      16. ipv6-packet. The element content is an IPv6 packet encoded
          as a HEXBIN type.

      17. url. The element content is of type URL.

      18. csv. The element content is a comma separated value (CSV)
          list per Section 2 of [RFC4180] encoded as a STRING type.

      19. winreg. The element content is a Windows registry key
          encoded as a STRING type.

      20. xml. The element content is XML. See Section 5.
   meaning
      Optional. STRING. A free-form description of the element
      content.

   formatid
      Optional. STRING. An identifier referencing the format and
      semantics of the element content.

   restriction
      Optional. ENUM. See Section 3.3.1.

3.10.  Contact Class

   The Contact class describes contact information for organizations and
   personnel involved in the incident. This class allows for the naming
   of the involved party, specifying contact information for them, and
   identifying their role in the incident.

   People and organizations are treated interchangeably as contacts; one
   can be associated with the other using the recursive definition of
   the class (the Contact class is aggregated into the Contact class).
   The 'type' attribute disambiguates the type of contact information
   being provided.

   The inheriting definition of Contact provides a way to relate
   information without requiring the explicit use of identifiers in the
   classes or duplication of data. A complete point of contact is
   derived by a particular traversal from the root Contact class to the
   leaf Contact class. As such, multiple points of contact might be
   specified in a single instance of a Contact class. Each child
   Contact class logically inherits contact information from its
   ancestors.
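   The root-to-leaf traversal just described, as an added example that
   is not part of this draft or of any IODEF implementation: it derives
   one complete point of contact per leaf Contact, letting the nearest
   value win for zero-or-one classes and accumulating zero-or-more
   classes, and it checks the "at least one aggregate class" rule that
   the text says the schema cannot enforce. The nested Contact fragment
   is a constructed sample with made-up names and numbers.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one organization Contact with two nested person Contacts
# (names, numbers and addresses are made up).
SAMPLE = """<Contact role="creator" type="organization">
  <ContactName>Example CSIRT</ContactName>
  <PostalAddress>1 Example Way, Anytown</PostalAddress>
  <Telephone>+1 555 0100</Telephone>
  <Timezone>+00:00</Timezone>
  <Contact role="tech" type="person">
    <ContactName>Alice</ContactName>
    <Email>alice@example.com</Email>
    <Telephone>+1 555 0101</Telephone>
  </Contact>
  <Contact role="irt" type="person">
    <ContactName>Bob</ContactName>
    <Email>bob@example.com</Email>
  </Contact>
</Contact>"""

SINGLE = ("PostalAddress", "Fax", "Timezone")       # zero or one: nearest wins
MULTI = ("Email", "Telephone", "RegistryHandle")     # zero or more: accumulated
AGGREGATES = SINGLE + MULTI + ("ContactName", "ContactTitle", "Description",
                               "Contact", "AdditionalData")


def _text(elem):
    return (elem.text or "").strip()


def _child_text(elem, tag):
    child = elem.find(tag)
    return _text(child) if child is not None else None


def flatten_contacts(contact, ancestors=()):
    """One complete point of contact per leaf Contact, derived by the
    root-to-leaf traversal of Section 3.10.

    `ancestors` is the chain of enclosing Contact elements, outermost first.
    The leaf's own values come first, then the closest ancestor's, and so on;
    single-valued classes (zero or one) take the nearest value only."""
    children = contact.findall("Contact")
    if children:
        points = []
        for child in children:
            points.extend(flatten_contacts(child, ancestors + (contact,)))
        return points
    chain = ancestors + (contact,)              # root ... leaf
    nearest_first = tuple(reversed(chain))
    point = {
        "role": contact.get("role"),
        "type": contact.get("type"),
        "name": _child_text(contact, "ContactName"),
        "organization": [_child_text(a, "ContactName") for a in ancestors
                         if a.get("type") == "organization"],
    }
    for tag in SINGLE:
        point[tag] = next((_text(e) for node in nearest_first
                           for e in node.findall(tag)), None)
    for tag in MULTI:
        point[tag] = [_text(e) for node in nearest_first for e in node.findall(tag)]
    return [point]


def contacts_without_content(root):
    """Section 3.10 requires at least one aggregate class per Contact but
    says the schema cannot enforce it, so check it here. Returns the roles
    of offending Contacts (the root included if it is itself a Contact)."""
    return [c.get("role") for c in root.iter("Contact")
            if not any(c.find(tag) is not None for tag in AGGREGATES)]
```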
   +------------------+
   | Contact          |
   +------------------+
   | ENUM role        |<>--{0..1}--[ ContactName ]
   | ENUM type        |<>--{0..1}--[ ContactTitle ]
   | ENUM restriction |<>--{0..*}--[ Description ]
   |                  |<>--{0..*}--[ RegistryHandle ]
   |                  |<>--{0..1}--[ PostalAddress ]
   |                  |<>--{0..*}--[ Email ]
   |                  |<>--{0..*}--[ Telephone ]
   |                  |<>--{0..1}--[ Fax ]
   |                  |<>--{0..1}--[ Timezone ]
   |                  |<>--{0..*}--[ Contact ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                     Figure 9: The Contact Class

   The aggregate classes that constitute the Contact class are:

   ContactName
      Zero or one. ML_STRING. The name of the contact. The contact
      may either be an organization or a person. The type attribute
      disambiguates the semantics.

   ContactTitle
      Zero or one. ML_STRING. The title for the individual named in
      the ContactName.

   Description
      Zero or more. ML_STRING. A free-form description of this
      contact. In the case of a person, this is often the
      organizational title of the individual.

   RegistryHandle
      Zero or more. A handle name into the registry of the contact.

   PostalAddress
      Zero or one. The postal address of the contact.

   Email
      Zero or more. The email address of the contact.

   Telephone
      Zero or more. The telephone number of the contact.

   Fax
      Zero or one. The facsimile telephone number of the contact.

   Timezone
      Zero or one. TIMEZONE. The timezone in which the contact resides
      formatted according to Section 2.9.

   Contact
      Zero or more. A Contact instance contained within another Contact
      instance inherits the values of the parent(s). This recursive
      definition can be used to group common data pertaining to multiple
      points of contact and is especially useful when listing multiple
      contacts at the same organization.

   AdditionalData
      Zero or more. A mechanism by which to extend the data model.
   At least one of the aggregate classes MUST be present in an instance
   of the Contact class. This is not enforced in the IODEF schema as
   there is no simple way to accomplish it.

   The Contact class has three attributes:

   role
      Required. ENUM. Indicates the role the contact fulfills. This
      attribute is defined as an enumerated list. These values are
      maintained in the "Contact-role" IANA registry per Table 1.

      1.  creator. The entity that generates the document.

      2.  reporter. The entity that reported the information.

      3.  admin. An administrative contact or business owner for an
          asset or organization.

      4.  tech. An entity responsible for the day-to-day management of
          technical issues for an asset or organization.

      5.  provider. An external hosting provider for an asset.

      6.  zone. An entity with authority over a DNS zone.

      7.  user. An end-user of an asset or part of an organization.

      8.  billing. An entity responsible for billing issues for an
          asset or organization.

      9.  legal. An entity responsible for legal issues related to an
          asset or organization.

      10. irt. An entity responsible for handling security issues for
          an asset or organization.

      11. abuse. An entity responsible for handling abuse originating
          from an asset or organization.

      12. cc. An entity that is to be kept informed about the events
          related to an asset or organization.

      13. cc-irt. A CSIRT or information sharing organization
          coordinating activity related to an asset or organization.

      14. leo. A law enforcement organization supporting the
          investigation of activity affecting an asset or organization.

      15. vendor. The vendor that produces an asset.

      16. vendor-support. A vendor that provides services.

      17. victim. A victim in the incident.

      18. victim-notified. A victim in the incident who has been
          notified.

   type
      Required. ENUM. Indicates the type of contact being described.
      This attribute is defined as an enumerated list. These values are
      maintained in the "Contact-type" IANA registry per Table 1.

      1.  person. The information for this contact references an
          individual.

      2.  organization. The information for this contact references an
          organization.

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2.

3.10.1.  RegistryHandle Class

   The RegistryHandle class represents a handle into an Internet
   registry or community-specific database. The handle is specified in
   the element content and the type attribute specifies the database.

   +---------------------+
   | RegistryHandle      |
   +---------------------+
   | STRING              |
   |                     |
   | ENUM registry       |
   +---------------------+

                 Figure 10: The RegistryHandle Class

   The RegistryHandle class has one attribute:

   registry
      Required. ENUM. The database to which the handle belongs. These
      values are maintained in the "RegistryHandle-registry" IANA
      registry per Table 1. The possible values are:

      1.  internic. Internet Network Information Center

      2.  apnic. Asia Pacific Network Information Center

      3.  arin. American Registry for Internet Numbers

      4.  lacnic. Latin-American and Caribbean IP Address Registry

      5.  ripe. Reseaux IP Europeens

      6.  afrinic. African Internet Numbers Registry

      7.  local. A database local to the CSIRT

3.10.2.  PostalAddress Class

   The PostalAddress class specifies a postal address formatted
   according to the POSTAL data type (Section 2.11).

   +---------------------+
   | PostalAddress       |
   +---------------------+
   | POSTAL              |
   |                     |
   | STRING meaning      |
   | ENUM lang           |
   +---------------------+

                 Figure 11: The PostalAddress Class

   The PostalAddress class has two attributes:

   meaning
      Optional. STRING. A free-form description of the element
      content.
   lang
      Optional. ENUM. A valid language code per [RFC5646] constrained
      by the definition of "xs:language". The interpretation of this
      code is described in Section 6.

3.10.3.  Email Class

   The Email class specifies an email address formatted according to
   the EMAIL data type (Section 2.14).

   +--------------+
   | Email        |
   +--------------+
   | EMAIL        |
   |              |
   | ENUM meaning |
   +--------------+

                     Figure 12: The Email Class

   The Email class has one attribute:

   meaning
      Optional. ENUM. A free-form description of the element content.

3.10.4.  Telephone and Fax Classes

   The Telephone and Fax classes specify a voice or fax telephone number
   respectively, and are formatted according to the PHONE data type
   (Section 2.13).

   +--------------------+
   | {Telephone | Fax } |
   +--------------------+
   | PHONE              |
   |                    |
   | ENUM meaning       |
   +--------------------+

               Figure 13: The Telephone and Fax Classes

   The Telephone class has one attribute:

   meaning
      Optional. ENUM. A free-form description of the element content
      (e.g., hours of coverage for a given number).

3.11.  Time Classes

   The data model uses five different classes to represent a timestamp.
   Their definition is identical, but each has a distinct name to convey
   a difference in semantics.

   The element content of each class is a timestamp formatted according
   to the DATETIME data type (see Section 2.8).

   +----------------------------------+
   | {Start| End| Report| Detect}Time |
   +----------------------------------+
   | DATETIME                         |
   +----------------------------------+

                     Figure 14: The Time Classes

3.11.1.  StartTime Class

   The StartTime class represents the time the incident began.

3.11.2.  EndTime Class

   The EndTime class represents the time the incident ended.

3.11.3.  DetectTime Class

   The DetectTime class represents the time the first activity of the
   incident was detected.

3.11.4.  ReportTime Class

   The ReportTime class represents the time the incident was reported.
   This timestamp MUST be the time at which the IODEF document was
   generated.

3.11.5.  DateTime

   The DateTime class is a generic representation of a timestamp. Infer
   its semantics from the parent class in which it is aggregated.

3.12.  Discovery Class

   The Discovery class describes how an incident was detected.

   +-------------------+
   | Discovery         |
   +-------------------+
   | ENUM source       |<>--{0..*}--[ Description ]
   | ENUM restriction  |<>--{0..*}--[ Contact ]
   |                   |<>--{0..*}--[ DetectionPattern ]
   +-------------------+

                    Figure 15: The Discovery Class

   The Discovery class is composed of three aggregate classes.

   Description
      Zero or more. ML_STRING. A free-form text description of how
      this incident was detected.

   Contact
      Zero or more. Contact information for the party that discovered
      the incident.

   DetectionPattern
      Zero or more. Describes an application-specific configuration
      that detected the incident.

   The Discovery class has two attributes:

   source
      Optional. ENUM. Categorizes the techniques used to discover the
      incident. These values are partially derived from Table 3-1 of
      [NIST800.61rev2]. These values are maintained in the "Discovery-
      source" IANA registry per Table 1.

      1.  nidps. Network Intrusion Detection or Prevention system.

      2.  hips. Host-based Intrusion Prevention system.

      3.  siem. Security Information and Event Management System.

      4.  av. Antivirus or antispam software.

      5.  third-party-monitoring. Contracted third-party monitoring
          service.

      6.  incident. The activity was discovered while investigating an
          unrelated incident.

      7.  os-log. Operating system logs.

      8.  application-log. Application logs.

      9.  device-log. Network device logs.

      10. network-flow. Network flow analysis.

      11. passive-dns. Passive DNS analysis.

      12. investigation. Manual investigation initiated based on
          notification of a new vulnerability or exploit.

      13. audit. Security audit.

      14. internal-notification. A party within the organization
          reported the activity.

      15. external-notification. A party outside of the organization
          reported the activity.

      16. leo. A law enforcement organization notified the victim
          organization.

      17. partner. A customer or business partner reported the
          activity to the victim organization.

      18. actor. The threat actor directly or indirectly reported this
          activity to the victim organization.

      19. unknown. Unknown detection approach.

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2.

3.12.1.  DetectionPattern Class

   The DetectionPattern class describes a configuration or signature
   that can be used by an IDS/IPS, SIEM, anti-virus, end-point
   protection, network analysis, malware analysis, or host forensics
   tool to identify a particular phenomenon. This class requires the
   identification of the target application and allows the configuration
   to be described in either free-form or machine readable form.

   +------------------+
   | DetectionPattern |
   +------------------+
   | ENUM restriction |<>----------[ Application ]
   |                  |<>--{0..*}--[ Description ]
   |                  |<>--{0..*}--[ DetectionConfiguration ]
   +------------------+

                Figure 16: The DetectionPattern Class

   The DetectionPattern class is composed of three aggregate classes.

   Application
      One. The application for which the DetectionConfiguration or
      Description is being provided.

   Description
      Zero or more. ML_STRING. A free-form text description of how to
      use the Application or provided DetectionConfiguration.

   DetectionConfiguration
      Zero or more. STRING. A machine consumable configuration to find
      a pattern of activity.

   Either an instance of the Description or DetectionConfiguration class
   MUST be present.

   The DetectionPattern class has one attribute:

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2.

3.13.  Method Class

   The Method class describes the tactics, techniques, or procedures
   used by the intruder in the incident. This class consists of both a
   list of references describing the attack method and a free form
   description.

   +------------------+
   | Method           |
   +------------------+
   | ENUM restriction |<>--{0..*}--[ enum:Reference ]
   |                  |<>--{0..*}--[ Description ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                     Figure 17: The Method Class

   The Method class is composed of three aggregate classes.

   enum:Reference
      Zero or more. A reference to a vulnerability, malware sample,
      advisory, or analysis of an attack technique per [RFC-ENUM].

   Description
      Zero or more. ML_STRING. A free-form text description of
      techniques, tactics, or procedures used by the intruder.

   AdditionalData
      Zero or more. A mechanism by which to extend the data model.

   Either an instance of the Reference or Description class MUST be
   present.

   The Method class has one attribute:

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2.

3.14.  Assessment Class

   The Assessment class describes the repercussions of the incident to
   the victim.
   +-------------------------+
   | Assessment              |
   +-------------------------+
   | ENUM occurrence         |<>--{0..*}--[ IncidentCategory ]
   | ENUM restriction        |<>--{0..*}--[ SystemImpact ]
   | ID observable-id        |<>--{0..*}--[ BusinessImpact ]
   |                         |<>--{0..*}--[ TimeImpact ]
   |                         |<>--{0..*}--[ MonetaryImpact ]
   |                         |<>--{0..*}--[ IntendedImpact ]
   |                         |<>--{0..*}--[ Counter ]
   |                         |<>--{0..*}--[ MitigatingFactor ]
   |                         |<>--{0..1}--[ Confidence ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                     Figure 18: Assessment Class

   The aggregate classes that constitute Assessment are:

   IncidentCategory
      Zero or more. ML_STRING. A free-form text description
      categorizing the type of Incident.

   SystemImpact
      Zero or more. Technical characterization of the impact of the
      activity on the victim's enterprise.

   BusinessImpact
      Zero or more. Impact of the activity on the business functions of
      the victim organization.

   TimeImpact
      Zero or more. Impact of the activity measured with respect to
      time.

   MonetaryImpact
      Zero or more. Impact of the activity measured with respect to
      financial loss.

   IntendedImpact
      Zero or more. Intended impact to the victim by the attacker.
      Identically defined as Section 3.14.2 but describes intent rather
      than the realized impact.

   Counter
      Zero or more. A counter with which to summarize the magnitude of
      the activity.

   MitigatingFactor
      Zero or one. ML_STRING. A description of a factor mitigating the
      impact.

   Confidence
      Zero or one. An estimate of confidence in the assessment.

   AdditionalData
      Zero or more. A mechanism by which to extend the data model.

   At least one instance of the possible three impact classes (i.e.,
   Impact, TimeImpact, or MonetaryImpact) MUST be present.

   The Assessment class has three attributes:

   occurrence
      Optional. ENUM. Specifies whether the assessment is describing
      actual or potential outcomes.

      1.  actual. This assessment describes activity that has occurred.

      2.  potential. This assessment describes potential activity that
          might occur.

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2.

   observable-id
      Optional. ID. See Section 3.3.2.

3.14.1.  SystemImpact Class

   The SystemImpact class describes the technical impact of the incident
   to the systems on the network.

   This class is based on [RFC4765].

   +------------------+
   | SystemImpact     |
   +------------------+
   | ML_STRING        |
   |                  |
   | ENUM lang        |
   | ENUM severity    |
   | ENUM completion  |
   | ENUM type        |
   +------------------+

                    Figure 19: SystemImpact Class

   The element content will be a free-form textual description of the
   impact.

   The SystemImpact class has four attributes:

   lang
      Optional. ENUM. A valid language code per [RFC5646] constrained
      by the definition of "xs:language". The interpretation of this
      code is described in Section 6.

   severity
      Optional. ENUM. An estimate of the relative severity of the
      activity. The permitted values are shown below. There is no
      default value.

      1.  low. Low severity

      2.  medium. Medium severity

      3.  high. High severity

   completion
      Optional. ENUM. An indication whether the described activity was
      successful. The permitted values are shown below. There is no
      default value.

      1.  failed. The attempted activity was not successful.

      2.  succeeded. The attempted activity succeeded.

   type
      Required. ENUM. Classifies the impact. The permitted values are
      shown below. The default value is "unknown". These values are
      maintained in the "SystemImpact-type" IANA registry per Table 1.

      1.  takeover-account. Control was taken of a given account
          (e.g., a social media account).

      2.  takeover-service. Control was taken of a given service.

      3.  takeover-system. Control was taken of a given system.

      4.  cps-manipulation. A cyber physical system was manipulated.

      5.  cps-damage. A cyber physical system was damaged.

      6.  availability-data. Access to particular data was degraded or
          denied.

      7.  availability-account. Access to an account was degraded or
          denied.

      8.  availability-service. Access to a service was degraded or
          denied.

      9.  availability-system. Access to a system was degraded or
          denied.

      10. damaged-system. Hardware on a system was irreparably
          damaged.

      11. damaged-data. Data on a system was deleted.

      12. breach-proprietary. Sensitive or proprietary information was
          accessed or exfiltrated.

      13. breach-privacy. Personally identifiable information was
          accessed or exfiltrated.

      14. breach-credential. Credential information was accessed or
          exfiltrated.

      15. breach-configuration. System configuration or data inventory
          was accessed or exfiltrated.

      16. integrity-data. Data on the system was modified.

      17. integrity-configuration. Application or system configuration
          was modified.

      18. integrity-hardware. Firmware of a hardware component was
          modified.

      19. traffic-redirection. Network traffic on the system was
          redirected.

      20. monitoring-traffic. Network traffic emerging from a host was
          monitored.

      21. monitoring-host. System activity (e.g., running processes,
          keystrokes) was monitored.

      22. policy. Activity violated the system owner's acceptable use
          policy.

      23. unknown. The impact is unknown.

3.14.2.  BusinessImpact Class

   The BusinessImpact class describes and characterizes the degree to
   which the function of the organization was impacted by the Incident.

   The element body describes the impact to the organization as a
   free-form text string.
The two attributes characterize the impact. 1741 +-------------------------+ 1742 | BusinessImpact | 1743 +-------------------------+ 1744 | ML_STRING | 1745 | | 1746 | ENUM severity | 1747 | ENUM type | 1748 +-------------------------+ 1750 Figure 20: BusinessImpact Class 1752 The element content will be a free-form textual description of the 1753 impact to the organization. 1755 The BusinessImpact class has two attributes: 1757 severity 1758 Optional. ENUM. Characterizes the severity of the incident on 1759 business functions. The permitted values are shown below. They 1760 were derived from Table 3-2 of [NIST800.61rev2]. The default 1761 value is "unknown". These values are maintained in the 1762 "BusinessImpact-severity" IANA registry per Table 1. 1764 1. none. No effect to the organization's ability to provide all 1765 services to all users. 1767 2. low. Minimal effect as the organization can still provide all 1768 critical services to all users but has lost efficiency. 1770 3. medium. The organization has lost the ability to provide a 1771 critical service to a subset of system users. 1773 4. high. The organization is no longer able to provide some 1774 critical services to any users. 1776 5. unknown. The impact is not known. 1778 type 1779 Required. ENUM. Characterizes the effect this incident had on 1780 the business. The permitted values are shown below. There is no 1781 default value. These values are maintained in the 1782 "BusinessImpact-type" IANA registry per Table 1. 1784 1. breach-proprietary. Sensitive or proprietary information was 1785 accessed or exfiltrated. 1787 2. breach-privacy. Personally identifiable information was 1788 accessed or exfiltrated. 1790 3. breach-credential. Credential information was accessed or 1791 exfiltrated. 1793 4. loss-of-integrity. Sensitive or proprietary information was 1794 changed or deleted. 1796 5. loss-of-service. Service delivery was disrupted. 1798 6. theft-financial. Money was stolen. 1800 7. theft-service. 
Services were misappropriated. 1802 8. degraded-reputation. The reputation of the organization's 1803 brand was diminished. 1805 9. asset-damage. A cyber-physical system was damaged. 1807 10. asset-manipulation. A cyber-physical system was manipulated. 1809 11. legal. The incident resulted in legal or regulatory action. 1811 12. extortion. The incident resulted in actors extorting the 1812 victim organization. 1814 3.14.3. TimeImpact Class 1816 The TimeImpact class describes the impact of the incident on an 1817 organization as a function of time. It provides a way to convey down 1818 time and recovery time. 1820 +---------------------+ 1821 | TimeImpact | 1822 +---------------------+ 1823 | REAL | 1824 | | 1825 | ENUM severity | 1826 | ENUM metric | 1827 | ENUM duration | 1828 +---------------------+ 1830 Figure 21: TimeImpact Class 1832 The element content is a positive, floating point (REAL) number 1833 specifying a unit of time. The duration and metric attributes will 1834 imply the semantics of the element content. 1836 The TimeImpact class has three attributes: 1838 severity 1839 Optional. ENUM. An estimate of the relative severity of the 1840 activity. The permitted values are shown below. There is no 1841 default value. 1843 1. low. Low severity 1845 2. medium. Medium severity 1846 3. high. High severity 1848 metric 1849 Required. ENUM. Defines the metric in which the time is 1850 expressed. The permitted values are shown below. There is no 1851 default value. These values are maintained in the "TimeImpact- 1852 metric" IANA registry per Table 1. 1854 1. labor. Total staff-time to recovery from the activity (e.g., 1855 2 employees working 4 hours each would be 8 hours). 1857 2. elapsed. Elapsed time from the beginning of the recovery to 1858 its completion (i.e., wall-clock time). 1860 3. downtime. Duration of time for which some provided service(s) 1861 was not available. 1863 duration 1864 Optional. ENUM. 
Defines a unit of time, that when combined with 1865 the metric attribute, fully describes a metric of impact that will 1866 be conveyed in the element content. The permitted values are 1867 shown below. The default value is "hour". These values are 1868 maintained in the "TimeImpact-duration" IANA registry per Table 1. 1870 1. second. The unit of the element content is seconds. 1872 2. minute. The unit of the element content is minutes. 1874 3. hour. The unit of the element content is hours. 1876 4. day. The unit of the element content is days. 1878 5. month. The unit of the element content is months. 1880 6. quarter. The unit of the element content is quarters. 1882 7. year. The unit of the element content is years. 1884 3.14.4. MonetaryImpact Class 1886 The MonetaryImpact class describes the financial impact of the 1887 activity on an organization. For example, this impact may consider 1888 losses due to the cost of the investigation or recovery, diminished 1889 productivity of the staff, or a tarnished reputation that will affect 1890 future opportunities. 1892 +------------------+ 1893 | MonetaryImpact | 1894 +------------------+ 1895 | REAL | 1896 | | 1897 | ENUM severity | 1898 | STRING currency | 1899 +------------------+ 1901 Figure 22: MonetaryImpact Class 1903 The element content is a positive, floating point number (REAL) 1904 specifying a unit of currency described in the currency attribute. 1906 The MonetaryImpact class has two attributes: 1908 severity 1909 Optional. ENUM. An estimate of the relative severity of the 1910 activity. The permitted values are shown below. There is no 1911 default value. 1913 1. low. Low severity 1915 2. medium. Medium severity 1917 3. high. High severity 1919 currency 1920 Optional. STRING. Defines the currency in which the monetary 1921 impact is expressed. The permitted values are defined in "Codes 1922 for the representation of currencies and funds" of [ISO4217]. 1923 There is no default value. 1925 3.14.5. 
Confidence Class 1927 The Confidence class represents a best estimate of the validity and 1928 accuracy of the described impact (see Section 3.14) of the incident 1929 activity. This estimate can be expressed as a category or a numeric 1930 calculation. 1932 This class if based upon [RFC4765]. 1934 +------------------+ 1935 | Confidence | 1936 +------------------+ 1937 | REAL | 1938 | | 1939 | ENUM rating | 1940 +------------------+ 1942 Figure 23: Confidence Class 1944 The element content expresses a numerical assessment in the 1945 confidence of the data when the value of the rating attribute is 1946 "numeric". Otherwise, this element MUST be empty. 1948 The Confidence class has one attribute. 1950 rating 1951 Required. ENUM. A rating of the analytical validity of the 1952 specified Assessment. The permitted values are shown below. 1953 There is no default value. 1955 1. low. Low confidence in the validity. 1957 2. medium. Medium confidence in the validity. 1959 3. high. High confidence in the validity. 1961 4. numeric. The element content contains a number that conveys 1962 the confidence of the data. The semantics of this number 1963 outside the scope of this specification. 1965 5. unknown. The confidence rating value is not known. 1967 3.15. History Class 1969 The History class is a log of the significant events or actions 1970 performed by the involved parties during the course of handling the 1971 incident. 1973 The level of detail maintained in this log is left up to the 1974 discretion of those handling the incident. 1976 +------------------+ 1977 | History | 1978 +------------------+ 1979 | ENUM restriction |<>--{1..*}--[ HistoryItem ] 1980 | | 1981 +------------------+ 1983 Figure 24: The History Class 1985 The class that constitutes History is: 1987 HistoryItem 1988 One or many. Entry in the history log of significant events or 1989 actions performed by the involved parties. 1991 The History class has one attribute: 1993 restriction 1994 Optional. ENUM. 
This attribute is defined in Section 3.2. The 1995 default value is "default". 1997 3.15.1. HistoryItem Class 1999 The HistoryItem class is an entry in the History (Section 3.15) log 2000 that documents a particular action or event that occurred in the 2001 course of handling the incident. The details of the entry are a 2002 free-form description, but each can be categorized with the type 2003 attribute. 2005 +-------------------------+ 2006 | HistoryItem | 2007 +-------------------------+ 2008 | ENUM restriction |<>----------[ DateTime ] 2009 | ENUM action |<>--{0..1}--[ IncidentId ] 2010 | ID observable-id |<>--{0..1}--[ Contact ] 2011 | |<>--{0..*}--[ Description ] 2012 | |<>--{0..*}--[ AdditionalData ] 2013 +-------------------------+ 2015 Figure 25: HistoryItem Class 2017 The aggregate classes that constitute HistoryItem are: 2019 DateTime 2020 One. Timestamp of this entry in the history log (e.g., when the 2021 action described in the Description was taken). 2023 IncidentID 2024 Zero or One. In a history log created by multiple parties, the 2025 IncidentID provides a mechanism to specify which CSIRT created a 2026 particular entry and references this organization's incident 2027 tracking number. When a single organization is maintaining the 2028 log, this class can be ignored. 2030 Contact 2031 Zero or One. Provides contact information for the person that 2032 performed the action documented in this class. 2034 Description 2035 Zero or more. ML_STRING. A free-form textual description of the 2036 action or event. 2038 DefinedCOA 2039 Zero or more. ML_STRING. A unique identifier meaningful to the 2040 sender and recipient of this document that references a course of 2041 action. This class MUST be present if the action attribute is set 2042 to "defined-coa". 2044 AdditionalData 2045 Zero or more. A mechanism by which to extend the data model. 2047 The HistoryItem class has three attributes: 2049 restriction 2050 Optional. ENUM. See Section 3.3.1. 
2052 action 2053 Required. ENUM. Classifies a performed action or occurrence 2054 documented in this history log entry. As activity will likely 2055 have been instigated either through a previously conveyed 2056 expectation or internal investigation, this attribute is identical 2057 to the action attribute of the Expectation class. The difference 2058 is only one of tense. When an action is in this class, it has 2059 been completed. See Section 3.17. 2061 observable-id 2062 Optional. ID. See Section 3.3.2. 2064 3.16. EventData Class 2066 The EventData class describes a particular event of the incident for 2067 a given set of hosts or networks. This description includes the 2068 systems from which the activity originated and those targeted, an 2069 assessment of the techniques used by the intruder, the impact of the 2070 activity on the organization, and any forensic evidence discovered. 2072 +-------------------------+ 2073 | EventData | 2074 +-------------------------+ 2075 | ENUM restriction |<>--{0..*}--[ Description ] 2076 | ID observable-id |<>--{0..1}--[ DetectTime ] 2077 | |<>--{0..1}--[ StartTime ] 2078 | |<>--{0..1}--[ EndTime ] 2079 | |<>--{0..1}--[ RecoveryTime ] 2080 | |<>--{0..1}--[ ReportTime ] 2081 | |<>--{0..*}--[ Contact ] 2082 | |<>--{0..*}--[ Discovery ] 2083 | |<>--{0..1}--[ Assessment ] 2084 | |<>--{0..*}--[ Method ] 2085 | |<>--{0..*}--[ Flow ] 2086 | |<>--{0..*}--[ Expectation ] 2087 | |<>--{0..1}--[ Record ] 2088 | |<>--{0..*}--[ EventData ] 2089 | |<>--{0..*}--[ AdditionalData ] 2090 +-------------------------+ 2092 Figure 26: The EventData Class 2094 The aggregate classes that constitute EventData are: 2096 Description 2097 Zero or more. ML_STRING. A free-form textual description of the 2098 event. 2100 DetectTime 2101 Zero or one. The time the event was detected. 2103 StartTime 2104 Zero or one. The time the event started. 2106 EndTime 2107 Zero or one. The time the event ended. 2109 RecoveryTime 2110 Zero or one. 
The time the site recovered from the event. 2112 ReportTime 2113 One. The time the event was reported. 2115 Contact 2116 Zero or more. Contact information for the parties involved in the 2117 event. 2119 Discovery 2120 Zero or more. The means by which the event was detected. 2122 Assessment 2123 Zero or one. The impact of the event on the target and the 2124 actions taken. 2126 Method 2127 Zero or more. The technique used by the intruder in the event. 2129 Flow 2130 Zero or more. A description of the systems or networks involved. 2132 Expectation 2133 Zero or more. The expected action to be performed by the 2134 recipient for the described event. 2136 Record 2137 Zero or one. Supportive data (e.g., log files) that provides 2138 additional information about the event. 2140 EventData 2141 Zero or more. EventData instances contained within another 2142 EventData instance inherit the values of the parent(s); this 2143 recursive definition can be used to group common data pertaining 2144 to multiple events. When EventData elements are defined 2145 recursively, only the leaf instances (those EventData instances 2146 not containing other EventData instances) represent actual events. 2148 AdditionalData 2149 Zero or more. An extension mechanism for data not explicitly 2150 represented in the data model. 2152 At least one of the aggregate classes MUST be present in an instance 2153 of the EventData class. This is not enforced in the IODEF schema as 2154 there is no simple way to accomplish it. 2156 The EventData class has two attributes: 2158 restriction 2159 Optional. ENUM. This attribute is defined in Section 3.2. The 2160 default value is "default". 2162 observable-id 2163 Optional. ID. See Section 3.3.2. 2165 3.16.1. Relating the Incident and EventData Classes 2167 There is substantial overlap in the Incident and EventData classes. 2168 Nevertheless, the semantics of these classes are quite different. 
2169 The Incident class provides summary information about the entire 2170 incident, while the EventData class provides information about the 2171 individual events comprising the incident. In the most common case, 2172 the EventData class will provide more specific information for the 2173 general description provided in the Incident class. However, it may 2174 also be possible that the overall summarized information about the 2175 incident conflicts with some individual information in an EventData 2176 class when there is a substantial composition of various events in 2177 the incident. In such a case, the interpretation of the more 2178 specific EventData MUST supersede the more generic information 2179 provided in Incident. 2181 3.16.2. Cardinality of EventData 2183 The EventData class can be thought of as a container for the 2184 properties of an event in an incident. These properties include: the 2185 hosts involved, impact of the incident activity on the hosts, 2186 forensic logs, etc. With an instance of the EventData class, hosts 2187 (i.e., System class) are grouped around these common properties. 2189 The recursive definition (or instance property inheritance) of the 2190 EventData class (the EventData class is aggregated into the EventData 2191 class) provides a way to relate information without requiring the 2192 explicit use of unique attribute identifiers in the classes or 2193 duplicating information. Instead, the relative depth (nesting) of a 2194 class is used to group (relate) information. 2196 For example, an EventData class might be used to describe two 2197 machines involved in an incident. This description can be achieved 2198 using multiple instances of the Flow class. It happens that there is 2199 a common technical contact (i.e., Contact class) for these two 2200 machines, but the impact (i.e., Assessment class) on them is 2201 different. A depiction of the representation for this situation can 2202 be found in Figure 27. 
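   As an added example, not part of this draft or of any IODEF
   implementation, the Python below encodes the nesting that Figure 27
   depicts as a constructed EventData fragment, flattens it into its
   leaf events (each inheriting the shared Contact of the parent), and
   checks four MUST rules from this section that the XML schema cannot
   express: every EventData carries at least one aggregate class,
   Confidence content is empty unless rating is "numeric", a Node
   carries an Address or a DomainData, and an action of "defined-coa"
   is accompanied by a DefinedCOA.  The namespace URI, the Contact
   attributes and all sample values are assumptions.

```python
"""Flatten recursive IODEF EventData and check prose-only MUST rules.

Added example; not code from the draft.  The namespace URI below is an
assumption, and both XML fragments are constructed for illustration.
"""
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-2.0"  # assumed IODEF v2 namespace


def q(tag):
    """Qualify a local element name with the IODEF namespace."""
    return "{%s}%s" % (NS, tag)


# Constructed sample mirroring Figure 27: one Contact shared by two
# nested EventData instances that each carry their own Flow/Assessment.
# Contact role/type attributes are assumed from IODEF, not this section.
SAMPLE = """<EventData xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Contact role="tech" type="person"><ContactName>NOC on-call</ContactName></Contact>
  <EventData>
    <Flow><System category="target"><Node>
      <Address category="ipv4-addr">192.0.2.10</Address></Node></System></Flow>
    <Assessment><SystemImpact type="takeover-system" severity="high"/></Assessment>
  </EventData>
  <EventData>
    <Flow><System category="target"><Node>
      <Address category="ipv4-addr">192.0.2.11</Address></Node></System></Flow>
    <Assessment><SystemImpact type="availability-service" severity="low"/></Assessment>
  </EventData>
</EventData>"""

# Constructed sample that a schema validator accepts but that breaks four
# rules stated only in prose (empty leaf EventData, non-numeric Confidence
# with content, Node without Address/DomainData, defined-coa without COA).
BAD = """<EventData xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Assessment><Confidence rating="high">0.9</Confidence></Assessment>
  <Flow><System category="source"><Node><Location>rack 4</Location></Node></System></Flow>
  <Expectation action="defined-coa"><Description>run playbook</Description></Expectation>
  <EventData/>
</EventData>"""


def parse(text):
    return ET.fromstring(text)


def describe(elem):
    """Summarise one aggregate element as a (class name, detail) pair."""
    local = elem.tag.split("}")[-1]
    if local == "Contact":
        return (local, elem.findtext(q("ContactName"), default=""))
    if local == "Flow":
        return (local, ",".join(a.text for a in elem.iter(q("Address"))))
    if local == "Assessment":
        return (local, ",".join(i.get("type", "") for i in elem.iter(q("SystemImpact"))))
    return (local, (elem.text or "").strip())


def leaf_events(event, inherited=()):
    """Return one property list per leaf EventData (Section 3.16.2).

    Properties of every enclosing EventData are inherited by the leaves;
    only leaves represent actual events.
    """
    own = list(inherited)
    own.extend(describe(c) for c in event if c.tag != q("EventData"))
    nested = [c for c in event if c.tag == q("EventData")]
    if not nested:
        return [own]
    leaves = []
    for sub in nested:
        leaves.extend(leaf_events(sub, own))
    return leaves


def check_constraints(root):
    """Return violations of MUST rules that the IODEF schema does not enforce."""
    problems = []
    for ev in root.iter(q("EventData")):          # includes root itself
        if len(ev) == 0:
            problems.append("EventData without any aggregate class")
    for conf in root.iter(q("Confidence")):
        if conf.get("rating") != "numeric" and (conf.text or "").strip():
            problems.append("Confidence has content but rating is not numeric")
    for node in root.iter(q("Node")):
        if node.find(q("Address")) is None and node.find(q("DomainData")) is None:
            problems.append("Node lacks both Address and DomainData")
    for cls in ("Expectation", "HistoryItem"):
        for elem in root.iter(q(cls)):
            if elem.get("action") == "defined-coa" and elem.find(q("DefinedCOA")) is None:
                problems.append(cls + " action=defined-coa without DefinedCOA")
    return problems


if __name__ == "__main__":
    for leaf in leaf_events(parse(SAMPLE)):
        print(leaf)
    print(check_constraints(parse(BAD)))
```

   A receiver that validates only against the schema would accept the
   second fragment; these checks are the extra step worth running before
   an incoming report drives any automated handling.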
   +------------------+
   |    EventData     |
   +------------------+
   |                  |<>----[ Contact ]
   |                  |
   |                  |<>----[ EventData ]<>----[ Flow ]
   |                  |      [           ]<>----[ Assessment ]
   |                  |
   |                  |<>----[ EventData ]<>----[ Flow ]
   |                  |      [           ]<>----[ Assessment ]
   +------------------+

               Figure 27: Recursion in the EventData Class

3.17.  Expectation Class

   The Expectation class conveys to the recipient of the IODEF document
   the actions the sender is requesting.  The scope of the requested
   action is limited to the purview of the EventData class in which this
   class is aggregated.

   +-------------------------+
   |       Expectation       |
   +-------------------------+
   | ENUM restriction        |<>--{0..*}--[ Description ]
   | ENUM severity           |<>--{0..*}--[ DefinedCOA ]
   | ENUM action             |<>--{0..1}--[ StartTime ]
   | ID observable-id        |<>--{0..1}--[ EndTime ]
   |                         |<>--{0..1}--[ Contact ]
   +-------------------------+

                  Figure 28: The Expectation Class

   The aggregate classes that constitute Expectation are:

   Description
      Zero or more.  ML_STRING.  A free-form description of the desired
      action(s).

   DefinedCOA
      Zero or more.  ML_STRING.  A unique identifier meaningful to the
      sender and recipient of this document that references a course of
      action.  This class MUST be present if the action attribute is set
      to "defined-coa".

   StartTime
      Zero or one.  The time at which the sender would like the action
      performed.  A timestamp that is earlier than the ReportTime
      specified in the Incident class denotes that the sender would like
      the action performed as soon as possible.  The absence of this
      element indicates no expectations of when the recipient would like
      the action performed.

   EndTime
      Zero or one.  The time by which the sender expects the recipient
      to complete the action.  If the recipient cannot complete the
      action before EndTime, the recipient MUST NOT carry out the
      action.  Because of transit delays, clock drift, and so on, the
      sender MUST be prepared for the recipient to have carried out the
      action, even if it completes past EndTime.

   Contact
      Zero or one.  The expected actor for the action.

   The Expectation class has four attributes:

   restriction
      Optional.  ENUM.  This attribute is defined in Section 3.2.  The
      default value is "default".

   severity
      Optional.  ENUM.  Indicates the desired priority of the action.
      This attribute is an enumerated list with no default value, and
      the semantics of these relative measures are context dependent.

      1.  low.  Low priority

      2.  medium.  Medium priority

      3.  high.  High priority

   action
      Optional.  ENUM.  Classifies the type of action requested.  This
      attribute is an enumerated list with a default value of "other".
      These values are maintained in the "Expectation-action" IANA
      registry per Table 1.

      1.   nothing.  No action is requested.  Do nothing with the
           information.

      2.   contact-source-site.  Contact the site(s) identified as the
           source of the activity.

      3.   contact-target-site.  Contact the site(s) identified as the
           target of the activity.

      4.   contact-sender.  Contact the originator of the document.

      5.   investigate.  Investigate the system(s) listed in the event.

      6.   block-host.  Block traffic from the machine(s) listed as
           sources in the event.

      7.   block-network.  Block traffic from the network(s) listed as
           sources in the event.

      8.   block-port.  Block the port listed as sources in the event.

      9.   rate-limit-host.  Rate-limit the traffic from the machine(s)
           listed as sources in the event.

      10.  rate-limit-network.  Rate-limit the traffic from the
           network(s) listed as sources in the event.

      11.  rate-limit-port.  Rate-limit the port(s) listed as sources in
           the event.

      12.  redirect-traffic.  Redirect traffic from intended recipient
           for further analysis.

      13.  honeypot.  Redirect traffic to a honeypot for further
           analysis.

      14.  upgrade-software.  Upgrade or patch the software or firmware
           on an asset.

      15.  rebuild-asset.  Reinstall the operating system or
           applications on an asset.

      16.  harden-asset.  Change the configuration of an asset (e.g.,
           reduce the number of services or user accounts) to reduce the
           attack surface.

      17.  remediate-other.  Remediate the activity in a way other than
           by rate limiting or blocking.

      18.  status-triage.  Conveys receipt and the triaging of an
           incident.

      19.  status-new-info.  Conveys that new information was received
           for this incident.

      20.  watch-and-report.  Watch for the described activity and share
           if seen.

      21.  training.  Train users to identify or mitigate a threat.

      22.  defined-coa.  Perform a predefined course of action (COA).
           The COA is named in the DefinedCOA class.

      23.  other.  Perform some custom action described in the
           Description class.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.18.  Flow Class

   The Flow class groups related source and target hosts.

   +------------------+
   |       Flow       |
   +------------------+
   |                  |<>--{1..*}--[ System ]
   +------------------+

                      Figure 29: The Flow Class

   The aggregate class that constitutes Flow is:

   System
      One or more.  A host or network involved in an event.

   The Flow class has no attributes.

3.19.  System Class

   The System class describes a system or network involved in an event.
   The systems or networks represented by this class are categorized
   according to the role they played in the incident through the
   category attribute.  The value of this category attribute dictates
   the semantics of the aggregated classes in the System class.  If the
   category attribute has a value of "source", then the aggregated
   classes denote the machine and service from which the activity is
   originating.  With a category attribute value of "target" or
   "intermediary", the machine or service is the one targeted in the
   activity.  A value of "sensor" dictates that this System was part of
   an instrumentation to monitor the network.

   +---------------------+
   |       System        |
   +---------------------+
   | ENUM restriction    |<>----------[ Node ]
   | ENUM category       |<>--{0..*}--[ NodeRole ]
   | STRING interface    |<>--{0..*}--[ Service ]
   | ENUM spoofed        |<>--{0..*}--[ OperatingSystem ]
   | ENUM virtual        |<>--{0..*}--[ Counter ]
   | ENUM ownership      |<>--{0..*}--[ AssetID ]
   |                     |<>--{0..*}--[ Description ]
   |                     |<>--{0..*}--[ AdditionalData ]
   +---------------------+

                     Figure 30: The System Class

   The aggregate classes that constitute System are:

   Node
      One.  A host or network involved in the incident.

   NodeRole
      Zero or more.  The intended purpose of the system.

   Service
      Zero or more.  A network service running on the system.

   OperatingSystem
      Zero or more.  The operating system running on the system.

   Counter
      Zero or more.  A counter with which to summarize properties of
      this host or network.

   AssetID
      Zero or more.  An asset identifier for the System.

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      System.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   The System class has six attributes:

   restriction
      Optional.  ENUM.  This attribute is defined in Section 3.2.

   category
      Optional.  ENUM.  Classifies the role the host or network played
      in the incident.  These values are maintained in the "System-
      category" IANA registry per Table 1.  The possible values are:

      1.  source.  The System was the source of the event.

      2.  target.  The System was the target of the event.

      3.  intermediate.  The System was an intermediary in the event.

      4.  sensor.  The System was a sensor monitoring the event.

      5.  infrastructure.  The System was an infrastructure node of the
          IODEF document exchange.

   interface
      Optional.  STRING.  Specifies the interface on which the event(s)
      on this System originated.  If the Node class specifies a network
      rather than a host, this attribute has no meaning.

   spoofed
      Optional.  ENUM.  An indication of confidence in whether this
      System was the true target or attacking host.  The permitted
      values for this attribute are shown below.  The default value is
      "unknown".

      1.  unknown.  The accuracy of the category attribute value is
          unknown.

      2.  yes.  The category attribute value is probably incorrect.  In
          the case of a source, the System is likely a decoy; with a
          target, the System was likely not the intended victim.

      3.  no.  The category attribute value is believed to be correct.

   virtual
      Optional.  ENUM.  Indicates whether this System is a virtual or
      physical device.  The default value is "unknown".  The possible
      values are:

      1.  yes.  The System is a virtual device.

      2.  no.  The System is a physical device.

      3.  unknown.  It is not known if the System is virtual.

   ownership
      Optional.  ENUM.  Describes the ownership of this System relative
      to the sender of the IODEF document.  These values are maintained
      in the "System-ownership" IANA registry per Table 1.  The possible
      values are:

      1.  organization.  The System is owned by the organization.

      2.  personal.  The System is owned by an employee or affiliate of
          the organization.

      3.  partner.  The System is owned by a partner of the
          organization.

      4.  customer.  The System is owned by a customer of the
          organization.

      5.  no-relationship.  The System is owned by an entity that has no
          known relationship with the organization.

      6.  unknown.  The ownership of the System is unknown.

3.20.  Node Class

   The Node class names an asset or network.

   This class was derived from [RFC4765].

   +---------------+
   |     Node      |
   +---------------+
   |               |<>--{0..*}--[ DomainData ]
   |               |<>--{0..*}--[ Address ]
   |               |<>--{0..1}--[ PostalAddress ]
   |               |<>--{0..1}--[ Location ]
   |               |<>--{0..1}--[ DateTime ]
   |               |<>--{0..*}--[ Counter ]
   +---------------+

                      Figure 31: The Node Class

   The aggregate classes that constitute Node are:

   DomainData
      Zero or more.  The detailed domain (DNS) information associated
      with this Node.  If an Address is not provided, at least one
      DomainData MUST be specified.

   Address
      Zero or more.  The hardware, network, or application address of
      the Node.  If a DomainData is not provided, at least one Address
      MUST be specified.

   PostalAddress
      Zero or one.  The postal address of the asset.

   Location
      Zero or one.  ML_STRING.  A free-form description of the physical
      location of the Node.  This description may provide a more
      detailed description of where in the PostalAddress this Node is
      found (e.g., room number, rack number, slot number in a chassis).

   Counter
      Zero or more.  A counter with which to summarize properties of
      this host or network.

   The Node class has no attributes.

3.20.1.  Address Class

   The Address class represents a hardware (layer-2), network (layer-3),
   or application (layer-7) address.

   This class was derived from [RFC4765].
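   Ahead of the class figure, an added example that is not code from
   the draft: a Python check that the content of an Address element
   parses as the kind its category attribute declares, using the
   categories enumerated for this class (default "ipv4-addr").  A team
   that turns received Address values into firewall or DNS blocklist
   entries should reject a mismatched entry rather than guess at it.
   The checks are syntactic only; "atm" is accepted without inspection,
   an "asn" is taken as a plain decimal number, and every sample value
   is constructed.

```python
"""Validate Address content against its category attribute.

Added example; not code from the draft.  Only syntax is checked, and the
sample (category, content) pairs below are constructed.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # coarse syntax only
URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:\S+$")  # scheme ":" rest


def _ipv4_net(text):
    """a.b.c.d/nn: require a slash followed by a numeric prefix length."""
    _, slash, prefix = text.partition("/")
    if not slash or not prefix.isdigit():
        raise ValueError("expected a.b.c.d/nn")
    ipaddress.IPv4Network(text, strict=False)


def _ipv4_net_mask(text):
    """a.b.c.d/w.x.y.z: IPv4Network accepts a dotted netmask after the slash."""
    _, slash, mask = text.partition("/")
    if not slash or mask.count(".") != 3:
        raise ValueError("expected a.b.c.d/w.x.y.z")
    ipaddress.IPv4Network(text, strict=False)


def _ipv6_net(text):
    _, slash, prefix = text.partition("/")
    if not slash or not prefix.isdigit():
        raise ValueError("expected addr/nn")
    ipaddress.IPv6Network(text, strict=False)


def _ipv6_net_mask(text):
    """addr/mask: the stdlib has no address-style IPv6 mask, so check each half."""
    host, slash, mask = text.partition("/")
    if not slash:
        raise ValueError("expected addr/mask")
    ipaddress.IPv6Address(host)
    ipaddress.IPv6Address(mask)


def _regex(pattern, what):
    def check(text):
        if not pattern.match(text):
            raise ValueError("expected " + what)
    return check


def _asn(text):
    if not 0 <= int(text) < 2 ** 32:
        raise ValueError("ASN outside the 32-bit range")


def _unchecked(text):
    """Category accepted without inspection in this example."""
    return None


CHECKS = {
    "asn": _asn,
    "atm": _unchecked,
    "e-mail": _regex(EMAIL_RE, "local-part@domain"),
    "ipv4-addr": ipaddress.IPv4Address,
    "ipv4-net": _ipv4_net,
    "ipv4-net-mask": _ipv4_net_mask,
    "ipv6-addr": ipaddress.IPv6Address,
    "ipv6-net": _ipv6_net,
    "ipv6-net-mask": _ipv6_net_mask,
    "mac": _regex(MAC_RE, "six hex octets separated by ':' or '-'"),
    "site-uri": _regex(URI_RE, "a URI with a scheme"),
}


def validate_address(category, content):
    """Return (ok, reason) for one Address element; a missing category means ipv4-addr."""
    check = CHECKS.get(category or "ipv4-addr")
    if check is None:
        return False, "category %r is not in the Address-category list" % (category,)
    try:
        check(content.strip())
    except ValueError as exc:
        return False, str(exc) or "malformed %s" % category
    return True, "ok"


# Constructed pairs as they would appear in Address elements; the last
# three are deliberately mismatched.
SAMPLE = [
    ("ipv4-addr", "192.0.2.10"),
    ("ipv4-net", "192.0.2.0/24"),
    ("ipv4-net-mask", "192.0.2.0/255.255.255.0"),
    ("ipv6-addr", "2001:db8::1"),
    ("ipv6-net", "2001:db8::/32"),
    ("mac", "00:00:5e:00:53:01"),
    ("asn", "64496"),
    ("e-mail", "abuse@example.com"),
    ("site-uri", "https://example.com/login"),
    ("ipv4-addr", "192.0.2.0/24"),             # a network labelled as a host
    ("ipv4-net", "192.0.2.0/255.255.255.0"),   # dotted mask under the wrong category
    ("site-uri", "example.com"),               # no scheme
]


def mismatches(pairs):
    """Return the (category, content, reason) triples that fail validation."""
    out = []
    for category, content in pairs:
        ok, reason = validate_address(category, content)
        if not ok:
            out.append((category, content, reason))
    return out


if __name__ == "__main__":
    for row in mismatches(SAMPLE):
        print("%-14s %-28s %s" % row)
```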
2563 +-------------------------+ 2564 | Address | 2565 +-------------------------+ 2566 | ENUM category | 2567 | STRING vlan-name | 2568 | INTEGER vlan-num | 2569 | ID observable-id | 2570 +-------------------------+ 2572 Figure 32: The Address Class 2574 The Address class has four attributes: 2576 category 2577 Optional. ENUM. The type of address represented. The permitted 2578 values for this attribute are shown below. The default value is 2579 "ipv4-addr". These values are maintained in the "Address- 2580 category" IANA registry per Table 1. 2582 1. asn. Autonomous System Number 2584 2. atm. Asynchronous Transfer Mode (ATM) address 2585 3. e-mail. Electronic mail address (RFC 822) 2587 4. ipv4-addr. IPv4 host address in dotted-decimal notation 2588 (a.b.c.d) 2590 5. ipv4-net. IPv4 network address in dotted-decimal notation, 2591 slash, significant bits (a.b.c.d/nn) 2593 6. ipv4-net-mask. IPv4 network address in dotted-decimal 2594 notation, slash, network mask in dotted-decimal notation 2595 (a.b.c.d/w.x.y.z) 2597 7. ipv6-addr. IPv6 host address 2599 8. ipv6-net. IPv6 network address, slash, significant bits 2601 9. ipv6-net-mask. IPv6 network address, slash, network mask 2603 10. mac. Media Access Control (MAC) address 2605 11. site-uri. A URL or URI for a resource. 2607 vlan-name 2608 Optional. STRING. The name of the Virtual LAN to which the 2609 address belongs. 2611 vlan-num 2612 Optional. STRING. The number of the Virtual LAN to which the 2613 address belongs. 2615 observable-id 2616 Optional. ID. See Section 3.3.2. 2618 3.20.2. NodeRole Class 2620 The NodeRole class describes the function performed by a particular . 2622 +---------------------+ 2623 | NodeRole | 2624 +---------------------+ 2625 | ENUM category | 2626 | ENUM lang | 2627 +---------------------+ 2629 Figure 33: The NodeRole Class 2631 The NodeRole class has two attributes: 2633 category 2634 Required. ENUM. Functionality provided by a node. 
These values 2635 are maintained in the "NodeRole-category" IANA registry per 2636 Table 1. 2638 1. client. Client computer 2640 2. client-enterprise. Client computer on the enterprise network 2642 3. client-partner. Client computer on network of a partner 2644 4. client-remote. Client computer remotely connected to the 2645 enterprise network 2647 5. client-kiosk. Client computer is serves as a kiosk 2649 6. client-mobile. Client is a mobile device 2651 7. server-internal. Server with internal services 2653 8. server-public. Server with public services 2655 9. www. WWW server 2657 10. mail. Mail server 2659 11. webmail. Web mail server 2661 12. messaging. Messaging server (e.g., NNTP, IRC, IM) 2663 13. streaming. Streaming-media server 2665 14. voice. Voice server (e.g., SIP, H.323) 2667 15. file. File server (e.g., SMB, CVS, AFS) 2669 16. ftp. FTP server 2671 17. p2p. Peer-to-peer node 2673 18. name. Name server (e.g., DNS, WINS) 2675 19. directory. Directory server (e.g., LDAP, finger, whois) 2677 20. credential. Credential server (e.g., domain controller, 2678 Kerberos) 2680 21. print. Print server 2681 22. application. Application server 2683 23. database. Database server 2685 24. backup. Backup server 2687 25. dhcp. DHCP server 2689 26. assessment. Assessment server (e.g., vulnerability scanner, 2690 end-point assessment) 2692 27. source-control. Source code control server 2694 28. config-management. Configuration management server 2696 29. monitoring. Security monitoring server (e.g., IDS) 2698 30. infra. Infrastructure server (e.g., router, firewall, DHCP) 2700 31. infra-firewall. Firewall 2702 32. infra-router. Router 2704 33. infra-switch. Switch 2706 34. camera. Camera and video system 2708 35. proxy. Proxy server 2710 36. remote-access. Remote access server 2712 37. log. Log server (e.g., syslog) 2714 38. virtualization. Server running virtual machines 2716 39. pos. Point-of-sale device 2718 40. scada. 
Supervisory control and data acquisition system 2720 41. scada-supervisory. Supervisory system for a SCADA 2722 42. sinkhole. Traffic sinkhole destination 2724 43. honeypot. Honeypot server 2726 44. anonymization. Anonymization server (e.g., Tor node) 2728 45. c2. Malicious command and control server 2729 46. malware-distribution. Server that distributes malware 2731 47. drop-server. Server to which exfiltrated content is 2732 uploaded. 2734 48. hop-point. Intermediary server used to get to a victim. 2736 49. reflector. A system used in a reflector attacker. 2738 50. phishing-site. Site hosting phishing content 2740 51. spear-phishing-site. Site hosting spear-phishing content 2742 52. recruiting-site. Site to recruit 2744 53. fraudulent-site. Fraudulent site. 2746 lang 2747 Optional. ENUM. A valid language code per [RFC5646] constrained 2748 by the definition of "xs:language". The interpretation of this 2749 code is described in Section 6. 2751 3.20.3. Counter Class 2753 The Counter class summarize multiple occurrences of some event, or 2754 conveys counts or rates on various features (e.g., packets, sessions, 2755 events). 2757 The value of the counter is the element content with its units 2758 represented in the type attribute. A rate for a given feature can be 2759 expressed by setting the duration attribute. The complete semantics 2760 are entirely context dependent based on the class in which the 2761 Counter is aggregated. 2763 +---------------------+ 2764 | Counter | 2765 +---------------------+ 2766 | REAL | 2767 | | 2768 | ENUM type | 2769 | STRING meaning | 2770 | ENUM duration | 2771 +---------------------+ 2773 Figure 34: The Counter Class 2775 The Counter class has three attribute: 2777 type 2778 Required. ENUM. Specifies the units of the element content. 2779 These values are maintained in the "Counter-type" IANA registry 2780 per Table 1. 2782 1. byte. Count of bytes. 2784 2. packet. Count of packets. 2786 3. flow. Count of network flow records. 
      4.  session.  Count of sessions.
      5.  alert.  Count of notifications generated by another system
          (e.g., IDS or SIM).
      6.  message.  Count of messages (e.g., mail messages).
      7.  event.  Count of events.
      8.  host.  Count of hosts.
      9.  site.  Count of sites.
      10. organization.  Count of organizations.

   meaning
      Optional.  STRING.  A free-form description of the metric
      represented by the Counter.

   duration
      Optional.  ENUM.  If present, the Counter class represents a rate
      rather than a count over the entire event.  In that case, this
      attribute specifies the denominator of the rate (where the type
      attribute specifies the numerator).  The possible values of this
      attribute are defined in Section 3.14.3.

3.21.  DomainData Class

   The DomainData class describes a domain name and meta-data
   associated with this domain.

   +--------------------------+
   | DomainData               |
   +--------------------------+
   | ENUM system-status       |<>----------[ Name ]
   | ENUM domain-status       |<>--{0..1}--[ DateDomainWasChecked ]
   | ENUM domain-status       |<>--{0..1}--[ RegistrationDate ]
   | ID observable-id         |<>--{0..1}--[ ExpirationDate ]
   |                          |<>--{0..*}--[ RelatedDNS ]
   |                          |<>--{0..*}--[ Nameservers ]
   |                          |<>--{0..1}--[ DomainContacts ]
   |                          |
   +--------------------------+

                Figure 35: The DomainData Class

   The aggregate classes that constitute DomainData are:

   Name
      One.  ML_STRING.  The domain name of the Node (e.g., fully
      qualified domain name).

   DateDomainWasChecked
      Zero or one.  DATETIME.  A timestamp of when the Name was
      resolved.

   RegistrationDate
      Zero or one.  DATETIME.  A timestamp of when the domain listed in
      Name was registered.

   ExpirationDate
      Zero or one.  DATETIME.  A timestamp of when the domain listed in
      Name is set to expire.

   RelatedDNS
      Zero or more.  Additional DNS records associated with this
      domain.
   Nameservers
      Zero or more.  The name servers identified for the domain listed
      in Name.

   DomainContacts
      Zero or one.  Contact information for the domain listed in Name
      supplied by the registrar or through a whois query.

   The DomainData class has four attributes:

   system-status
      Required.  ENUM.  Assesses the domain's involvement in the event.
      These values are maintained in the "DomainData-system-status"
      IANA registry per Table 1.

      1.  spoofed.  This domain was spoofed.
      2.  fraudulent.  This domain was operated with fraudulent
          intentions.
      3.  innocent-hacked.  This domain was compromised by a third
          party.
      4.  innocent-hijacked.  This domain was deliberately hijacked.
      5.  unknown.  No categorization for this domain known.

   domain-status
      Required.  ENUM.  Categorizes the registry status of the domain
      at the time the document was generated.  These values and their
      associated descriptions are derived from Section 3.2.2 of
      [RFC3982].  These values are maintained in the
      "DomainData-domain-status" IANA registry per Table 1.

      1.  reservedDelegation.  The domain is permanently inactive.
      2.  assignedAndActive.  The domain is in a normal state.
      3.  assignedAndInactive.  The domain has an assigned
          registration but the delegation is inactive.
      4.  assignedAndOnHold.  The domain is under dispute.
      5.  revoked.  The domain is in the process of being purged from
          the database.
      6.  transferPending.  The domain is pending a change in
          authority.
      7.  registryLock.  The domain is on hold by the registry.
      8.  registrarLock.  Same as "registryLock".
      9.  other.  The domain has a known status but it is not one of
          the predefined enumerated values.
      10. unknown.  The domain has an unknown status.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.21.1.  RelatedDNS

   The RelatedDNS class describes additional record types associated
   with a given domain name.  The record type is described in the
   record-type attribute and the value of the record is the element
   content.  ... TODO Issue #39 ...

   +----------------------+
   | RelatedDNS           |
   +----------------------+
   | STRING               |
   |                      |
   | ENUM record-type     |
   +----------------------+

             Figure 36: The RelatedDNS Class

   The RelatedDNS class has one attribute:

   record-type
      Required.  ENUM.  The DNS record type.  ... TODO values need to
      be listed ...

3.21.2.  Nameservers Class

   The Nameservers class describes the name servers associated with a
   given domain.

   +--------------------+
   | Nameservers        |
   +--------------------+
   |                    |<>----------[ Server ]
   |                    |<>--{1..*}--[ Address ]
   +--------------------+

            Figure 37: The Nameservers Class

   The aggregate classes that constitute Nameservers are:

   Server
      One.  ML_STRING.  The domain name of the name server.

   Address
      One or more.  The address of the name server.  See Section
      3.20.1.

3.21.3.  DomainContacts Class

   The DomainContacts class describes the contact information for a
   given domain provided either by the registrar or through a whois
   query.

   This contact information can be explicitly described through a
   Contact class, or a reference can be provided to a domain with
   identical contact information.  Either a single SameDomainContact
   MUST be present or one or many Contact classes.

   +--------------------+
   | DomainContacts     |
   +--------------------+
   |                    |<>--{0..1}--[ SameDomainContact ]
   |                    |<>--{1..*}--[ Contact ]
   +--------------------+

           Figure 38: The DomainContacts Class

   The aggregate classes that constitute DomainContacts are:

   SameDomainContact
      Zero or one.  ML_STRING.
      A domain name already cited in this document or through a
      previous exchange that contains the identical contact information
      as the domain name in question.  The domain contact information
      associated with this domain should be used in lieu of explicit
      definition with the Contact class.

   Contact
      One or more.  Contact information for the domain.  See Section
      3.10.

3.22.  Service Class

   The Service class describes a network service of a host or network.
   The service is identified by a specific port or list of ports,
   along with the application listening on that port.

   When Service occurs as an aggregate class of a System that is a
   source, then this service is the one from which activity of
   interest is originating.  Conversely, when Service occurs as an
   aggregate class of a System that is a target, then that service is
   the one to which activity of interest is directed.

   This class was derived from [RFC4765].

   +-------------------------+
   | Service                 |
   +-------------------------+
   | INTEGER ip-protocol     |<>--{0..1}--[ Port ]
   | ID observable-id        |<>--{0..1}--[ Portlist ]
   |                         |<>--{0..1}--[ ProtoCode ]
   |                         |<>--{0..1}--[ ProtoType ]
   |                         |<>--{0..1}--[ ProtoField ]
   |                         |<>--{0..*}--[ ApplicationHeader ]
   |                         |<>--{0..1}--[ EmailData ]
   |                         |<>--{0..1}--[ Application ]
   +-------------------------+

                Figure 39: The Service Class

   The aggregate classes that constitute Service are:

   Port
      Zero or one.  INTEGER.  A port number.

   Portlist
      Zero or one.  PORTLIST.  A list of port numbers formatted
      according to Section 2.10.

   ProtoCode
      Zero or one.  INTEGER.  A transport layer (layer 4)
      protocol-specific code field (e.g., ICMP code field).

   ProtoType
      Zero or one.  INTEGER.  A transport layer (layer 4)
      protocol-specific type field (e.g., ICMP type field).

   ProtoField
      Zero or one.  INTEGER.
      A transport layer (layer 4) protocol-specific flag field (e.g.,
      TCP flag field).

   ApplicationHeader
      Zero or more.  An application layer (layer 7) protocol header.
      See Section 3.22.1.

   EmailData
      Zero or one.  Headers associated with an email.  See Section
      3.24.

   Application
      Zero or one.  The application bound to the specified Port or
      Portlist.  See Section 3.22.2.

   Either a Port or Portlist class MUST be specified for a given
   instance of a Service class.

   When a System class with category="source" and another with
   category="target" are aggregated into a single Flow class, and each
   of these System classes has a Service and Portlist class, an
   implicit relationship between these Portlists exists.  If N ports
   are listed for the System@category="source", and M ports are listed
   for the System@category="target", then N must be equal to M.
   Likewise, the ports MUST be listed in an identical sequence such
   that the n-th port in the source corresponds to the n-th port of
   the target.  If N is greater than 1, a given instance of a Flow
   class MUST only have a single instance of a System@category="source"
   and System@category="target".

   The Service class has two attributes:

   ip-protocol
      Required.  INTEGER.  The IANA assigned IP protocol number per
      [IANA.Protocols].

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.22.1.  ApplicationHeader Class

   The ApplicationHeader class allows the representation of arbitrary
   fields from an application layer protocol header and their
   corresponding values.
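   The Portlist pairing rule of the Service class above, worked as an
   added example that is not part of this draft: it expands each
   System's Portlist, checks that the source and target lists have the
   same length, and returns the n-th-to-n-th port pairs.  Assumed here:
   the IODEF v2 namespace URI, the PORTLIST syntax (comma-separated port
   numbers and dash-separated ranges, taken to be the Section 2.10
   format), and the constructed Flow fragment.

```python
import re
import xml.etree.ElementTree as ET

# Namespace assumed for IODEF v2 documents (not stated on this page).
NS = {"iodef": "urn:ietf:params:xml:ns:iodef-2.0"}

# Constructed sample Flow: one source and one target System, each with a
# Service carrying a Portlist.  Addresses are documentation addresses.
SAMPLE_FLOW = """<Flow xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <System category="source">
    <Node><Address category="ipv4-addr">192.0.2.10</Address></Node>
    <Service ip-protocol="6"><Portlist>1024-1026,2000</Portlist></Service>
  </System>
  <System category="target">
    <Node><Address category="ipv4-addr">192.0.2.20</Address></Node>
    <Service ip-protocol="6"><Portlist>22,80,443,8080</Portlist></Service>
  </System>
</Flow>"""


def parse_portlist(text):
    """Expand a PORTLIST such as "22,80,1024-1026" into an ordered list of
    ints.  Format assumed from IODEF Section 2.10: comma-separated port
    numbers and dash-separated inclusive ranges.  Order is preserved
    because the n-th entry is meaningful."""
    ports = []
    for item in text.replace(" ", "").split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"malformed PORTLIST item: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of bounds: {item!r}")
        ports.extend(range(lo, hi + 1))
    return ports


def service_ports(system):
    """Ports named by a System's Service, or None if it has no Service.
    Enforces that exactly one of Port or Portlist is present."""
    svc = system.find("iodef:Service", NS)
    if svc is None:
        return None
    port = svc.find("iodef:Port", NS)
    plist = svc.find("iodef:Portlist", NS)
    if (port is None) == (plist is None):
        raise ValueError("Service MUST carry exactly one of Port or Portlist")
    return [int(port.text)] if port is not None else parse_portlist(plist.text)


def flow_port_pairs(flow):
    """Return the (source_port, target_port) pairs implied by a Flow.

    Rules from Section 3.22: the source and target lists must be the same
    length, the n-th source port corresponds to the n-th target port, and
    when more than one port is listed the Flow may have only a single
    source and a single target System."""
    sources = flow.findall("iodef:System[@category='source']", NS)
    targets = flow.findall("iodef:System[@category='target']", NS)
    if not sources or not targets:
        raise ValueError("Flow needs both a source and a target System")
    src = service_ports(sources[0])
    dst = service_ports(targets[0])
    if src is None or dst is None:
        return []  # no Service on one side: no implicit port relationship
    if len(src) != len(dst):
        raise ValueError(f"source lists {len(src)} ports, target lists {len(dst)}")
    if len(src) > 1 and (len(sources) > 1 or len(targets) > 1):
        raise ValueError("multi-port Portlist allows only one source and one target")
    return list(zip(src, dst))


def pairs_from_xml(text):
    """Parse an XML Flow fragment and pair its ports."""
    return flow_port_pairs(ET.fromstring(text))


if __name__ == "__main__":
    for s, t in pairs_from_xml(SAMPLE_FLOW):
        print(f"source port {s} -> target port {t}")
```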
   +--------------------------+
   | ApplicationHeader        |
   +--------------------------+
   | ANY                      |
   |                          |
   | INTEGER proto            |
   | STRING field             |
   | ENUM dtype               |
   | ID observable-id         |
   +--------------------------+

            Figure 40: The ApplicationHeader Class

   The ApplicationHeader class has four attributes:

   proto
      Required.  INTEGER.  The IANA assigned port number per
      [IANA.Ports] corresponding to the application layer protocol
      whose field will be represented.

   field
      Required.  STRING.  The name of the protocol field whose value
      will be found in the element body.

   dtype
      Required.  ENUM.  The data type of the element content.  The
      permitted values for this attribute are shown below.  The default
      value is "string".

      1.  boolean.  The element content is of type BOOLEAN.
      2.  byte.  The element content is of type BYTE.
      3.  bytes.  The element content is of type HEXBIN.
      4.  character.  The element content is of type CHARACTER.
      5.  date-time.  The element content is of type DATETIME.
      6.  integer.  The element content is of type INTEGER.
      7.  portlist.  The element content is of type PORTLIST.
      8.  real.  The element content is of type REAL.
      9.  string.  The element content is of type STRING.
      10. file.  The element content is a base64 encoded binary file
          encoded as a BYTE[] type.
      11. path.  The element content is a file-system path encoded as
          a STRING type.
      12. xml.  The element content is XML.  See Section 5.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.22.2.  Application Class

   The Application class describes an application running on a System
   providing a Service.
   +--------------------+
   | Application        |
   +--------------------+
   | STRING swid        |<>--{0..1}--[ URL ]
   | STRING configid    |
   | STRING vendor      |
   | STRING family      |
   | STRING name        |
   | STRING version     |
   | STRING patch       |
   +--------------------+

             Figure 41: The Application Class

   The aggregate class that constitutes Application is:

   URL
      Zero or one.  URL.  A URL describing the application.

   The Application class has seven attributes:

   swid
      Optional.  STRING.  An identifier that can be used to reference
      this software, where the default value is "0".

   configid
      Optional.  STRING.  An identifier that can be used to reference
      a particular configuration of this software, where the default
      value is "0".

   vendor
      Optional.  STRING.  Vendor name of the software.

   family
      Optional.  STRING.  Family of the software.

   name
      Optional.  STRING.  Name of the software.

   version
      Optional.  STRING.  Version of the software.

   patch
      Optional.  STRING.  Patch or service pack level of the software.

3.23.  OperatingSystem Class

   The OperatingSystem class describes the operating system running on
   a System.  The definition is identical to the Application class
   (Section 3.22.2).

3.24.  EmailData Class

   The EmailData class describes headers from an email message.  Common
   headers have dedicated classes, but arbitrary headers can also be
   described.

   +-------------------------+
   | EmailData               |
   +-------------------------+
   | ID observable-id        |<>--{0..1}--[ EmailFrom ]
   |                         |<>--{0..1}--[ EmailSubject ]
   |                         |<>--{0..1}--[ EmailX-Mailer ]
   |                         |<>--{0..*}--[ EmailHeaderField ]
   |                         |<>--{0..*}--[ HashData ]
   |                         |<>--{0..*}--[ SignatureData ]
   +-------------------------+

               Figure 42: EmailData Class

   The aggregate classes that constitute EmailData are:

   EmailFrom
      Zero or one.
      The value of the "From:" header field in an email.  See Section
      3.6.2 of [RFC5322].

   EmailSubject
      Zero or one.  The value of the "Subject:" header field in an
      email.  See Section 3.6.4 of [RFC5322].

   EmailX-Mailer
      Zero or one.  The value of the "X-Mailer:" header field in an
      email.

   EmailHeaderField
      Zero or one.  The value of an arbitrary header field in the
      email.  See Section 3.22.1.  The attributes of EmailHeaderField
      MUST be set as follows: proto="25" and dtype="string".  The name
      of the email header field MUST be set in the field attribute.

   HashData
      Zero or One.  Hash(es) associated with this email.

   SignatureData
      Zero or One.  Signature(s) associated with this email.

   The EmailData class has one attribute:

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.25.  Record Class

   The Record class is a container class for log and audit data that
   provides supportive information about the incident.  The source of
   this data will often be the output of monitoring tools.  These logs
   substantiate the activity described in the document.

   +------------------+
   | Record           |
   +------------------+
   | ENUM restriction |<>--{1..*}--[ RecordData ]
   +------------------+

               Figure 43: Record Class

   The aggregate class that constitutes Record is:

   RecordData
      One or more.  Log or audit data generated by a particular type
      of sensor.  Separate instances of the RecordData class SHOULD be
      used for each sensor type.

   The Record class has one attribute:

   restriction
      Optional.  ENUM.  This attribute has been defined in Section 3.2.

3.25.1.  RecordData Class

   The RecordData class groups log or audit data from a given sensor
   (e.g., IDS, firewall log) and provides a way to annotate the output.
   +-------------------+
   | RecordData        |
   +-------------------+
   | ENUM restriction  |<>--{0..1}--[ DateTime ]
   | ID observable-id  |<>--{0..*}--[ Description ]
   |                   |<>--{0..1}--[ Application ]
   |                   |<>--{0..*}--[ RecordPattern ]
   |                   |<>--{0..*}--[ RecordItem ]
   |                   |<>--{0..*}--[ FileData ]
   |                   |<>--{0..*}--[ CertificateData ]
   |                   |<>--{0..*}--[ WindowsRegistryKeysModified ]
   |                   |<>--{0..*}--[ AdditionalData ]
   +-------------------+

              Figure 44: The RecordData Class

   The aggregate classes that constitute RecordData are:

   DateTime
      Zero or one.  Timestamp of the RecordItem data.

   Description
      Zero or more.  ML_STRING.  Free-form textual description of the
      provided RecordItem data.  At minimum, this description should
      convey the significance of the provided RecordItem data.

   Application
      Zero or one.  Information about the sensor used to generate the
      RecordItem data.

   RecordPattern
      Zero or more.  A search string to precisely find the relevant
      data in a RecordItem.

   RecordItem
      Zero or more.  Log, audit, or forensic data.

   FileData
      Zero or one.  The file name and hash of a file indicator.

   WindowsRegistryKeysModified
      Zero or more.  The registry keys that were modified that are
      indicator(s).

   AdditionalData
      Zero or more.  An extension mechanism for data not explicitly
      represented in the data model.

   The RecordData class has two attributes:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.25.2.  RecordPattern Class

   The RecordPattern class describes where in the content of the
   RecordItem relevant information can be found.  It provides a way to
   reference subsets of information, identified by a pattern, in a
   large log file, audit trail, or forensic data.
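   As an added example that is not part of this draft, the following
   applies a RecordPattern to RecordItem content using the type,
   offset, offsetunit and instance attributes defined in this section.
   Assumptions: Python's re module stands in for a POSIX ERE engine
   (it accepts the ERE patterns shown but is not one), the instance
   attribute is read as the number of matches to report, and the log
   lines are constructed.

```python
import re

# Constructed sample RecordItem content: a few syslog-style lines, not
# real data.  Addresses are documentation addresses.
SAMPLE_RECORD_ITEM = (
    "Mar 14 09:12:01 gw sshd[4412]: Accepted publickey for admin from 192.0.2.10 port 51022\n"
    "Mar 14 09:12:07 gw sshd[4419]: Failed password for root from 198.51.100.7 port 40112\n"
    "Mar 14 09:12:09 gw sshd[4420]: Failed password for root from 198.51.100.7 port 40112\n"
    "Mar 14 09:12:15 gw sshd[4421]: Failed password for admin from 198.51.100.7 port 40130\n"
)


def apply_record_pattern(record_item, pattern, ptype="regex",
                         offset=0, offsetunit="line", instance=None):
    """Locate `pattern` in RecordItem content using RecordPattern semantics.

    ptype      -- "regex" (element content is a regular expression) or
                  "binary" (element content is HEXBIN-encoded bytes);
                  "xpath" would need an XML RecordItem and is rejected.
    offset     -- number of `offsetunit` units to skip before matching.
    offsetunit -- "line" or "byte".
    instance   -- cap on the number of matches reported (this example's
                  reading of the attribute).

    Returns [(position, matched_text), ...] where position is a 0-based
    line index for offsetunit="line" or a byte offset for "byte", always
    relative to the start of the whole RecordItem, so a result can be
    cited back as a new (offset, offsetunit) pair.
    """
    data = record_item.encode("utf-8")
    if offsetunit == "line":
        lines = data.split(b"\n")
        if offset < 0 or offset > len(lines):
            raise ValueError("line offset seeks past the end of the RecordItem")
        start = sum(len(line) + 1 for line in lines[:offset])
    elif offsetunit == "byte":
        start = offset
    else:
        raise ValueError(f"unknown offsetunit {offsetunit!r}")
    if start < 0 or start > len(data):
        raise ValueError("offset seeks past the end of the RecordItem")
    haystack = data[start:]

    if ptype == "regex":
        compiled = re.compile(pattern.encode("utf-8"))
        matches = [(m.start(), m.group(0)) for m in compiled.finditer(haystack)]
    elif ptype == "binary":
        needle = bytes.fromhex(pattern)
        if not needle:
            raise ValueError("empty binary pattern")
        matches, pos = [], haystack.find(needle)
        while pos != -1:
            matches.append((pos, needle))
            pos = haystack.find(needle, pos + 1)
    elif ptype == "xpath":
        raise ValueError("xpath patterns apply to XML RecordItems; not handled here")
    else:
        raise ValueError(f"unknown RecordPattern type {ptype!r}")

    results = []
    for pos, text in matches:
        abs_byte = start + pos
        # Translate the match back into the caller's offset unit.
        position = data.count(b"\n", 0, abs_byte) if offsetunit == "line" else abs_byte
        results.append((position, text.decode("utf-8", "replace")))
    if instance is not None:
        results = results[:instance]
    return results


if __name__ == "__main__":
    # Skip the first line, then report every failed login with its line index.
    for line_no, hit in apply_record_pattern(
            SAMPLE_RECORD_ITEM, r"Failed password for \w+ from [0-9.]+", offset=1):
        print(line_no, hit)
```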
   +-----------------------+
   | RecordPattern         |
   +-----------------------+
   | STRING                |
   |                       |
   | ENUM type             |
   | INTEGER offset        |
   | ENUM offsetunit       |
   | INTEGER instance      |
   +-----------------------+

             Figure 45: The RecordPattern Class

   The specific pattern to search with in the RecordItem is defined in
   the body of the element.  It is further annotated by four
   attributes:

   type
      Required.  ENUM.  Describes the type of pattern being specified
      in the element content.  The default is "regex".  These values
      are maintained in the "RecordPattern-type" IANA registry per
      Table 1.

      1.  regex.  Regular expression as defined by POSIX Extended
          Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX].
      2.  binary.  Binhex encoded binary pattern, per the HEXBIN data
          type.
      3.  xpath.  XML Path (XPath) [W3C.XPATH].

   offset
      Optional.  INTEGER.  Amount of units (determined by the
      offsetunit attribute) to seek into the RecordItem data before
      matching the pattern.

   offsetunit
      Optional.  ENUM.  Describes the units of the offset attribute.
      The default is "line".  These values are maintained in the
      "RecordPattern-offsetunit" IANA registry per Table 1.

      1.  line.  Offset is a count of lines.
      2.  byte.  Offset is a count of bytes.

   instance
      Optional.  INTEGER.  Number of times to apply the specified
      pattern.

3.25.3.  RecordItem Class

   The RecordItem class provides a way to incorporate relevant logs,
   audit trails, or forensic data to support the conclusions made
   during the course of analyzing the incident.  The class supports
   the direct encapsulation of the data, as well as providing
   primitives to reference data stored elsewhere.

   This class is identical to the AdditionalData class (Section 3.9).

3.26.  WindowsRegistryKeysModified Class

   The WindowsRegistryKeysModified class describes Windows operating
   system registry keys and the operations that were performed on
   them.  This class was derived from [RFC5901].

   +-----------------------------+
   | WindowsRegistryKeysModified |
   +-----------------------------+
   | ID observable-id            |<>--{1..*}--[ Key ]
   +-----------------------------+

        Figure 46: The WindowsRegistryKeysModified Class

   The aggregate class that constitutes the WindowsRegistryKeysModified
   class is:

   Key
      One or many.  The Windows registry key.

   The WindowsRegistryKeysModified class has one attribute:

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.26.1.  Key Class

   The Key class describes a particular Windows operating system
   registry key name and value pair, and the operation performed on
   it.

   +---------------------------+
   | Key                       |
   +---------------------------+
   | ENUM registryaction       |<>----------[ KeyName ]
   | ID observable-id          |<>--{0..1}--[ KeyValue ]
   +---------------------------+

                 Figure 47: The Key Class

   The aggregate classes that constitute Key are:

   KeyName
      One.  STRING.  The name of the Windows operating system registry
      key (e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName]).

   KeyValue
      Zero or one.  STRING.  The value of the associated registry key
      encoded as in Microsoft .reg files [KB310516].

   The Key class has two attributes:

   registryaction
      Optional.  ENUM.  The type of action taken on the registry key.
      These values are maintained in the "Key-registryaction" IANA
      registry per Table 1.

      1.  add-key.  Registry key added.
      2.  add-value.  Value added to registry key.
      3.  delete-key.  Registry key deleted.
      4.  delete-value.  Value deleted from registry key.
      5.  modify-key.  Registry key modified.
      6.  modify-value.  Value modified for registry key.
   observable-id
      Optional.  ID.  See Section 3.3.2.

3.27.  CertificateData Class

   The CertificateData class describes X.509 certificates.

   +----------------------+
   | CertificateData      |
   +----------------------+
   | ID observable-id     |<>--{1..*}--[ Certificate ]
   | ENUM restriction     |
   +----------------------+

            Figure 48: The CertificateData Class

   The aggregate class that constitutes CertificateData is:

   Certificate
      One or more.  A certificate.

   The CertificateData class has two attributes:

   observable-id
      Optional.  ID.  See Section 3.3.2.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.27.1.  Certificate Class

   The Certificate class describes a given X.509 certificate or
   certificate chain.

   +--------------------------+
   | Certificate              |
   +--------------------------+
   | ENUM valid               |<>----------[ ds:X509Data ]
   | ID observable-id         |
   +--------------------------+

              Figure 49: The Certificate Class

   The aggregate class that constitutes Certificate is:

   ds:X509Data
      One.  A given X.509 certificate or chain.  See Section 4.4.4 of
      [W3C.XMLSIG].

   The Certificate class has one attribute:

   valid
      Optional.  Indicates whether a given certificate has a valid
      signature.  An invalid signature may be due to an invalid
      certificate chain, a signature not decoding properly, or
      certificate contents not matching the hash.

      1.  yes.  The certificate is valid.
      2.  no.  The certificate is not valid.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.28.  FileData Class

   The FileData class describes files of interest identified during
   the analysis of an incident.
   +----------------------+
   | FileData             |
   +----------------------+
   | ID observable-id     |<>--{1..*}--[ File ]
   | ENUM restriction     |
   +----------------------+

               Figure 50: The FileData Class

   The aggregate class that constitutes FileData is:

   File
      One or more.  A description of a file.

   The FileData class has two attributes:

   observable-id
      Optional.  ID.  See Section 3.3.2.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.28.1.  File Class

   The File class describes a file and its associated meta data.

   +--------------------------+
   | File                     |
   +--------------------------+
   | ID observable-id         |<>--{0..1}--[ FileName ]
   |                          |<>--{0..1}--[ FileSize ]
   |                          |<>--{0..*}--[ URL ]
   |                          |<>--{0..1}--[ HashData ]
   |                          |<>--{0..1}--[ SignatureData ]
   |                          |<>--{0..*}--[ FileProperties ]
   +--------------------------+

                 Figure 51: The File Class

   The aggregate classes that constitute File are:

   FileName
      Zero or One.  ML_STRING.  The name of the file.

   FileSize
      Zero or One.  INTEGER.  The size of the file in bytes.

   URL
      Zero or more.  A reference to the file.

   HashData
      Zero or One.  Hash(es) associated with this file.

   SignatureData
      Zero or One.  Signature(s) associated with this file.

   FileProperties
      Zero or more.  Mechanism by which to extend the data model to
      describe properties of the file.  See Section 3.9.

   The File class has one attribute:

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.29.  HashData Class

   The HashData class describes different types of hashes on a given
   object (e.g., file, part of a file, email).
   +--------------------------+
   | HashData                 |
   +--------------------------+
   | ENUM scope               |<>--{0..1}--[ HashTarget ]
   |                          |<>--{0..*}--[ Hash ]
   |                          |<>--{0..*}--[ FuzzyHash ]
   +--------------------------+

               Figure 52: The HashData Class

   The aggregate classes that constitute HashData are:

   HashTarget
      Zero or One.  An identifier that references a subset of the
      object per the @scope attribute.

   Hash
      Zero or more.  The hash generated on the object.

   FuzzyHash
      Zero or more.  The fuzzy hash of the object.

   A single instance of Hash or FuzzyHash MUST be present.

   The HashData class has one attribute:

   scope
      Required.  ENUM.  Describes the scope of the hash on a type of
      object.  These values are maintained in the "HashData-scope" IANA
      registry per Table 1.

      1.  file-contents.  A hash computed over the entire contents of
          a file.
      2.  file-pe-section.  A hash computed on a given section of a
          Windows Portable Executable (PE) file.  If set to this
          value, the HashTargetId class MUST identify the section
          being hashed.  This section is identified by an ordinal
          number (starting at 1) corresponding to the order in which
          the given section header was defined in the Section Table of
          the PE file header.
      3.  file-pe-iat.  A hash computed on the Import Address Table
          (IAT) of a PE file.  As IAT hashes are often tool dependent,
          if this value is set, the HashTargetId class MUST specify
          the tool used to generate the hash.
      4.  file-pe-resource.  A hash computed on a given resource in a
          PE file.  If set to this value, the HashTargetId class MUST
          identify the resource being hashed.  This resource is
          identified by an ordinal number (starting at 1)
          corresponding to the order in which the given resource is
          declared in the Resource Directory of the Data Dictionary in
          the PE file header.
      5.  file-pdf-object.
          A hash computed on a given object in a Portable Document
          Format (PDF) file.  If set to this value, the HashTargetId
          class MUST identify the object being hashed.  This object is
          identified by its offset in the PDF file.
      6.  email-hash.  A hash computed over the headers and body of an
          email message.
      7.  email-headers-hash.  A hash computed over all of the headers
          of an email message.
      8.  email-body-hash.  A hash computed over the body of an email
          message.

3.29.1.  Hash Class

   The Hash class describes a specific hash value, algorithm, and the
   application used to generate it.

   +-----------------------+
   | Hash                  |
   +-----------------------+
   |                       |<>----------[ ds:DigestMethod ]
   |                       |<>----------[ ds:DigestValue ]
   |                       |<>--{0..1}--[ Application ]
   +-----------------------+

                 Figure 53: The Hash Class

   The aggregate classes that constitute Hash are:

   ds:DigestMethod
      One.  The hash algorithm used to generate the hash.  See Section
      4.3.3.5 of [W3C.XMLSIG].

   ds:DigestValue
      One.  The computed hash value.  See Section 4.3.3.6 of
      [W3C.XMLSIG].

   Application
      Zero or One.  The application used to calculate the hash.

   The Hash class has no attributes.

3.29.2.  FuzzyHash Class

   The FuzzyHash class describes a fuzzy hash (in an extensible way)
   and the application used to generate it.

   +--------------------------+
   | FuzzyHash                |
   +--------------------------+
   |                          |<>--{0..*}--[ AdditionalData ]
   |                          |<>--{0..1}--[ Application ]
   +--------------------------+

              Figure 54: The FuzzyHash Class

   The aggregate classes that constitute FuzzyHash are:

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.  See
      Section 3.9.

   Application
      Zero or One.  The application used to calculate the hash.

   The FuzzyHash class has no attributes.

3.30.  SignatureData Class

   The SignatureData class describes different signatures on a given
   object.

   +--------------------------+
   | SignatureData            |
   +--------------------------+
   |                          |<>--{1..*}--[ ds:Signature ]
   +--------------------------+

             Figure 55: The SignatureData Class

   The aggregate class that constitutes SignatureData is:

   Signature
      One or more.  A given signature.  See Section 4.2 of
      [W3C.XMLSIG].

   The SignatureData class has no attributes.

3.31.  IndicatorData Class

   The IndicatorData class describes the indicators identified from
   analysis of an incident.

   +--------------------------+
   | IndicatorData            |
   +--------------------------+
   |                          |<>--{1..*}--[ Indicator ]
   +--------------------------+

             Figure 56: The IndicatorData Class

   The aggregate class that constitutes IndicatorData is:

   Indicator
      One or more.  An indicator from the incident.

   The IndicatorData class has no attributes.

3.32.  Indicator Class

   The Indicator class describes a cyber indicator.  An indicator
   consists of observable features and phenomena that aid in the
   forensic or proactive detection of malicious activity, and
   associated meta-data.  This indicator can be described outright or
   reference observable features and phenomena described elsewhere in
   the incident information.  Portions of an incident description can
   be composed to define an indicator, as can the indicators
   themselves.
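   The email scopes of HashData (email-hash, email-headers-hash,
   email-body-hash in Section 3.29) and the ds:DigestMethod and
   ds:DigestValue children of Hash (Section 3.29.1) are only named
   above; the following added example, which is not part of this
   draft, computes all three digests over a constructed message, emits
   them as HashData under EmailData, and re-checks a received HashData
   against a message.  Assumed here: the IODEF v2 and XML Signature
   namespace URIs, the SHA-256 DigestMethod URI, and the header/body
   split at the first empty line.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespace and algorithm URIs assumed for this example (not on this page).
IODEF = "urn:ietf:params:xml:ns:iodef-2.0"
DS = "http://www.w3.org/2000/09/xmldsig#"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample message with CRLF line endings, as received on the wire.
SAMPLE_EMAIL = (
    b"From: billing@example.com\r\n"
    b"To: victim@example.org\r\n"
    b"Subject: Invoice 4471 overdue\r\n"
    b"X-Mailer: MassMailer 3.1\r\n"
    b"\r\n"
    b"Please open the attached invoice.\r\n"
)


def split_message(raw):
    """Split an RFC 5322 message at the first empty line into
    (header_section, body).  The header section keeps its final line
    ending but not the empty separator line; the draft does not pin
    down the exact byte ranges, so this split is an assumption."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = raw.find(sep)
        if idx != -1:
            half = len(sep) // 2
            return raw[:idx + half], raw[idx + len(sep):]
    return raw, b""  # header section only, no body


def scoped_bytes(scope, raw):
    """The bytes a HashData of the given email scope is computed over."""
    headers, body = split_message(raw)
    try:
        return {"email-hash": raw,
                "email-headers-hash": headers,
                "email-body-hash": body}[scope]
    except KeyError:
        raise ValueError(f"{scope!r} is not an email HashData scope") from None


def hashdata_element(scope, raw, app_name=None):
    """Build <HashData scope=...><Hash><ds:DigestMethod/><ds:DigestValue/>
    [<Application/>]</Hash></HashData> for one email scope."""
    digest = hashlib.sha256(scoped_bytes(scope, raw)).digest()
    hd = ET.Element(f"{{{IODEF}}}HashData", {"scope": scope})
    h = ET.SubElement(hd, f"{{{IODEF}}}Hash")
    ET.SubElement(h, f"{{{DS}}}DigestMethod", {"Algorithm": SHA256_URI})
    ET.SubElement(h, f"{{{DS}}}DigestValue").text = base64.b64encode(digest).decode("ascii")
    if app_name:
        ET.SubElement(h, f"{{{IODEF}}}Application", {"name": app_name})
    return hd


def emaildata_with_hashes(raw):
    """EmailData carrying one HashData per email scope (the EmailFrom,
    EmailSubject and EmailX-Mailer children are omitted here)."""
    ed = ET.Element(f"{{{IODEF}}}EmailData")
    for scope in ("email-hash", "email-headers-hash", "email-body-hash"):
        ed.append(hashdata_element(scope, raw, app_name="hashlib"))
    return ed


def verify_hashdata(hashdata, raw):
    """Recompute every Hash in a received HashData over `raw` and report
    whether all of them match.  Only SHA-256 DigestMethods are handled."""
    target = scoped_bytes(hashdata.get("scope"), raw)
    expected = base64.b64encode(hashlib.sha256(target).digest()).decode("ascii")
    hashes = hashdata.findall(f"{{{IODEF}}}Hash")
    if not hashes:
        raise ValueError("HashData MUST carry a Hash or FuzzyHash")
    for h in hashes:
        if h.find(f"{{{DS}}}DigestMethod").get("Algorithm") != SHA256_URI:
            raise ValueError("unsupported DigestMethod in this example")
        if h.find(f"{{{DS}}}DigestValue").text.strip() != expected:
            return False
    return True


if __name__ == "__main__":
    ET.register_namespace("iodef", IODEF)
    ET.register_namespace("ds", DS)
    print(ET.tostring(emaildata_with_hashes(SAMPLE_EMAIL), encoding="unicode"))
```

   Checking a received HashData against a captured message shows how
   the scopes differ: a changed Subject header invalidates email-hash
   and email-headers-hash but leaves email-body-hash matching.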
   +--------------------+
   | Indicator          |
   +--------------------+
   | ENUM restriction   |<>----------[ IndicatorID ]
   |                    |<>--{0..1}--[ AlternativeIndicatorID ]
   |                    |<>--{0..*}--[ Description ]
   |                    |<>--{0..1}--[ StartTime ]
   |                    |<>--{0..1}--[ EndTime ]
   |                    |<>--{0..1}--[ Confidence ]
   |                    |<>--{0..*}--[ Contact ]
   |                    |<>--{0..1}--[ Observable ]
   |                    |<>--{0..1}--[ ObservableReference ]
   |                    |<>--{0..1}--[ IndicatorExpression ]
   |                    |<>--{0..1}--[ IndicatorReference ]
   |                    |<>--{0..*}--[ AdditionalData ]
   +--------------------+

               Figure 57: The Indicator Class

   The aggregate classes that constitute Indicator are:

   IndicatorID
      One.  An identifier for this indicator.  See Section 3.32.1.

   AlternativeIndicatorID
      Zero or one.  An alternative identifier for this indicator.  See
      Section 3.32.2.

   Description
      Zero or more.  ML_STRING.  A free-form textual description of
      the indicator.

   StartTime
      Zero or one.  DATETIME.  A timestamp of the start of the time
      period during which this indicator is valid.

   EndTime
      Zero or one.  DATETIME.  A timestamp of the end of the time
      period during which this indicator is valid.

   Confidence
      Zero or one.  An estimate of the confidence in the quality of
      the indicator.  See Section 3.14.5.

   Contact
      Zero or more.  Contact information for this indicator.  See
      Section 3.10.

   Observable
      Zero or one.  An observable feature or phenomenon of this
      indicator.  See Section 3.32.3.

   ObservableReference
      Zero or one.  A reference to a feature or phenomenon defined
      elsewhere in the document.  See Section 3.32.5.

   IndicatorExpression
      Zero or one.  A composition of observables.  See Section 3.32.4.

   IndicatorReference
      Zero or one.  A reference to an indicator.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.
      See Section 3.9.

   The Indicator class MUST have exactly one instance of an Observable,
   IndicatorExpression, ObservableReference, or IndicatorReference
   class.

   The StartTime and EndTime classes can be used to define an interval
   during which the indicator is valid.  If both classes are present,
   the indicator is considered valid only during the described
   interval.  If neither class is provided, the indicator is
   considered valid during any time interval.  If only a StartTime is
   provided, the indicator is valid any time after this timestamp.  If
   only an EndTime is provided, the indicator is valid any time prior
   to this timestamp.

   The Indicator class has one attribute:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.32.1.  IndicatorID Class

   The IndicatorID class identifies an indicator with a globally
   unique identifier.  The combination of the name and version
   attributes, and the element content form this identifier.
   Indicators generated by a given CSIRT MUST NOT reuse the same value
   unless they are referencing the same indicator.

   +------------------+
   | IndicatorID      |
   +------------------+
   | ID               |
   |                  |
   | STRING name      |
   | STRING version   |
   +------------------+

             Figure 58: The IndicatorID Class

   The IndicatorID class has two attributes:

   name
      Required.  STRING.  An identifier describing the CSIRT that
      created the indicator.  In order to have a globally unique CSIRT
      name, the fully qualified domain name associated with the CSIRT
      MUST be used.  This format is identical to the IncidentID@name
      attribute in Section 3.4.

   version
      Required.  STRING.  A version number of an indicator.

3.32.2.  AlternativeIndicatorID Class

   The AlternativeIndicatorID class lists alternative identifiers for
   an indicator.
   +-------------------------+
   | AlternativeIndicatorID  |
   +-------------------------+
   | ENUM restriction        |<>--{1..*}--[ IndicatorReference ]
   |                         |
   +-------------------------+

            Figure 59: The AlternativeIndicatorID Class

   The aggregate class that constitutes AlternativeIndicatorID is:

   IndicatorReference
      One or more.  A reference to an indicator.

   The AlternativeIndicatorID class has one attribute:

   restriction
      Optional.  ENUM.  This attribute has been defined in Section 3.2.

3.32.3.  Observable Class

   The Observable class describes a feature or phenomenon that can be
   observed or measured for the purposes of detecting malicious
   behavior.

   +-------------------+
   |    Observable     |
   +-------------------+
   |                   |<>--{0..1}--[ Address ]
   |                   |<>--{0..1}--[ DomainData ]
   |                   |<>--{0..1}--[ Service ]
   |                   |<>--{0..1}--[ EmailData ]
   |                   |<>--{0..1}--[ ApplicationHeader ]
   |                   |<>--{0..1}--[ WindowsRegistryKeysModified ]
   |                   |<>--{0..1}--[ FileData ]
   |                   |<>--{0..1}--[ CertificateData ]
   |                   |<>--{0..1}--[ RecordData ]
   |                   |<>--{0..1}--[ EventData ]
   |                   |<>--{0..1}--[ Incident ]
   |                   |<>--{0..*}--[ Expectation ]
   |                   |<>--{0..*}--[ enum:Reference ]
   |                   |<>--{0..1}--[ Assessment ]
   |                   |<>--{0..1}--[ HistoryItem ]
   |                   |<>--{0..*}--[ AdditionalData ]
   +-------------------+

                  Figure 60: The Observable Class

   The aggregate classes that constitute Observable are:

   Address
      Zero or one.  An Address observable.  See Section 3.20.1.

   DomainData
      Zero or one.  A DomainData observable.  See Section 3.21.

   Service
      Zero or one.  A Service observable.  See Section 3.22.

   EmailData
      Zero or one.  An EmailData observable.  See Section 3.24.

   ApplicationHeader
      Zero or one.  An ApplicationHeader observable.  See
      Section 3.22.1.

   WindowsRegistryKeysModified
      Zero or one.  A WindowsRegistryKeysModified observable.
      See Section 3.26.

   FileData
      Zero or one.  A FileData observable.  See Section 3.28.

   CertificateData
      Zero or one.  A CertificateData observable.  See Section 3.27.

   RecordData
      Zero or one.  A RecordData observable.  See Section 3.25.1.

   EventData
      Zero or one.  An EventData observable.  See Section 3.16.

   Incident
      Zero or one.  An Incident observable.  See Section 3.2.

   Expectation
      Zero or one.  An Expectation observable.  See Section 3.17.

   enum:Reference
      Zero or one.  A Reference observable.  See [RFC-ENUM].

   Assessment
      Zero or one.  An Assessment observable.  See Section 3.14.

   HistoryItem
      Zero or one.  A HistoryItem observable.  See Section 3.15.1.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.  See
      Section 3.9.

   The Observable class MUST have exactly one of the possible child
   classes.

   The Observable class has no attributes.

3.32.4.  IndicatorExpression Class

   The IndicatorExpression class describes an expression composed of
   observed phenomena or features, or of indicators.  Elements of the
   expression can be described directly, reference relevant data from
   other parts of a given IODEF document, or reference previously
   defined indicators.

   All child classes of a given instance of IndicatorExpression form a
   Boolean algebraic expression where the operator between them is
   determined by the operator attribute.  Nesting an IndicatorExpression
   in itself is akin to a parenthesis in the expression.
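   The following Python is an added example, not code from the draft:
   it enforces the "exactly one child" MUSTs of Indicator and
   Observable, the StartTime/EndTime interval rules, and the
   uid-ref/euid-ref rule of IndicatorReference, then evaluates a nested
   IndicatorExpression with the not/and/or/xor operators.  It assumes an
   observable-id attribute on the leaf classes (as the description of
   ObservableReference@uid-ref implies), a default of "and" when the
   operator attribute is absent, "not" as a negated conjunction, and
   n-ary xor as odd parity, since the draft leaves those combination
   rules unwritten.

```python
# Added example, not part of the draft: enforce the "exactly one" rules of
# Section 3.32 and evaluate IndicatorExpression trees against observed data.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = "urn:ietf:params:xml:ns:iodef-2.0"          # namespace from Section 4.2
q = lambda tag: "{%s}%s" % (NS, tag)             # ElementTree's qualified name
local = lambda tag: tag.rsplit("}", 1)[-1]       # iodef:* and enum:* alike
INDICATOR_CHOICES = ("Observable", "IndicatorExpression",
                     "ObservableReference", "IndicatorReference")
OBSERVABLE_CHOICES = ("Address", "DomainData", "Service", "EmailData",
                      "ApplicationHeader", "WindowsRegistryKeysModified",
                      "FileData", "CertificateData", "RecordData", "EventData",
                      "Incident", "Expectation", "Reference", "Assessment",
                      "HistoryItem")
# Assumptions, since the draft leaves the combination rules TODO: 'and' when
# operator is absent, 'not' negates the conjunction, n-ary xor is odd parity.
OPERATORS = {"and": all, "or": any,
             "xor": lambda v: sum(v) % 2 == 1, "not": lambda v: not all(v)}


def exactly_one(elem, choices):
    """The MUST of Sections 3.32 and 3.32.3: one child from choices, no more."""
    found = [c for c in elem if local(c.tag) in choices]
    if len(found) != 1:
        raise ValueError("%s has %d of (%s); exactly one is required"
                         % (local(elem.tag), len(found), ", ".join(choices)))
    return found[0]


def is_valid_at(indicator, when_iso):
    """StartTime/EndTime rules of Section 3.32: an absent bound is open."""
    when = datetime.fromisoformat(when_iso)
    start = indicator.findtext(q("StartTime"))
    end = indicator.findtext(q("EndTime"))
    after_start = start is None or when >= datetime.fromisoformat(start)
    before_end = end is None or when <= datetime.fromisoformat(end)
    return after_start and before_end


def evaluate(elem, matched, index, seen=frozenset()):
    """Reduce an Indicator/expression subtree to a bool; `matched` holds the
    observable-ids actually seen, `index` maps IndicatorID to Indicator."""
    name = local(elem.tag)
    if name == "Indicator":
        iid = elem.findtext(q("IndicatorID"))
        if iid in seen:                              # guard reference loops
            raise ValueError("IndicatorReference cycle through " + iid)
        child = exactly_one(elem, INDICATOR_CHOICES)
        return evaluate(child, matched, index, seen | {iid})
    if name == "Observable":
        leaf = exactly_one(elem, OBSERVABLE_CHOICES)
        return leaf.get("observable-id") in matched  # assumed leaf attribute
    if name == "ObservableReference":
        return elem.get("uid-ref") in matched        # uid-ref is Required
    if name == "IndicatorReference":
        uid, euid = elem.get("uid-ref"), elem.get("euid-ref")
        if uid is None and euid is None:             # Section 3.32.6 MUST
            raise ValueError("IndicatorReference needs uid-ref or euid-ref")
        if uid is None:                              # defined in another document
            raise LookupError("cannot resolve external euid-ref " + euid)
        if uid not in index:
            raise LookupError("dangling uid-ref " + uid)
        return evaluate(index[uid], matched, index, seen)
    if name == "IndicatorExpression":
        op = elem.get("operator", "and")
        if op not in OPERATORS:
            raise ValueError("unknown operator " + op)
        return OPERATORS[op]([evaluate(c, matched, index, seen)
                              for c in elem if local(c.tag) in INDICATOR_CHOICES])
    raise ValueError("unexpected element " + name)


def load_indicators(text):
    """Parse an IODEF document into an IndicatorID -> Indicator index."""
    root = ET.fromstring(text)
    return {i.findtext(q("IndicatorID")): i for i in root.iter(q("Indicator"))}


# Constructed sample, not schema-complete.  I2 reads: I1's address was seen
# AND service svc-1 was not; it is valid during November 2014 only.
SAMPLE = """<IODEF-Document xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Indicator>
    <IndicatorID name="csirt.example.com" version="1">I1</IndicatorID>
    <Observable>
      <Address category="ipv4-addr" observable-id="addr-1">192.0.2.200</Address>
    </Observable>
  </Indicator>
  <Indicator>
    <IndicatorID name="csirt.example.com" version="1">I2</IndicatorID>
    <StartTime>2014-11-01T00:00:00+00:00</StartTime>
    <EndTime>2014-12-01T00:00:00+00:00</EndTime>
    <IndicatorExpression operator="and">
      <IndicatorReference uid-ref="I1"/>
      <IndicatorExpression operator="not">
        <ObservableReference uid-ref="svc-1"/>
      </IndicatorExpression>
    </IndicatorExpression>
  </Indicator>
</IODEF-Document>"""
```

   Calling evaluate(idx["I2"], {"addr-1"}, idx) on the sample yields
   True, while adding "svc-1" to the matched set turns the nested "not"
   false and the whole conjunction with it.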
   +--------------------------+
   |   IndicatorExpression    |
   +--------------------------+
   | ENUM operator            |<>--{0..*}--[ IndicatorExpression ]
   |                          |<>--{0..*}--[ Observable ]
   |                          |<>--{0..*}--[ ObservableReference ]
   |                          |<>--{0..*}--[ IndicatorReference ]
   |                          |<>--{0..*}--[ AdditionalData ]
   +--------------------------+

              Figure 61: The IndicatorExpression Class

   The aggregate classes that constitute IndicatorExpression are:

   IndicatorExpression
      Zero or more.  An expression composed of other observables or
      indicators.

   Observable
      Zero or more.  A description of an observable.

   ObservableReference
      Zero or more.  A reference to another observable.

   IndicatorReference
      Zero or more.  A reference to another indicator.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.  See
      Section 3.9.

   ... TODO Additional text is required to describe the valid
   combinations of classes and how the operator class should be applied
   ...

   The IndicatorExpression class has one attribute:

   operator
      Optional.  ENUM.  The operator to be applied between the child
      elements.

      1.  not.  negation operator.

      2.  and.  conjunction operator.

      3.  or.  disjunction operator.

      4.  xor.  exclusive disjunction operator.

3.32.5.  ObservableReference Class

   The ObservableReference class describes a reference to an observable
   feature or phenomenon described elsewhere in the document.

   This class has no content.

   +-------------------------+
   |   ObservableReference   |
   +-------------------------+
   | EMPTY                   |
   |                         |
   | IDREF uid-ref           |
   +-------------------------+

             Figure 62: The ObservableReference Class

   The ObservableReference class has one attribute:

   uid-ref
      Required.  IDREF.  An identifier that serves as a reference to a
      class in the IODEF document.
      The referenced class will have this identifier set in the
      observable-id attribute.

3.32.6.  IndicatorReference Class

   The IndicatorReference class describes a reference to an indicator.
   This reference may be to an indicator described in this IODEF
   document or in a previously exchanged IODEF document.

   +--------------------------+
   |    IndicatorReference    |
   +--------------------------+
   | EMPTY                    |
   |                          |
   | IDREF uid-ref            |
   | STRING euid-ref          |
   | STRING version           |
   +--------------------------+

              Figure 63: The IndicatorReference Class

   The IndicatorReference class has the following attributes:

   uid-ref
      Optional.  IDREF.  An identifier that serves as a reference to an
      Indicator class in the IODEF document.  The referenced Indicator
      class will have this identifier set in the IndicatorID class.

   euid-ref
      Optional.  STRING.  An identifier that references an IndicatorID
      not in this IODEF document.

   version
      Optional.  STRING.  A version number of an indicator.

   Either the uid-ref or the euid-ref attribute MUST be set.

4.  Processing Considerations

   This section defines additional requirements on creating and parsing
   IODEF documents.

4.1.  Encoding

   Every IODEF document MUST begin with an XML declaration and MUST
   specify the XML version used.  If UTF-8 encoding is not used, the
   character encoding MUST also be explicitly specified.  The IODEF
   conforms to all XML data encoding conventions and constraints.

   The XML declaration with no character encoding will read as follows:

   <?xml version="1.0" ?>

   When a character encoding is specified, the XML declaration will read
   like the following:

   <?xml version="1.0" encoding="charset" ?>

   Where "charset" is the name of the character encoding as registered
   with the Internet Assigned Numbers Authority (IANA); see [RFC2978].
   The following characters have special meaning in XML and MUST be
   escaped with their entity reference equivalent: "&", "<", ">", "\""
   (double quotation mark), and "'" (apostrophe).  These entity
   references are "&amp;", "&lt;", "&gt;", "&quot;", and "&apos;",
   respectively.

4.2.  IODEF Namespace

   The IODEF schema declares a namespace of
   "urn:ietf:params:xml:ns:iodef-2.0" and registers it per [W3C.XMLNS].
   Each IODEF document MUST include a valid reference to the IODEF
   schema using the "xsi:schemaLocation" attribute.  An example of such
   a declaration would look as follows:
7.2.  Reconnaissance

   An example of a CSIRT reporting a scanning activity.
7.3.  Bot-Net Reporting

   An example of a CSIRT reporting a bot-network.
7.4.  Watch List

   An example of a CSIRT conveying a watch-list.
8.  The IODEF Schema
9.  Security Considerations

   The IODEF data model itself does not directly introduce security
   issues.  Rather, it simply defines a representation for incident
   information.  As the data encoded by the IODEF might be considered
   privacy sensitive by the parties exchanging the information or by
   those described by it, care needs to be taken in ensuring the
   appropriate disclosure during both document exchange and subsequent
   processing.  The former must be handled by a messaging format, but
   the latter risk must be addressed by the systems that process, store,
   and archive IODEF documents and information derived from them.

   Executable content could be embedded into the IODEF document directly
   or through an extension.  The IODEF parser should handle this content
   with care to prevent unintentional automated execution.

   The contents of an IODEF document may include a request for action,
   or an IODEF parser may independently have logic to take certain
   actions based on information that it finds.  For this reason, care
   must be taken by the parser to properly authenticate the recipient of
   the document and ascribe an appropriate confidence to the data prior
   to action.

   The underlying messaging format and protocol used to exchange
   instances of the IODEF MUST provide appropriate guarantees of
   confidentiality, integrity, and authenticity.  The use of a
   standardized security protocol is encouraged.
   The Real-time Inter-network Defense (RID) protocol [RFC6545] and its
   associated transport binding, IODEF/RID over HTTP/TLS [RFC6546],
   provide such security.

   In order to suggest data processing and handling guidelines for the
   encoded information, the IODEF allows a document sender to convey a
   privacy policy using the restriction attribute.  The various
   instances of this attribute allow different data elements of the
   document to be covered by dissimilar policies.  While flexible, it
   must be stressed that this approach only serves as a guideline from
   the sender, as the recipient is free to ignore it.  The issue of
   enforcement is not a technical problem.

10.  IANA Considerations

   This document registers a namespace, XML schema, and a number of
   registries that map to enumerated values defined in the schema.

10.1.  Namespace and Schema

   This document uses URNs to describe an XML namespace and schema
   conforming to the registry mechanism described in [RFC3688].

   Registration for the IODEF namespace:

   o  URI: urn:ietf:params:xml:ns:iodef-2.0

   o  Registrant Contact: See the first author of the "Authors'
      Addresses" section of this document.

   o  XML: None.  Namespace URIs do not represent an XML specification.

   Registration for the IODEF XML schema:

   o  URI: urn:ietf:params:xml:schema:iodef-2.0

   o  Registrant Contact: See the first author of the "Authors'
      Addresses" section of this document.

   o  XML: See the "IODEF Schema" in Section 8 of this document.

10.2.  Enumerated Value Registries

   This document creates xx identically structured registries to be
   managed by IANA:

   o  Name of the parent registry: "Incident Object Description Exchange
      Format v2 (IODEF)"

   o  URL of the registry: http://www.iana.org/assignments/iodef2

   o  Namespace format: A registry entry consists of:

      *  Value.  An enumerated value for a given IODEF attribute.

      *  Description.
         A short description of the enumerated value.

      *  Reference.  An optional list of URIs to further describe the
         value.

   o  Allocation policy: Expert Review per [RFC5226]

   The registries to be created are named in the table below in the
   "Registry Name" column.  The initial values for the Value and
   Description fields of a given registry are listed in the "IV (Value)"
   and "IV (Description)" columns respectively.  The "IV (Value)" points
   to a given schema attribute or type per Section 8.  Each enumerated
   value in the schema gets a corresponding entry in a given registry.
   The "IV (Description)" points to a section in the text of this
   document.  The initial value of the Reference field of every registry
   entry described below should be this document.

   +--------------------------+------------------------+---------------+
   | Registry Name            | IV (Value)             | IV            |
   |                          |                        | (Description) |
   +--------------------------+------------------------+---------------+
   | Restriction              | iodef-restriction-type | Section 3.3.1 |
   |                          |                        |               |
   | Incident-purpose         | Incident@purpose       | Section 3.2   |
   |                          |                        |               |
   | Contact-role             | Contact@role           | Section 3.10  |
   |                          |                        |               |
   | Contact-type             | Contact@type           | Section 3.10  |
   |                          |                        |               |
   | RegistryHandle-registry  | RegistryHandle@registr | Section       |
   |                          | y                      | 3.10.1        |
   |                          |                        |               |
   | Expectation-action       | iodef:action-type      | Section 3.17  |
   |                          |                        |               |
   | Discovery-source         | Discovery@source       | Section 3.12  |
   |                          |                        |               |
   | SystemImpact-type        | SystemImpact@type      | Section       |
   |                          |                        | 3.14.1        |
   |                          |                        |               |
   | BusinessImpact-severity  | BusinessImpact@severit | Section       |
   |                          | y                      | 3.14.2        |
   |                          |                        |               |
   | BusinessImpact-type      | BusinessImpact@type    | Section       |
   |                          |                        | 3.14.2        |
   |                          |                        |               |
   | TimeImpact-metrics       | TimeImpact@metric      | Section       |
   |                          |                        | 3.14.3        |
   |                          |                        |               |
   | TimeImpact-duration      | iodef:duration-type    | Section       |
   |                          |                        | 3.14.3        |
   |                          |                        |               |
   | NodeRole-category        | NodeRole@category      | Section       |
   |                          |                        | 3.20.2        |
   |                          |                        |               |
   | System-category          | System@category        | Section 3.19  |
   |                          |                        |               |
   | System-ownership         | System@ownership       | Section 3.19  |
   |                          |                        |               |
   | Address-category         | Address@category       | Section       |
   |                          |                        | 3.20.1        |
   |                          |                        |               |
   | Counter-type             | Counter@type           | Section       |
   |                          |                        | 3.20.3        |
   |                          |                        |               |
   | DomainData-system-status | DomainData@system-     | Section 3.21  |
   |                          | status                 |               |
   |                          |                        |               |
   | DomainData-domain-status | DomainData@domain-     | Section 3.21  |
   |                          | status                 |               |
   |                          |                        |               |
   | RelatedDNS-record-type   | RelatedDNS@record-type | Section       |
   |                          |                        | 3.21.1        |
   |                          |                        |               |
   | RecordPattern-type       | RecordPattern@type     | Section       |
   |                          |                        | 3.25.2        |
   |                          |                        |               |
   | RecordPattern-offsetunit | RecordPattern@offsetun | Section       |
   |                          | it                     | 3.25.2        |
   |                          |                        |               |
   | Key-registryaction       | Key@registryaction     | Section       |
   |                          |                        | 3.26.1        |
   |                          |                        |               |
   | HashData-scope           | HashData@scope         | Section 3.29  |
   |                          |                        |               |
   | AdditionalData-dtype     | iodef:dtype-type       | Section 3.9   |
   |                          |                        |               |
   | EmailHeaderField-proto-  | iodef:proto-dtype-type | Section       |
   | dtype                    |                        | 3.22.1        |
   +--------------------------+------------------------+---------------+

               Table 1: IANA Enumerated Value Registries

11.  Acknowledgments

   The following groups and individuals, listed alphabetically,
   contributed substantially to this document and should be recognized
   for their efforts.

   o  Kathleen Moriarty, EMC Corporation

   o  Brian Trammell, ETH Zurich

   o  Patrick Cain, Cooper-Cain Group, Inc.

   o  ... TODO many more to add ...

12.  References

12.1.  Normative References

   [W3C.XML]  World Wide Web Consortium, "Extensible Markup Language
              (XML) 1.0 (Second Edition)", W3C Recommendation, October
              2000.
   [W3C.SCHEMA]
              World Wide Web Consortium, "XML Schema Part 1: Structures
              Second Edition", W3C Recommendation, October 2004.

   [W3C.SCHEMA.DTYPES]
              World Wide Web Consortium, "XML Schema Part 2: Datatypes
              Second Edition", W3C Recommendation, October 2004.

   [W3C.XMLNS]
              World Wide Web Consortium, "Namespaces in XML", W3C
              Recommendation, January 1999.

   [W3C.XPATH]
              World Wide Web Consortium, "XML Path Language (XPath)
              2.0", W3C Candidate Recommendation, June 2006.

   [W3C.XMLSIG]
              World Wide Web Consortium, "XML Signature Syntax and
              Processing 2.0", W3C Candidate Recommendation, June 2008.

   [IEEE.POSIX]
              Institute of Electrical and Electronics Engineers,
              "Information Technology - Portable Operating System
              Interface (POSIX) - Part 1: Base Definitions", IEEE
              1003.1, June 2001.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC5646]  Phillips, A. and M. Davis, "Tags for Identifying
              Languages", RFC 5646, September 2009.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", RFC 3986,
              January 2005.

   [RFC2978]  Freed, N. and J. Postel, "IANA Charset Registration
              Procedures", RFC 2978, October 2000.

   [RFC4519]  Sciberras, A., "Schema for User Applications", RFC 4519,
              June 2006.

   [RFC5322]  Resnick, P., "Internet Message Format", RFC 5322, October
              2008.

   [RFC3339]  Klyne, G. and C. Newman, "Date and Time on the Internet:
              Timestamps", RFC 3339, July 2002.

   [RFC-ENUM]
              Montville, A. and D. Black, "IODEF Enumeration Reference
              Format", RFC ENUM, November 2014.
   [ISO8601]  International Organization for Standardization,
              "International Standard: Data elements and interchange
              formats - Information interchange - Representation of
              dates and times", ISO 8601, Second Edition, December 2000.

   [ISO4217]  International Organization for Standardization,
              "International Standard: Codes for the representation of
              currencies and funds, ISO 4217:2001", ISO 4217:2001,
              August 2001.

   [RFC3688]  Mealling, M., "The IETF XML Registry", RFC 3688, January
              2004.

   [RFC3275]  Eastlake, D., Reagle, J., and D. Solo, "(Extensible Markup
              Language) XML-Signature Syntax and Processing", RFC 3275,
              March 2002.

   [IANA.Ports]
              Internet Assigned Numbers Authority, "Service Name and
              Transport Protocol Port Number Registry", January 2014.

   [IANA.Protocols]
              Internet Assigned Numbers Authority, "Assigned Internet
              Protocol Numbers", January 2014.

12.2.  Informative References

   [RFC5070]  Danyliw, R., Meijer, J., and Y. Demchenko, "Incident
              Object Description Exchange Format", RFC 5070, December
              2007.

   [refs.requirements]
              Keeni, G., Demchenko, Y., and R. Danyliw, "Requirements
              for the Format for Incident Information Exchange (FINE)",
              Work in Progress, June 2006.

   [RFC4765]  Debar, H., Curry, D., and B. Feinstein, "Intrusion
              Detection Message Exchange Format", RFC 4765, March 2007.

   [RFC6545]  Moriarty, K., "Real-time Inter-network Defense (RID)",
              RFC 6545, April 2012.

   [RFC6546]  Trammell, B., "Transport of Real-time Inter-network
              Defense (RID) Messages over HTTP/TLS", RFC 6546, April
              2012.

   [RFC5901]  Cain, P. and D. Jevans, "Extensions to the IODEF-Document
              Class for Reporting Phishing", RFC 5901, July 2010.

   [NIST800.61rev2]
              Cichonski, P., Millar, T., Grance, T., and K.
              Scarfone, "NIST Special Publication 800-61 Revision 2:
              Computer Security Incident Handling Guide", January 2012.

   [RFC3982]  Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg)
              Type for the Internet Registry Information Service
              (IRIS)", RFC 3982, January 2005.

   [KB310516]
              Microsoft Corporation, "How to add, modify, or delete
              registry subkeys and values by using a registration
              entries (.reg) file", December 2007.

   [RFC4180]  Shafranovich, Y., "Common Format and MIME Type for Comma-
              Separated Values (CSV) Files", RFC 4180, October 2005.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", RFC 5226, May 2008.

Authors' Addresses

   Roman Danyliw
   CERT - Software Engineering Institute
   Pittsburgh, PA
   USA

   EMail: rdd@cert.org

   Paul Stoecker
   RSA
   Reston, VA
   USA

   EMail: paul.stoecker@rsa.com