MILE Working Group                                           R. Danyliw
Internet-Draft                                                     CERT
Obsoletes: 5070 (if approved)                               P. Stoecker
Intended status: Standards Track                                    RSA
Expires: December 20, 2015                                June 18, 2015

          The Incident Object Description Exchange Format v2
                    draft-ietf-mile-rfc5070-bis-12

Abstract

   The Incident Object Description Exchange Format (IODEF) defines a
   data representation for sharing information commonly exchanged by
   Computer Security Incident Response Teams (CSIRTs) about computer
   security incidents.  This document describes the information model
   for the IODEF and provides an associated data model specified with
   XML Schema.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 20, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.
Table of Contents

   1.  Introduction
     1.1.  Changes from 5070
     1.2.  Terminology
     1.3.  Notations
     1.4.  About the IODEF Data Model
     1.5.  About the IODEF Implementation
   2.  IODEF Data Types
     2.1.  Integers
     2.2.  Real Numbers
     2.3.  Characters and Strings
     2.4.  Multilingual Strings
     2.5.  Bytes
     2.6.  Hexadecimal Bytes
     2.7.  Enumerated Types
     2.8.  Date-Time Strings
     2.9.  Timezone String
     2.10.  Port Lists
     2.11.  Postal Address
     2.12.  Person or Organization
     2.13.  Telephone and Fax Numbers
     2.14.  Email String
     2.15.  Uniform Resource Locator strings
     2.16.  Identifiers and Identifier References
   3.  The IODEF Data Model
     3.1.  IODEF-Document Class
     3.2.  Incident Class
     3.3.  Common Attributes
       3.3.1.  restriction Attribute
       3.3.2.  observable-id Attribute
     3.4.  IncidentID Class
     3.5.  AlternativeID Class
     3.6.  RelatedActivity Class
     3.7.  ThreatActor Class
     3.8.  Campaign Class
     3.9.  AdditionalData Class
     3.10.  Contact Class
       3.10.1.  RegistryHandle Class
       3.10.2.  PostalAddress Class
       3.10.3.  Email Class
       3.10.4.  Telephone and Fax Classes
     3.11.  Time Classes
       3.11.1.  StartTime Class
       3.11.2.  EndTime Class
       3.11.3.  DetectTime Class
       3.11.4.  ReportTime Class
       3.11.5.  GenerationTime Class
       3.11.6.  DateTime
     3.12.  Discovery Class
       3.12.1.  DetectionPattern Class
     3.13.  Method Class
       3.13.1.  Reference Class
     3.14.  Assessment Class
       3.14.1.  SystemImpact Class
       3.14.2.  BusinessImpact Class
       3.14.3.  TimeImpact Class
       3.14.4.  MonetaryImpact Class
       3.14.5.  Confidence Class
     3.15.  History Class
       3.15.1.  HistoryItem Class
     3.16.  EventData Class
       3.16.1.  Relating the Incident and EventData Classes
       3.16.2.  Cardinality of EventData
     3.17.  Expectation Class
     3.18.  Flow Class
     3.19.  System Class
     3.20.  Node Class
       3.20.1.  Address Class
       3.20.2.  NodeRole Class
       3.20.3.  Counter Class
     3.21.  DomainData Class
       3.21.1.  RelatedDNS
       3.21.2.  Nameservers Class
       3.21.3.  DomainContacts Class
     3.22.  Service Class
       3.22.1.  ApplicationHeader Class
       3.22.2.  Application Class
     3.23.  OperatingSystem Class
     3.24.  EmailData Class
     3.25.  Record Class
       3.25.1.  RecordData Class
       3.25.2.  RecordPattern Class
       3.25.3.  RecordItem Class
     3.26.  WindowsRegistryKeysModified Class
       3.26.1.  Key Class
     3.27.  CertificateData Class
       3.27.1.  Certificate Class
     3.28.  FileData Class
       3.28.1.  File Class
     3.29.  HashData Class
       3.29.1.  Hash Class
       3.29.2.  FuzzyHash Class
     3.30.  SignatureData Class
     3.31.  IndicatorData Class
     3.32.  Indicator Class
       3.32.1.  IndicatorID Class
       3.32.2.  AlternativeIndicatorID Class
       3.32.3.  Observable Class
       3.32.4.  IndicatorExpression Class
       3.32.5.  ObservableReference Class
       3.32.6.  IndicatorReference Class
   4.  Processing Considerations
     4.1.  Encoding
     4.2.  IODEF Namespace
     4.3.  Validation
     4.4.  Incompatibilities with v1
   5.  Extending the IODEF
     5.1.  Extending the Enumerated Values of Attributes
       5.1.1.  Private Extension of Enumerated Values
       5.1.2.  Public Extension of Enumerated Values
     5.2.  Extending Classes
     5.3.  Deconflicting Private Extensions
   6.  Internationalization Issues
   7.  Examples
     7.1.  Worm
     7.2.  Reconnaissance
     7.3.  Bot-Net Reporting
     7.4.  Watch List
   8.  The IODEF Schema
   9.  Security Considerations
   10.  IANA Considerations
     10.1.  Namespace and Schema
     10.2.  Enumerated Value Registries
   11.  Acknowledgments
   12.  References
     12.1.  Normative References
     12.2.  Informative References
   Authors' Addresses

1.  Introduction

   Organizations require help from other parties to mitigate malicious
   activity targeting their network and to gain insight into potential
   threats.  This coordination might entail working with an ISP to
   filter attack traffic, contacting a remote site to take down a
   bot-network, or sharing watch-lists of known malicious IP addresses
   in a consortium.

   The Incident Object Description Exchange Format (IODEF) is a format
   for representing computer security information commonly exchanged
   between Computer Security Incident Response Teams (CSIRTs).  It
   provides an XML representation for conveying:

   o  cyber intelligence to characterize threats;

   o  cyber incident reports to document particular cyber security
      events or relationships between events;

   o  cyber event mitigation to request proactive and reactive
      mitigation approaches to cyber intelligence or incidents; and

   o  cyber information sharing meta-data so that these various classes
      of information can be exchanged among parties.
   The data model encodes information about hosts, networks, and the
   services running on these systems; attack methodology and associated
   forensic evidence; impact of the activity; and limited approaches for
   documenting workflow.

   The overriding purpose of the IODEF is to enhance the operational
   capabilities of CSIRTs.  Community adoption of the IODEF provides an
   improved ability to resolve incidents and convey situational
   awareness by simplifying collaboration and data sharing.  This
   structured format provided by the IODEF allows for:

   o  increased automation in processing of incident data, since the
      resources of security analysts to parse free-form textual
      documents will be reduced;

   o  decreased effort in normalizing similar data (even when highly
      structured) from different sources; and

   o  a common format on which to build interoperable tools for incident
      handling and subsequent analysis, specifically when data comes
      from multiple constituencies.

   Coordinating with other CSIRTs is not strictly a technical problem.
   There are numerous procedural, trust, and legal considerations that
   might prevent an organization from sharing information.  The IODEF
   does not attempt to address them.  However, operational
   implementations of the IODEF will need to consider this broader
   context.

   Sections 3 and 8 specify the IODEF data model with text and an XML
   schema.  The types used by the data model are covered in Section 2.
   Processing considerations, the handling of extensions, and
   internationalization issues related to the data model are covered in
   Sections 4, 5, and 6, respectively.  Examples are listed in
   Section 7.  Section 1 provides the background for the IODEF, and
   Section 9 documents the security considerations.

1.1.  Changes from 5070

   This document contains changes with respect to its predecessor
   RFC5070.

   o  All of the RFC5070 Errata were implemented.

   o  Imported the xmlns:ds namespace to include digital signature hash
      classes.

   o  The following class was added to IODEF-Document: AdditionalData.

   o  The following class and attribute were added to Incident:
      IndicatorData and @status.

   o  The following class was added to Incident and EventData:
      Discovery.

   o  The following classes and attributes were added to the Service
      class: EmailData, DomainData, AssetID, ApplicationHeader,
      @virtual, and @ownership.  Service@ip_protocol was renamed to
      @ip-protocol.

   o  The following classes were added to the Record class: HashData and
      WindowsRegistryKeysModified.

   o  The following classes were added to the RelatedActivity class:
      ThreatActor, Campaign, Confidence, Description, and
      AdditionalData.

   o  The following classes were added to Assessment: IncidentCategory,
      SystemImpact, BusinessImpact, IntendedImpact, and
      MitigatingFactor.

   o  The following classes were added to Node: PostalAddress and
      DomainData.  The following classes were removed from Node:
      NodeName and DateTime.

   o  The following class was added to the Contact class: ContactTitle.

   o  The following class was added to Expectation and HistoryItem:
      DefinedCOA.

   o  The following class was added to Service: ServiceName.

   o  The following class was added to Reference: ReferenceName
      (replaced Name).

   o  The following attributes were added to Counter: type and unit.

   o  Additional enumerated values were added to the following
      attributes: @restriction, {Expectation, HistoryItem}@action,
      NodeRole@category, Incident@purpose, Contact@role,
      AdditionalData@dtype, System@spoofed.

   o  Added option for public extension of enumerated attributes with an
      IANA registry and added @ext-restriction.

   o  Removed Impact class in favor of using SystemImpact and
      IncidentCategory.

   o  iodef:MLStringType uses xml:lang and @translation-id.

1.2.  Terminology

   The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
   "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Definitions for some of the common computer security-related
   terminology used in this document can be found in Section 2 of
   [refs.requirements].

1.3.  Notations

   The normative IODEF data model is specified with the text in
   Section 3 and the XML schema in Section 8.  To help in the
   understanding of the data elements, Section 3 also depicts the
   underlying information model using Unified Modeling Language (UML).
   This abstract presentation of the IODEF is not normative.

   For clarity in this document, the term "XML document" will be used
   when referring generically to any instance of an XML document.  The
   term "IODEF document" will be used to refer to specific elements and
   attributes of the IODEF schema.  The terms "class" and "element" will
   be used interchangeably to reference either the corresponding data
   element in the information or data models, respectively.

1.4.  About the IODEF Data Model

   The IODEF data model is a data representation that provides a
   framework for sharing information commonly exchanged by CSIRTs about
   computer security incidents.  A number of considerations were made in
   the design of the data model.

   o  The data model serves as a transport format.  Therefore, its
      specific representation is not the optimal representation for
      on-disk storage, long-term archiving, or in-memory processing.

   o  As there is no precise widely agreed upon definition for an
      incident, the data model does not attempt to dictate one through
      its implementation.  Rather, a broad understanding is assumed in
      the IODEF that is flexible enough to encompass most operators.

   o  Describing an incident for all definitions would require an
      extremely complex data model.  Therefore, the IODEF only intends
      to be a framework to convey commonly exchanged incident
      information.  It ensures that there are ample mechanisms for
      extensibility to support organization-specific information, and
      techniques to reference information kept outside of the explicit
      data model.

   o  The domain of security analysis is not fully standardized and must
      rely on free-form textual descriptions.  The IODEF attempts to
      strike a balance between supporting this free-form content, while
      still allowing automated processing of incident information.

   o  The IODEF is only one of several security relevant data
      representations being standardized.  Attempts were made to ensure
      they were complementary.  The data model of the Intrusion
      Detection Message Exchange Format [RFC4765] influenced the design
      of the IODEF.

   Further discussion of the desirable properties for the IODEF can be
   found in the Requirements for the Format for Incident Information
   Exchange (FINE) [refs.requirements].

1.5.  About the IODEF Implementation

   The IODEF implementation is specified as an Extensible Markup
   Language (XML) [W3C.XML] Schema [W3C.SCHEMA].

   Implementing the IODEF in XML provides numerous advantages.  Its
   extensibility makes it ideal for specifying a data encoding framework
   that supports various character encodings.  Likewise, the abundance
   of related technologies (e.g., XSL, XPath, XML-Signature) makes for
   simplified manipulation.  However, XML is fundamentally a text
   representation, which makes it inherently inefficient when binary
   data must be embedded or large volumes of data must be exchanged.

2.  IODEF Data Types

   The various data elements of the IODEF data model are typed.  This
   section discusses these data types.
   When possible, native Schema data types were adopted, but for more
   complicated formats, regular expressions (see Appendix F of
   [W3C.SCHEMA.DTYPES]) or external standards were used.

2.1.  Integers

   An integer is represented by the INTEGER data type.  Integer data
   MUST be encoded in Base 10.

   The INTEGER data type is implemented as an "xs:integer" in
   [W3C.SCHEMA.DTYPES].

2.2.  Real Numbers

   Real (floating-point) attributes are represented by the REAL data
   type.  Real data MUST be encoded in Base 10.

   The REAL data type is implemented as an "xs:float" in
   [W3C.SCHEMA.DTYPES].

2.3.  Characters and Strings

   A single character is represented by the CHARACTER data type.  A
   character string is represented by the STRING data type.  Special
   characters must be encoded using entity references.  See Section 4.1.

   The CHARACTER and STRING data types are implemented as an "xs:string"
   in [W3C.SCHEMA.DTYPES].

2.4.  Multilingual Strings

   A character string that needs to be represented in a language
   different than the default encoding of the document is of the
   ML_STRING data type.

   The ML_STRING data type is implemented as the "iodef:MLStringType"
   type in the schema.  This type extends the "xs:string" to include two
   attributes.  The body of any class that uses this type is the
   multilingual string.

                   +------------------------+
                   | iodef:MLStringType     |
                   +------------------------+
                   | ENUM xml:lang          |
                   | STRING translation-id  |
                   |                        |
                   +------------------------+

                 Figure 1: The iodef:MLStringType Type

   Classes of the iodef:MLStringType type have two attributes:

   xml:lang
      Optional.  ENUM.  A language identifier per Section 2.12 of
      [W3C.XML] whose values and form are described in [RFC5646].  The
      interpretation of this code is described in Section 6.

   translation-id
      Optional.  STRING.  An identifier to relate other instances of
      this class with the same parent as translations of this text.  The
      scope of this identifier is limited to all of the direct, peer
      child classes of a given parent class.

   Using this class enables representing translations of the same text
   in multiple languages.  Each translation is a distinct instance of
   this class with a common parent.  This relationship between multiple
   classes being translated instances of the same text is indicated by a
   common identifier set in the translation-id attribute.  The language
   of a given class of this type is set by the xml:lang attribute.

2.5.  Bytes

   A binary octet is represented by the BYTE data type.  A sequence of
   binary octets is represented by the BYTE[] data type.  These octets
   are encoded using base64.

   The BYTE data type is implemented as an "xs:base64Binary" in
   [W3C.SCHEMA.DTYPES].

2.6.  Hexadecimal Bytes

   A binary octet is represented by the HEXBIN (and HEXBIN[]) data type.
   This octet is encoded as a character tuple consisting of two
   hexadecimal digits.

   The HEXBIN data type is implemented as an "xs:hexBinary" in
   [W3C.SCHEMA.DTYPES].

2.7.  Enumerated Types

   Enumerated types are represented by the ENUM data type, and consist
   of an ordered list of acceptable values.  Each value has a
   representative keyword.  Within the IODEF schema, the enumerated type
   keywords are used as attribute values.

   The ENUM data type is implemented as a series of "xs:NMTOKEN" in the
   schema.

2.8.  Date-Time Strings

   Date-time strings are represented by the DATETIME data type.  Each
   date-time string identifies a particular instant in time.  Ranges are
   not supported.

   Date-time strings are formatted according to a subset of [ISO8601]
   documented in [RFC3339].

   The DATETIME data type is implemented as an "xs:dateTime" in the
   schema.

2.9.  Timezone String

   A timezone offset from UTC is represented by the TIMEZONE data type.
   It is formatted according to the following regular expression:
   "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]".

   The TIMEZONE data type is implemented as an "xs:string" with a
   regular expression constraint in [W3C.SCHEMA.DTYPES].  This regular
   expression is identical to the timezone representation implemented in
   an "xs:dateTime".

2.10.  Port Lists

   A list of network ports is represented by the PORTLIST data type.  A
   PORTLIST consists of a comma-separated list of numbers and ranges
   (N-M means ports N through M, inclusive).  It is formatted according
   to the following regular expression: "\d+(\-\d+)?(,\d+(\-\d+)?)*".
   For example, "2,5-15,30,32,40-50,55-60".

   The PORTLIST data type is implemented as an "xs:string" with a
   regular expression constraint in the schema.

2.11.  Postal Address

   A postal address is represented by the POSTAL data type.  This data
   type is an ML_STRING whose format is documented in Section 2.23 of
   [RFC4519].  It defines a postal address as a free-form multi-line
   string separated by the "$" character.

   The POSTAL data type is implemented as an "xs:string" in the schema.

2.12.  Person or Organization

   The name of an individual or organization is represented by the NAME
   data type.  This data type is an ML_STRING whose format is documented
   in Section 2.3 of [RFC4519].

   The NAME data type is implemented as an "xs:string" in the schema.

2.13.  Telephone and Fax Numbers

   A telephone or fax number is represented by the PHONE data type.  The
   format of the PHONE data type is documented in Section 2.35 of
   [RFC4519].

   The PHONE data type is implemented as an "xs:string" in the schema.

2.14.  Email String

   An email address is represented by the EMAIL data type.  The format
   of the EMAIL data type is documented in Section 3.4.1 of [RFC5322].
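   The pattern-constrained types above (TIMEZONE in Section 2.9,
   PORTLIST in Section 2.10) and the EMAIL type of this section are the
   ones a consumer is most likely to act on directly, for instance by
   turning a PORTLIST into a filter rule, so they deserve checks beyond
   what the schema's regular expressions express.  The following Python
   is an added example and not code from this draft: it applies the
   draft's own TIMEZONE and PORTLIST patterns verbatim, then adds the
   bounds and ordering checks the patterns do not express (the PORTLIST
   grammar accepts "70000" and "10-5"), caps how many ports a list may
   expand to, and uses a deliberately narrow addr-spec check in place of
   a full RFC 5322 parser.  MAX_PORT, MAX_EXPANDED and EMAIL_RE are this
   example's assumptions, not values taken from the draft.

```python
"""Validators for the IODEF TIMEZONE, PORTLIST and EMAIL string types.
Added example, not code from the draft.  The TIMEZONE and PORTLIST
patterns are quoted from Sections 2.9 and 2.10; the bounds, the expansion
cap and the EMAIL pattern are this example's own assumptions."""
import re
from typing import List, Optional, Tuple

# Section 2.9: "Z" or a signed hh:mm offset with hours 00-14 (verbatim).
TIMEZONE_RE = re.compile(r"Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]")

# Section 2.10: comma-separated numbers and N-M ranges (verbatim).
PORTLIST_RE = re.compile(r"\d+(\-\d+)?(,\d+(\-\d+)?)*")

# Section 2.14 defers to RFC 5322.  This is a deliberately narrow addr-spec
# check (dot-atom local part, dotted domain), an assumption of this example
# rather than a full RFC 5322 parser.
EMAIL_RE = re.compile(
    r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
    r"@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

MAX_PORT = 65535        # assumption: TCP/UDP port space
MAX_EXPANDED = 4096     # assumption: refuse to materialise e.g. "1-65535"


def is_timezone(value: str) -> bool:
    """True if value is a well-formed TIMEZONE string.  fullmatch() gives
    the whole-string anchoring that xs:pattern applies implicitly."""
    return TIMEZONE_RE.fullmatch(value) is not None


def tz_offset_minutes(value: str) -> int:
    """Offset from UTC in minutes (east positive); ValueError on bad input."""
    if not is_timezone(value):
        raise ValueError(f"bad TIMEZONE: {value!r}")
    if value == "Z":
        return 0
    sign = -1 if value[0] == "-" else 1
    hours, minutes = value[1:].split(":")
    return sign * (int(hours) * 60 + int(minutes))


def parse_portlist(value: str) -> List[Tuple[int, int]]:
    """Parse a PORTLIST into (low, high) pairs.  The draft's pattern alone
    accepts "70000" and "10-5"; the bound and order checks catch those."""
    if PORTLIST_RE.fullmatch(value) is None:
        raise ValueError(f"PORTLIST does not match grammar: {value!r}")
    ranges = []
    for item in value.split(","):
        lo, _, hi = item.partition("-")
        low = int(lo)
        high = int(hi) if hi else low
        if not 0 <= low <= high <= MAX_PORT:
            raise ValueError(f"port range out of bounds or reversed: {item!r}")
        ranges.append((low, high))
    return ranges


def expand_portlist(value: str) -> List[int]:
    """Sorted, de-duplicated ports, refusing lists that expand too far."""
    ranges = parse_portlist(value)
    total = sum(high - low + 1 for low, high in ranges)
    if total > MAX_EXPANDED:
        raise ValueError(f"PORTLIST expands to {total} ports, cap is {MAX_EXPANDED}")
    ports = set()
    for low, high in ranges:
        ports.update(range(low, high + 1))
    return sorted(ports)


def portlist_problem(value: str) -> Optional[str]:
    """The validation error for value, or None if it is acceptable."""
    try:
        expand_portlist(value)
    except ValueError as exc:
        return str(exc)
    return None


def is_email(value: str) -> bool:
    """True if value passes the narrow addr-spec check above."""
    return EMAIL_RE.fullmatch(value) is not None


if __name__ == "__main__":
    print(expand_portlist("2,5-15,30,32,40-50,55-60"))   # Section 2.10 example
    for bad in ("70000", "10-5", "1-65535", "80,", ""):
        print(repr(bad), "->", portlist_problem(bad))
    print(tz_offset_minutes("-05:30"), is_email("csirt@example.com"))
```

   The schema's xs:pattern facet anchors a pattern to the whole value,
   which is why the code uses fullmatch() rather than match(); a
   search-style match would let "80,bogus" through the PORTLIST check.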
   The EMAIL data type is implemented as an "xs:string" in the schema.

2.15.  Uniform Resource Locator strings

   A uniform resource locator (URL) is represented by the URL data type.
   The format of the URL data type is documented in [RFC3986].

   The URL data type is implemented as an "xs:anyURI" in the schema.

2.16.  Identifiers and Identifier References

   An identifier unique to the Document is represented by the ID data
   type.  A reference to this identifier is represented by the IDREF
   data type.  The acceptable format of ID and IDREF is documented in
   Sections 3.3.8 and 3.3.9 of [W3C.SCHEMA.DTYPES].

   The ID and IDREF data types are implemented as "xs:ID" and "xs:IDREF"
   in the schema.

3.  The IODEF Data Model

   In this section, the individual components of the IODEF data model
   will be discussed in detail.  For each class, the semantics will be
   described and the relationship with other classes will be depicted
   with UML.  When necessary, specific comments will be made about the
   corresponding definition in the schema in Section 8.

3.1.  IODEF-Document Class

   The IODEF-Document class is the top level class in the IODEF data
   model.  All IODEF documents are an instance of this class.

   +--------------------------+
   | IODEF-Document           |
   +--------------------------+
   | STRING version           |<>--{1..*}--[ Incident ]
   | ENUM xml:lang            |<>--{0..*}--[ AdditionalData ]
   | STRING format-id         |
   | STRING private-enum-name |
   | STRING private-enum-id   |
   +--------------------------+

                     Figure 2: IODEF-Document Class

   The aggregate classes that constitute IODEF-Document are:

   Incident
      One or more.  The information related to a single incident.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.  See
      Section 3.9.

   The IODEF-Document class has five attributes:

   version
      Required.  STRING.
      The IODEF specification version number to which this IODEF
      document conforms.  The value of this attribute MUST be "2.00".

   xml:lang
      Optional.  ENUM.  A language identifier per Section 2.12 of
      [W3C.XML] whose values and form are described in [RFC5646].  The
      interpretation of this code is described in Section 6.

   format-id
      Optional.  STRING.  A free-form string to convey processing
      instructions to the recipient of the document.  Its semantics must
      be negotiated out-of-band.

   private-enum-name
      Optional.  STRING.  A globally unique identifier for the CSIRT
      generating the document to deconflict private extensions used in
      the Document.  The fully qualified domain name associated with the
      CSIRT MUST be used as the identifier.

   private-enum-id
      Optional.  STRING.  An organizationally unique identifier for an
      extension used in the Document.  If this attribute is set, the
      private-enum-name MUST also be set.

3.2.  Incident Class

   Every incident is represented by an instance of the Incident class.
   This class provides a standardized representation for commonly
   exchanged incident data.
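   Before the Incident class is laid out in detail, an added example
   (not the draft's own code or schema) of what the rules stated so far
   look like in practice: a constructed IODEF-Document carrying the
   children that the Incident class makes mandatory, and a checker for
   the Section 3.1 attribute rules (version MUST be "2.00";
   private-enum-id requires private-enum-name, which MUST be the CSIRT's
   FQDN), the child cardinalities of the Incident class, and the
   Section 2.4 grouping of ML_STRING translations by translation-id.
   The namespace URI, the IncidentID@name and Contact@role/@type
   attributes, and the children placed under Assessment and Contact are
   assumptions drawn from the IODEF schema as a whole and are not
   described on this page; the sample is not run through the XML Schema,
   only through the checks shown.

```python
"""Minimal IODEF v2 document and a checker for the structural rules in
Sections 2.4, 3.1 and 3.2.  Added example; not the draft's code or schema.
Assumptions (not defined on this page): the namespace URI, IncidentID@name,
Contact@role/@type and the children used under Assessment and Contact."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Optional

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"   # assumed IODEF v2 namespace
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
NS = {"iodef": IODEF_NS}

# Constructed sample: one Incident with every child the Incident class
# makes mandatory, and one Description given in two languages (Section 2.4).
SAMPLE = f"""<IODEF-Document version="2.00" xml:lang="en" xmlns="{IODEF_NS}"
    private-enum-name="csirt.example.com" private-enum-id="ticket-ref">
  <Incident purpose="reporting" restriction="need-to-know">
    <IncidentID name="csirt.example.com">INC-2015-0042</IncidentID>
    <ReportTime>2015-06-18T10:00:00Z</ReportTime>
    <Description xml:lang="en" translation-id="d1">Scanning observed</Description>
    <Description xml:lang="fr" translation-id="d1">Balayage observé</Description>
    <Assessment><Confidence rating="medium"/></Assessment>
    <Contact role="creator" type="organization">
      <ContactName>Example CSIRT</ContactName>
    </Contact>
  </Incident>
</IODEF-Document>
"""

# (child, min, max) for the Incident class; None means unbounded.
# Children allowed 0..* are omitted because any count is acceptable.
INCIDENT_CARDINALITY = [
    ("IncidentID", 1, 1), ("AlternativeID", 0, 1), ("DetectTime", 0, 1),
    ("StartTime", 0, 1), ("EndTime", 0, 1), ("RecoveryTime", 0, 1),
    ("ReportTime", 1, 1), ("GenerationTime", 0, 1), ("Assessment", 1, None),
    ("Contact", 1, None), ("History", 0, 1),
]


def check_incident(inc: ET.Element, index: int) -> List[str]:
    """Violations of the Section 3.2 rules for one Incident element."""
    problems = []
    if inc.get("purpose") is None:            # purpose is Required
        problems.append(f"Incident[{index}]: missing required purpose attribute")
    for child, lo, hi in INCIDENT_CARDINALITY:
        n = len(inc.findall(f"iodef:{child}", NS))
        if n < lo or (hi is not None and n > hi):
            bound = f"{lo}..{'*' if hi is None else hi}"
            problems.append(f"Incident[{index}]: {n} x {child}, allowed {bound}")
    return problems


def check_document(xml_text: str) -> List[str]:
    """Return every violation found; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{IODEF_NS}}}IODEF-Document":
        return [f"root element is {root.tag}, expected IODEF-Document"]
    problems = []
    if root.get("version") != "2.00":         # Section 3.1: MUST be "2.00"
        problems.append(f'version must be "2.00", got {root.get("version")!r}')
    name = root.get("private-enum-name")
    if root.get("private-enum-id") is not None and name is None:
        problems.append("private-enum-id set without private-enum-name")
    if name is not None and "." not in name:  # MUST be the CSIRT's FQDN
        problems.append(f"private-enum-name {name!r} is not a fully qualified domain name")
    incidents = root.findall("iodef:Incident", NS)
    if not incidents:                          # Figure 2: Incident is 1..*
        problems.append("IODEF-Document must contain at least one Incident")
    for i, inc in enumerate(incidents):
        problems.extend(check_incident(inc, i))
    return problems


def translations(parent: ET.Element) -> Dict[str, Dict[str, str]]:
    """Group direct children that share a translation-id (Section 2.4)
    into {translation-id: {xml:lang: text}}."""
    groups: Dict[str, Dict[str, str]] = defaultdict(dict)
    for child in parent:
        tid = child.get("translation-id")
        if tid is not None:
            groups[tid][child.get(XML_LANG, "")] = child.text or ""
    return dict(groups)


def description_translations(xml_text: str, lang: Optional[str] = None):
    """Translation groups of the first Incident; with lang, just that language."""
    inc = ET.fromstring(xml_text).find("iodef:Incident", NS)
    groups = translations(inc)
    if lang is None:
        return groups
    return {tid: texts.get(lang) for tid, texts in groups.items()}


if __name__ == "__main__":
    print("violations:", check_document(SAMPLE))
    print(description_translations(SAMPLE, "fr"))
```

   The checker is a complement to, not a substitute for, validating
   against the schema in Section 8: it only encodes the prose rules of
   Sections 2.4, 3.1 and 3.2, which is useful when a receiver wants a
   fast, dependency-free sanity check before handing a document to a
   full XML Schema validator.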
   +-------------------------+
   | Incident                |
   +-------------------------+
   | ENUM purpose            |<>----------[ IncidentID ]
   | STRING ext-purpose      |<>--{0..1}--[ AlternativeID ]
   | ENUM status             |<>--{0..*}--[ RelatedActivity ]
   | STRING ext-status       |<>--{0..1}--[ DetectTime ]
   | ENUM xml:lang           |<>--{0..1}--[ StartTime ]
   | ENUM restriction        |<>--{0..1}--[ EndTime ]
   | STRING ext-restriction  |<>--{0..1}--[ RecoveryTime ]
   | STRING observable-id    |<>----------[ ReportTime ]
   |                         |<>--{0..1}--[ GenerationTime ]
   |                         |<>--{0..*}--[ Description ]
   |                         |<>--{0..*}--[ Discovery ]
   |                         |<>--{1..*}--[ Assessment ]
   |                         |<>--{0..*}--[ Method ]
   |                         |<>--{1..*}--[ Contact ]
   |                         |<>--{0..*}--[ EventData ]
   |                         |<>--{0..*}--[ IndicatorData ]
   |                         |<>--{0..1}--[ History ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                      Figure 3: The Incident Class

   The aggregate classes that constitute Incident are:

   IncidentID
      One.  An incident tracking number assigned to this incident by the
      CSIRT that generated the IODEF document.

   AlternativeID
      Zero or one.  The incident tracking numbers used by other CSIRTs
      to refer to the incident described in the document.

   RelatedActivity
      Zero or more.  Related activity and attribution of this activity.

   DetectTime
      Zero or one.  The time the incident was first detected.

   StartTime
      Zero or one.  The time the incident started.

   EndTime
      Zero or one.  The time the incident ended.

   RecoveryTime
      Zero or one.  The time the site recovered from the incident.

   ReportTime
      One.  The time the incident was reported.

   GenerationTime
      Zero or one.  The time the content in this Incident class was
      generated.

   Description
      Zero or more.  ML_STRING.  A free-form textual description of the
      incident.

   Discovery
      Zero or more.  The means by which this incident was detected.

   Assessment
      One or more.
      A characterization of the impact of the incident.

   Method
      Zero or more.  The techniques used by the intruder in the
      incident.

   Contact
      One or more.  Contact information for the parties involved in the
      incident.

   EventData
      Zero or more.  Description of the events comprising the incident.

   IndicatorData
      Zero or more.  Description of indicators.

   History
      Zero or one.  A log of significant events or actions that occurred
      during the course of handling the incident.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.

   The Incident class has eight attributes:

   purpose
      Required.  ENUM.  The purpose attribute represents the reason why
      the IODEF document was created.  It is closely related to the
      Expectation class (Section 3.17).  These values are maintained in
      the "Incident-purpose" IANA registry per Table 1.  This attribute
      is defined as an enumerated list:

      1.  traceback.  The document was sent for trace-back purposes.

      2.  mitigation.  The document was sent to request aid in
          mitigating the described activity.

      3.  reporting.  The document was sent to comply with reporting
          requirements.

      4.  watch.  The document was sent to convey indicators to watch
          for particular activity.

      5.  other.  The document was sent for purposes specified in the
          Expectation class.

      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-purpose
      Optional.  STRING.  A means by which to extend the purpose
      attribute.  See Section 5.1.1.

   status
      Optional.  ENUM.  The status attribute conveys the state in a
      workflow where the incident is currently found.  These values are
      maintained in the "Incident-status" IANA registry per Table 1.
      This attribute is defined as an enumerated list:

      1.  new.  The document is newly reported and has not been
          actioned.

      2.  in-progress.
          The contents of this document are under investigation.

      3.  forwarded.  The document has been forwarded to another party
          for handling.

      4.  resolved.  The investigation into the activity in this
          document has concluded.

      5.  future.  The .

      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-status
      Optional.  STRING.  A means by which to extend the status
      attribute.  See Section 5.1.1.

   xml:lang
      Optional.  ENUM.  A language identifier per Section 2.12 of
      [W3C.XML] whose values and form are described in [RFC5646].  The
      interpretation of this code is described in Section 6.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.3.  Common Attributes

   There are a number of recurring attributes used by the data model.
   They are documented in this section.

3.3.1.  restriction Attribute

   The restriction attribute indicates the disclosure guidelines to
   which the sender expects the recipient to adhere for the information
   represented in this class and its children.  This guideline provides
   no security since there are no specified technical means to ensure
   that the recipient of the document handles the information as the
   sender requested.

   The value of this attribute is logically inherited by the children of
   this class.  That is to say, the disclosure rules applied to this
   class also apply to its children.

   It is possible to set a granular disclosure policy, since all of the
   high-level classes (i.e., children of the Incident class) have a
   restriction attribute.
   Therefore, a child can override the guidelines of a parent class, be
   it to restrict or relax the disclosure rules (e.g., a child has a
   weaker policy than an ancestor; or an ancestor has a weak policy, and
   the children selectively apply more rigid controls).  The implicit
   value of the restriction attribute for a class that did not specify
   one can be found in the closest ancestor that did specify a value.

   This attribute is defined as an enumerated value with a default value
   of "private".  Note that the default value of the restriction
   attribute is only defined in the context of the Incident class.  In
   other classes where this attribute is used, no default is specified.

   These values are maintained in the "Restriction" IANA registry per
   Table 1.

   1.   public.  The information can be freely distributed without
        restriction.

   2.   partner.  The information may be shared within a closed
        community of peers, partners, or affected parties, but cannot be
        openly published.

   3.   need-to-know.  The information may be shared only within the
        organization with individuals that have a need to know.

   4.   private.  The information may not be shared.

   5.   default.  The information can be shared according to an
        information disclosure policy pre-arranged by the communicating
        parties.

   6.   white.  Same as 'public'.

   7.   green.  Same as 'partner'.

   8.   amber.  Same as 'need-to-know'.

   9.   red.  Same as 'private'.

   10.  ext-value.  An escape value used to extend this attribute.  See
        Section 5.1.1.

3.3.2.  observable-id Attribute

   Information included in an incident report may be an observable
   relevant to an indicator.  The observable-id attribute provides a
   unique identifier in the scope of the document for this observable.
   This identifier can then be used to reference the observable with an
   ObservableReference class to define an indicator in the IndicatorData
   class.

3.4.
IncidentID Class

   The IncidentID class represents an incident tracking number that is
   unique in the context of the CSIRT and identifies the activity
   characterized in an IODEF Document.  This identifier would serve as
   an index into the CSIRT incident handling system.  The combination of
   the name attribute and the string in the element content MUST be a
   globally unique identifier describing the activity.  Documents
   generated by a given CSIRT MUST NOT reuse the same value unless they
   are referencing the same incident.

   +------------------------+
   | IncidentID             |
   +------------------------+
   | STRING                 |
   |                        |
   | STRING name            |
   | STRING instance        |
   | ENUM restriction       |
   | STRING ext-restriction |
   +------------------------+

                     Figure 4: The IncidentID Class

   The IncidentID class has four attributes:

   name
      Required.  STRING.  An identifier describing the CSIRT that
      created the document.  In order to have a globally unique CSIRT
      name, the fully qualified domain name associated with the CSIRT
      MUST be used.

   instance
      Optional.  STRING.  An identifier referencing a subset of the
      named incident.

   restriction
      Optional.  ENUM.  See Section 3.3.1.  The default value is
      "public".

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.5.  AlternativeID Class

   The AlternativeID class lists the incident tracking numbers used by
   CSIRTs, other than the one generating the document, to refer to the
   identical activity described in the IODEF document.  A tracking
   number listed as an AlternativeID references the same incident
   detected by another CSIRT.  The incident tracking numbers of the
   CSIRT that generated the IODEF document must never be considered an
   AlternativeID.
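   The closest-ancestor rule of Section 3.3.1, the colour synonyms, and
   the Incident-only default of "private" are mechanical enough to
   implement, and a sender that relies on restriction to mark what may
   be forwarded needs exactly that logic before handing a report to a
   peer.  The following Python is an added example, not code from the
   draft or its schema: it computes the effective restriction of every
   element in an Incident and returns a copy with the subtrees the
   recipient is not cleared for removed.  "default" and ext-values set
   no level of their own here and are treated as inherited, which is the
   conservative reading.  The namespace URI and the sample Incident are
   constructed for illustration; the sample follows the classes of this
   section but is not taken from the draft.

```python
"""Resolve effective restriction values in an IODEF v2 Incident and drop
the subtrees a recipient is not cleared for.

Added example, not code from draft-ietf-mile-rfc5070-bis.  The namespace
URI and the sample Incident below are constructed for illustration.
"""
import copy
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"  # assumed namespace URI

# Least to most restrictive.  The colour names are the synonyms that the
# restriction attribute defines for the four base values.
LEVELS = ["public", "partner", "need-to-know", "private"]
SYNONYMS = {"white": "public", "green": "partner",
            "amber": "need-to-know", "red": "private"}


def canonical(value):
    """Base name for a restriction value, or None when the element sets
    none (absent, "default" or an ext-value) and must inherit."""
    value = SYNONYMS.get(value, value)
    return value if value in LEVELS else None


def effective_restriction(path):
    """Effective restriction of path[-1], where path runs from the Incident
    element down to the element of interest.  The closest ancestor that
    sets a value wins; the Incident-level default is "private"."""
    for elem in reversed(path):
        value = canonical(elem.get("restriction"))
        if value is not None:
            return value
    return "private"


def local(tag):
    """Strip the namespace from a Clark-notation tag."""
    return tag.rsplit("}", 1)[-1]


def summarize(incident):
    """[(path, effective restriction)] for every element, in document order."""
    rows = []

    def walk(path):
        rows.append(("/".join(local(e.tag) for e in path),
                     effective_restriction(path)))
        for child in path[-1]:
            walk(path + [child])

    walk([incident])
    return rows


def prune_for(incident, recipient_level):
    """Copy of incident without subtrees whose effective restriction is
    stricter than recipient_level; None if the Incident itself is."""
    allowed = LEVELS.index(recipient_level)
    if LEVELS.index(effective_restriction([incident])) > allowed:
        return None
    result = copy.deepcopy(incident)

    def walk(path):
        for child in list(path[-1]):
            if LEVELS.index(effective_restriction(path + [child])) > allowed:
                path[-1].remove(child)
            else:
                walk(path + [child])

    walk([result])
    return result


# Constructed sample: an Incident shared at "green", with one stricter
# Assessment and a nested personal Contact marked "red".
SAMPLE = """<Incident xmlns="%s" purpose="reporting" restriction="green">
  <IncidentID name="csirt.example.com">2015-0001</IncidentID>
  <ReportTime>2015-06-18T10:00:00Z</ReportTime>
  <Description>Phishing campaign against staff</Description>
  <Assessment restriction="amber"/>
  <Contact role="creator" type="organization">
    <ContactName>CSIRT Example</ContactName>
    <Contact role="irt" type="person" restriction="red">
      <ContactName>On-call analyst</ContactName>
    </Contact>
  </Contact>
</Incident>""" % IODEF_NS


def load_sample():
    return ET.fromstring(SAMPLE)


if __name__ == "__main__":
    inc = load_sample()
    for path, level in summarize(inc):
        print("%-32s %s" % (path, level))
    print(ET.tostring(prune_for(inc, "partner"), encoding="unicode"))
```

   Pruning can leave a class without children it is required to have
   (the sample's Incident keeps its Contact, but an Assessment stripped
   of all impact classes would no longer satisfy Section 3.14), so the
   result should be re-validated before it is sent.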
   +------------------------+
   | AlternativeID          |
   +------------------------+
   | ENUM restriction       |<>--{1..*}--[ IncidentID ]
   | STRING ext-restriction |
   +------------------------+

                    Figure 5: The AlternativeID Class

   The aggregate class that constitutes AlternativeID is:

   IncidentID
      One or more.  The incident tracking number of another CSIRT.

   The AlternativeID class has two attributes:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.6.  RelatedActivity Class

   The RelatedActivity class relates the information described in the
   rest of the IODEF document to previously observed incidents or
   activity, and allows attribution to a specific actor or campaign.

   +------------------------+
   | RelatedActivity        |
   +------------------------+
   | ENUM restriction       |<>--{0..*}--[ IncidentID ]
   | STRING ext-restriction |<>--{0..*}--[ URL ]
   |                        |<>--{0..*}--[ ThreatActor ]
   |                        |<>--{0..*}--[ Campaign ]
   |                        |<>--{0..1}--[ Confidence ]
   |                        |<>--{0..*}--[ Description ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                    Figure 6: RelatedActivity Class

   The aggregate classes that constitute RelatedActivity are:

   IncidentID
      One or more.  The incident tracking number of a related incident.

   URL
      One or more.  URL.  A URL to activity related to this incident.

   ThreatActor
      One or more.  The threat actor to whom the described activity is
      attributed.

   Campaign
      One or more.  The campaign of a given threat actor to whom the
      described activity is attributed.

   Confidence
      Zero or one.  An estimate of the confidence in attributing this
      RelatedActivity to the event described in the document.

   Description
      Zero or more.  ML_STRING.  A description of how these
      relationships were derived.

   AdditionalData
      Zero or more.
      A mechanism by which to extend the data model.

   RelatedActivity MUST have at least one instance of IncidentID, URL,
   ThreatActor, or Campaign.

   The RelatedActivity class has two attributes:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.7.  ThreatActor Class

   The ThreatActor class describes a given actor.

   +------------------------+
   | ThreatActor            |
   +------------------------+
   | ENUM restriction       |<>--{0..1}--[ ThreatActorID ]
   | STRING ext-restriction |<>--{0..*}--[ Description ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                      Figure 7: ThreatActor Class

   The aggregate classes that constitute ThreatActor are:

   ThreatActorID
      One or more.  STRING.  An identifier for the ThreatActor.

   Description
      One or more.  ML_STRING.  A description of the ThreatActor.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   ThreatActor MUST have at least one instance of a ThreatActorID or
   Description.

   The ThreatActor class has two attributes:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.8.  Campaign Class

   The Campaign class describes a campaign of attacks by a threat actor.

   +------------------------+
   | Campaign               |
   +------------------------+
   | ENUM restriction       |<>--{0..1}--[ CampaignID ]
   | STRING ext-restriction |<>--{0..*}--[ Description ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                        Figure 8: Campaign Class

   The aggregate classes that constitute Campaign are:

   CampaignID
      One or more.  STRING.  An identifier for the Campaign.

   Description
      One or more.  ML_STRING.  A description of the Campaign.
   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   Campaign MUST have at least one instance of a CampaignID or
   Description.

   The Campaign class has two attributes:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.9.  AdditionalData Class

   The AdditionalData class serves as an extension mechanism for
   information not otherwise represented in the data model.  For
   relatively simple information, atomic data types (e.g., integers,
   strings) are provided with a mechanism to annotate their meaning.
   The class can also be used to extend the data model (and the
   associated Schema) to support proprietary extensions by encapsulating
   entire XML documents conforming to another Schema.  A detailed
   discussion for extending the data model and the schema can be found
   in Section 5.

   Unlike XML, which is self-describing, atomic data must be documented
   to convey its meaning.  This information is described in the
   'meaning' attribute.  Since these descriptions are outside the scope
   of the specification, some additional coordination may be required to
   ensure that a recipient of a document using the AdditionalData
   classes can make sense of the custom extensions.

   +------------------------+
   | AdditionalData         |
   +------------------------+
   | ANY                    |
   |                        |
   | ENUM dtype             |
   | STRING ext-dtype       |
   | STRING meaning         |
   | STRING formatid        |
   | ENUM restriction       |
   | STRING ext-restriction |
   +------------------------+

                   Figure 9: The AdditionalData Class

   The AdditionalData class has six attributes:

   dtype
      Required.  ENUM.  The data type of the element content.  The
      permitted values for this attribute are shown below.  The default
      value is "string".
      These values are maintained in the "AdditionalData-dtype" IANA
      registry per Table 1.

      1.   boolean.  The element content is of type BOOLEAN.

      2.   byte.  The element content is of type BYTE.

      3.   bytes.  The element content is of type HEXBIN.

      4.   character.  The element content is of type CHARACTER.

      5.   date-time.  The element content is of type DATETIME.

      6.   ntpstamp.  Same as date-time.

      7.   integer.  The element content is of type INTEGER.

      8.   portlist.  The element content is of type PORTLIST.

      9.   real.  The element content is of type REAL.

      10.  string.  The element content is of type STRING.

      11.  file.  The element content is a base64 encoded binary file
           encoded as a BYTE[] type.

      12.  path.  The element content is a file-system path encoded as a
           STRING type.

      13.  frame.  The element content is a layer-2 frame encoded as a
           HEXBIN type.

      14.  packet.  The element content is a layer-3 packet encoded as a
           HEXBIN type.

      15.  ipv4-packet.  The element content is an IPv4 packet encoded
           as a HEXBIN type.

      16.  ipv6-packet.  The element content is an IPv6 packet encoded
           as a HEXBIN type.

      17.  url.  The element content is of type URL.

      18.  csv.  The element content is a comma-separated value (CSV)
           list per Section 2 of [RFC4180] encoded as a STRING type.

      19.  winreg.  The element content is a Windows registry key
           encoded as a STRING type.

      20.  xml.  The element content is XML.  See Section 5.

      21.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.1.

   ext-dtype
      Optional.  STRING.  A means by which to extend the dtype
      attribute.  See Section 5.1.1.

   meaning
      Optional.  STRING.  A free-form description of the element
      content.

   formatid
      Optional.  STRING.  An identifier referencing the format and
      semantics of the element content.

   restriction
      Optional.  ENUM.  See Section 3.3.1.
   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.10.  Contact Class

   The Contact class describes contact information for organizations and
   personnel involved in the incident.  This class allows for the naming
   of the involved party, specifying contact information for them, and
   identifying their role in the incident.

   People and organizations are treated interchangeably as contacts; one
   can be associated with the other using the recursive definition of
   the class (the Contact class is aggregated into the Contact class).
   The 'type' attribute disambiguates the type of contact information
   being provided.

   The inheriting definition of Contact provides a way to relate
   information without requiring the explicit use of identifiers in the
   classes or duplication of data.  A complete point of contact is
   derived by a particular traversal from the root Contact class to the
   leaf Contact class.  As such, multiple points of contact might be
   specified in a single instance of a Contact class.  Each child
   Contact class logically inherits contact information from its
   ancestors.

   +------------------------+
   | Contact                |
   +------------------------+
   | ENUM role              |<>--{0..*}--[ ContactName ]
   | STRING ext-role        |<>--{0..*}--[ ContactTitle ]
   | ENUM type              |<>--{0..*}--[ Description ]
   | STRING ext-type        |<>--{0..*}--[ RegistryHandle ]
   | ENUM restriction       |<>--{0..1}--[ PostalAddress ]
   | STRING ext-restriction |<>--{0..*}--[ Email ]
   |                        |<>--{0..*}--[ Telephone ]
   |                        |<>--{0..1}--[ Fax ]
   |                        |<>--{0..1}--[ Timezone ]
   |                        |<>--{0..*}--[ Contact ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                      Figure 10: The Contact Class

   The aggregate classes that constitute the Contact class are:

   ContactName
      Zero or more.  ML_STRING.  The name of the contact.
      The contact may either be an organization or a person.  The type
      attribute disambiguates the semantics.

   ContactTitle
      Zero or more.  ML_STRING.  The title for the individual named in
      the ContactName.

   Description
      Zero or more.  ML_STRING.  A free-form description of this
      contact.  In the case of a person, this is often the
      organizational title of the individual.

   RegistryHandle
      Zero or more.  A handle name into the registry of the contact.

   PostalAddress
      Zero or one.  The postal address of the contact.

   Email
      Zero or more.  The email address of the contact.

   Telephone
      Zero or more.  The telephone number of the contact.

   Fax
      Zero or one.  The facsimile telephone number of the contact.

   Timezone
      Zero or one.  TIMEZONE.  The timezone in which the contact resides
      formatted according to Section 2.9.

   Contact
      Zero or more.  A Contact instance contained within another Contact
      instance inherits the values of the parent(s).  This recursive
      definition can be used to group common data pertaining to multiple
      points of contact and is especially useful when listing multiple
      contacts at the same organization.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   At least one of the aggregate classes MUST be present in an instance
   of the Contact class.  This is not enforced in the IODEF schema as
   there is no simple way to accomplish it.

   The Contact class has six attributes:

   role
      Required.  ENUM.  Indicates the role the contact fulfills.  This
      attribute is defined as an enumerated list.  These values are
      maintained in the "Contact-role" IANA registry per Table 1.

      1.   creator.  The entity that generates the document.

      2.   reporter.  The entity that reported the information.

      3.   admin.  An administrative contact or business owner for an
           asset or organization.

      4.   tech.
           An entity responsible for the day-to-day management of
           technical issues for an asset or organization.

      5.   provider.  An external hosting provider for an asset.

      6.   zone.  An entity with authority over a DNS zone.

      7.   user.  An end-user of an asset or part of an organization.

      8.   billing.  An entity responsible for billing issues for an
           asset or organization.

      9.   legal.  An entity responsible for legal issues related to an
           asset or organization.

      10.  irt.  An entity responsible for handling security issues for
           an asset or organization.

      11.  abuse.  An entity responsible for handling abuse originating
           from an asset or organization.

      12.  cc.  An entity that is to be kept informed about the events
           related to an asset or organization.

      13.  cc-irt.  A CSIRT or information sharing organization
           coordinating activity related to an asset or organization.

      14.  leo.  A law enforcement organization supporting the
           investigation of activity affecting an asset or organization.

      15.  vendor.  The vendor that produces an asset.

      16.  vendor-support.  A vendor that provides services.

      17.  victim.  A victim in the incident.

      18.  victim-notified.  A victim in the incident who has been
           notified.

      19.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.1.

   ext-role
      Optional.  STRING.  A means by which to extend the role attribute.
      See Section 5.1.1.

   type
      Required.  ENUM.  Indicates the type of contact being described.
      This attribute is defined as an enumerated list.  These values are
      maintained in the "Contact-type" IANA registry per Table 1.

      1.  person.  The information for this contact references an
          individual.

      2.  organization.  The information for this contact references an
          organization.

      3.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-type
      Optional.  STRING.
      A means by which to extend the type attribute.  See Section 5.1.1.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.10.1.  RegistryHandle Class

   The RegistryHandle class represents a handle into an Internet
   registry or community-specific database.  The handle is specified in
   the element content and the type attribute specifies the database.

   +---------------------+
   | RegistryHandle      |
   +---------------------+
   | STRING              |
   |                     |
   | ENUM registry       |
   | STRING ext-registry |
   +---------------------+

                   Figure 11: The RegistryHandle Class

   The RegistryHandle class has two attributes:

   registry
      Required.  ENUM.  The database to which the handle belongs.  These
      values are maintained in the "RegistryHandle-registry" IANA
      registry per Table 1.  The possible values are:

      1.  internic.  Internet Network Information Center

      2.  apnic.  Asia Pacific Network Information Center

      3.  arin.  American Registry for Internet Numbers

      4.  lacnic.  Latin-American and Caribbean IP Address Registry

      5.  ripe.  Reseaux IP Europeens

      6.  afrinic.  African Internet Numbers Registry

      7.  local.  A database local to the CSIRT

      8.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-registry
      Optional.  STRING.  A means by which to extend the registry
      attribute.  See Section 5.1.1.

3.10.2.  PostalAddress Class

   The PostalAddress class specifies a postal address formatted
   according to the POSTAL data type (Section 2.11).

   +---------------------+
   | PostalAddress       |
   +---------------------+
   | POSTAL              |
   |                     |
   | STRING meaning      |
   | ENUM xml:lang       |
   +---------------------+

                   Figure 12: The PostalAddress Class

   The PostalAddress class has two attributes:

   meaning
      Optional.  STRING.
      A free-form description of the element content.

   xml:lang
      Optional.  ENUM.  A language identifier per Section 2.12 of
      [W3C.XML] whose values and form are described in [RFC5646].  The
      interpretation of this code is described in Section 6.

3.10.3.  Email Class

   The Email class specifies an email address formatted according to the
   EMAIL data type (Section 2.14).

   +--------------+
   | Email        |
   +--------------+
   | EMAIL        |
   |              |
   | ENUM meaning |
   +--------------+

                       Figure 13: The Email Class

   The Email class has one attribute:

   meaning
      Optional.  ENUM.  A free-form description of the element content.

3.10.4.  Telephone and Fax Classes

   The Telephone and Fax classes specify a voice or fax telephone number
   respectively, and are formatted according to the PHONE data type
   (Section 2.13).

   +--------------------+
   | {Telephone | Fax } |
   +--------------------+
   | PHONE              |
   |                    |
   | ENUM meaning       |
   +--------------------+

                Figure 14: The Telephone and Fax Classes

   The Telephone class has one attribute:

   meaning
      Optional.  ENUM.  A free-form description of the element content
      (e.g., hours of coverage for a given number).

3.11.  Time Classes

   The data model uses six different classes to represent a timestamp.
   Their definition is identical, but each has a distinct name to convey
   a difference in semantics.

   The element content of each class is a timestamp formatted according
   to the DATETIME data type (see Section 2.8).

   +-----------------+
   | StartTime       |
   | EndTime         |
   | ReportTime      |
   | DetectTime      |
   | GenerationTime  |
   | DateTime        |
   +-----------------+
   | DATETIME        |
   +-----------------+

                       Figure 15: The Time Classes

3.11.1.  StartTime Class

   The StartTime class represents the time the incident began.

3.11.2.
EndTime Class

   The EndTime class represents the time the incident ended.

3.11.3.  DetectTime Class

   The DetectTime class represents the time the first activity of the
   incident was detected.

3.11.4.  ReportTime Class

   The ReportTime class represents the time the incident was reported.

3.11.5.  GenerationTime Class

   The GenerationTime class represents the time when the IODEF document
   was produced.  This timestamp MUST be the time at which the IODEF
   document was generated.

3.11.6.  DateTime

   The DateTime class is a generic representation of a timestamp.  Infer
   its semantics from the parent class in which it is aggregated.

3.12.  Discovery Class

   The Discovery class describes how an incident was detected.

   +------------------------+
   | Discovery              |
   +------------------------+
   | ENUM source            |<>--{0..*}--[ Description ]
   | STRING ext-source      |<>--{0..*}--[ Contact ]
   | ENUM restriction       |<>--{0..*}--[ DetectionPattern ]
   | STRING ext-restriction |
   +------------------------+

                     Figure 16: The Discovery Class

   The Discovery class is composed of three aggregate classes.

   Description
      Zero or more.  ML_STRING.  A free-form text description of how
      this incident was detected.

   Contact
      Zero or more.  Contact information for the party that discovered
      the incident.

   DetectionPattern
      Zero or more.  Describes an application-specific configuration
      that detected the incident.

   The Discovery class has four attributes:

   source
      Optional.  ENUM.  Categorizes the techniques used to discover the
      incident.  These values are partially derived from Table 3-1 of
      [NIST800.61rev2].  These values are maintained in the "Discovery-
      source" IANA registry per Table 1.

      1.   nidps.  Network Intrusion Detection or Prevention system.

      2.   hips.  Host-based Intrusion Prevention system.

      3.   siem.
           Security Information and Event Management System.

      4.   av.  Antivirus or antispam software.

      5.   third-party-monitoring.  Contracted third-party monitoring
           service.

      6.   incident.  The activity was discovered while investigating an
           unrelated incident.

      7.   os-log.  Operating system logs.

      8.   application-log.  Application logs.

      9.   device-log.  Network device logs.

      10.  network-flow.  Network flow analysis.

      11.  passive-dns.  Passive DNS analysis.

      12.  investigation.  Manual investigation initiated based on
           notification of a new vulnerability or exploit.

      13.  audit.  Security audit.

      14.  internal-notification.  A party within the organization
           reported the activity.

      15.  external-notification.  A party outside of the organization
           reported the activity.

      16.  leo.  A law enforcement organization notified the victim
           organization.

      17.  partner.  A customer or business partner reported the
           activity to the victim organization.

      18.  actor.  The threat actor directly or indirectly reported this
           activity to the victim organization.

      19.  unknown.  Unknown detection approach.

      20.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.1.

   ext-source
      Optional.  STRING.  A means by which to extend the source
      attribute.  See Section 5.1.1.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.12.1.  DetectionPattern Class

   The DetectionPattern class describes a configuration or signature
   that can be used by an IDS/IPS, SIEM, anti-virus, end-point
   protection, network analysis, malware analysis, or host forensics
   tool to identify a particular phenomenon.
   This class requires the identification of the target application and
   allows the configuration to be described in either free-form or
   machine-readable form.

   +------------------------+
   | DetectionPattern       |
   +------------------------+
   | ENUM restriction       |<>----------[ Application ]
   | STRING ext-restriction |<>--{0..*}--[ Description ]
   |                        |<>--{0..*}--[ DetectionConfiguration ]
   +------------------------+

                  Figure 17: The DetectionPattern Class

   The DetectionPattern class is composed of three aggregate classes.

   Application
      One.  The application for which the DetectionConfiguration or
      Description is being provided.

   Description
      Zero or more.  ML_STRING.  A free-form text description of how to
      use the Application or provided DetectionConfiguration.

   DetectionConfiguration
      Zero or more.  STRING.  A machine-consumable configuration to find
      a pattern of activity.

   Either an instance of the Description or DetectionConfiguration class
   MUST be present.

   The DetectionPattern class has two attributes:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.13.  Method Class

   The Method class describes the tactics, techniques, or procedures
   used by the intruder in the incident.  This class consists of both a
   list of references describing the attack method and a free-form
   description.

   +------------------------+
   | Method                 |
   +------------------------+
   | ENUM restriction       |<>--{0..*}--[ Reference ]
   | STRING ext-restriction |<>--{0..*}--[ Description ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                       Figure 18: The Method Class

   The Method class is composed of three aggregate classes.

   enum:Reference
      Zero or more.
A reference to a vulnerability, malware sample, 1704 advisory, or analysis of an attack technique. 1706 Description 1707 Zero or more. ML_STRING. A free-form text description of 1708 techniques, tactics, or procedures used by the intruder. 1710 AdditionalData 1711 Zero or more. A mechanism by which to extend the data model. 1713 Either an instance of the Reference or Description class MUST be 1714 present. 1716 The Method class has two attributes: 1718 restriction 1719 Optional. ENUM. See Section 3.3.1. 1721 ext-restriction 1722 Optional. STRING. A means by which to extend the restriction 1723 attribute. See Section 5.1.1. 1725 3.13.1. Reference Class 1727 The Reference class is an external reference to relevant information 1728 such a vulnerability, IDS alert, malware sample, advisory, or attack 1729 technique. A reference consists of a name, a URL to this reference, 1730 and an optional description. 1732 +-------------------------+ 1733 | Reference | 1734 +-------------------------+ 1735 | ID observable-id |<>--{0..1}--[ enum:ReferenceName ] 1736 | |<>--{0..*}--[ URL ] 1737 | |<>--{0..*}--[ Description ] 1738 +-------------------------+ 1740 Figure 19: The Reference Class 1742 The aggregate classes that constitute Reference: 1744 ReferenceName 1745 Zero or one. Reference identifier per [RFC-ENUM]. 1747 URL 1748 Zero or more. URL. A URL associated with the reference. 1750 Description 1751 Zero or more. ML_STRING. A free-form text description of this 1752 reference. 1754 At least one of these classes MUST be present. 1756 The Reference class has one attribute. 1758 observable-id 1759 Optional. ID. See Section 3.3.2. 1761 3.14. Assessment Class 1763 The Assessment class describes the repercussions of the incident to 1764 the victim. 
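   The DetectionPattern, Method, and Reference classes above each carry
   an "at least one of" rule that the XML Schema in this document cannot
   express, so a consumer has to check it in code.  The following is an
   added example written for this page, not code from the draft or from
   any IODEF implementation.  It assumes unqualified element names (a
   namespace prefix, if present, is stripped before matching) and uses
   constructed sample content; the Application content is a placeholder
   for the Application class defined elsewhere in the draft.

```python
import xml.etree.ElementTree as ET

# Co-occurrence rules from Sections 3.12.1, 3.13 and 3.13.1: each class maps
# to the child classes of which at least one MUST be present.  XML Schema
# alone cannot express "either A or B", so the rule is checked here.
AT_LEAST_ONE_OF = {
    "DetectionPattern": {"Description", "DetectionConfiguration"},
    "Method": {"Reference", "Description"},
    "Reference": {"ReferenceName", "URL", "Description"},
}


def local_name(elem):
    """Strip a namespace prefix ('{uri}Tag' -> 'Tag') so qualified and unqualified documents both match."""
    return elem.tag.split("}")[-1]


def check_at_least_one(root):
    """Walk the tree and return [(class_name, path)] for every element that violates a rule.

    Paths are XPath-like with 1-based sibling indices so a report can point at
    the exact offending element."""
    violations = []

    def walk(elem, path):
        tag = local_name(elem)
        required = AT_LEAST_ONE_OF.get(tag)
        if required is not None:
            present = {local_name(c) for c in elem}
            if not (present & required):
                violations.append((tag, path))
        seen = {}
        for child in elem:
            ctag = local_name(child)
            seen[ctag] = seen.get(ctag, 0) + 1
            walk(child, f"{path}/{ctag}[{seen[ctag]}]")

    walk(root, "/" + local_name(root))
    return violations


def check_document(xml_text):
    """Parse an IODEF fragment and return its co-occurrence violations."""
    return check_at_least_one(ET.fromstring(xml_text))


# Constructed sample (not from the draft): one well-formed and one defective
# instance each of DetectionPattern and Method.  "example-av" is a placeholder.
SAMPLE = """<Incident>
  <Discovery source="av">
    <DetectionPattern>
      <Application>example-av</Application>
      <DetectionConfiguration>signature-id: 1000001</DetectionConfiguration>
    </DetectionPattern>
    <DetectionPattern restriction="private">
      <Application>example-av</Application>
    </DetectionPattern>
  </Discovery>
  <Method>
    <Reference>
      <URL>https://advisory.example/2015-0001</URL>
    </Reference>
  </Method>
  <Method restriction="private"/>
</Incident>
"""

if __name__ == "__main__":
    for cls, path in check_document(SAMPLE):
        print(f"{cls} at {path}: at least one of {sorted(AT_LEAST_ONE_OF[cls])} MUST be present")
```

   Running the module reports the second DetectionPattern (no Description
   and no DetectionConfiguration) and the second Method (no Reference and
   no Description); the same table-driven walk can be extended with the
   other MUST rules in this section.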
   +-------------------------+
   |       Assessment        |
   +-------------------------+
   | ENUM occurrence         |<>--{0..*}--[ IncidentCategory ]
   | ENUM restriction        |<>--{0..*}--[ SystemImpact ]
   | STRING ext-restriction  |<>--{0..*}--[ BusinessImpact ]
   | ID observable-id        |<>--{0..*}--[ TimeImpact ]
   |                         |<>--{0..*}--[ MonetaryImpact ]
   |                         |<>--{0..*}--[ IntendedImpact ]
   |                         |<>--{0..*}--[ Counter ]
   |                         |<>--{0..*}--[ MitigatingFactor ]
   |                         |<>--{0..1}--[ Confidence ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                      Figure 20: Assessment Class

   The aggregate classes that constitute Assessment are:

   IncidentCategory
      Zero or more.  ML_STRING.  A free-form text description
      categorizing the type of Incident.

   SystemImpact
      Zero or more.  Technical characterization of the impact of the
      activity on the victim's enterprise.

   BusinessImpact
      Zero or more.  Impact of the activity on the business functions of
      the victim organization.

   TimeImpact
      Zero or more.  Impact of the activity measured with respect to
      time.

   MonetaryImpact
      Zero or more.  Impact of the activity measured with respect to
      financial loss.

   IntendedImpact
      Zero or more.  Intended impact to the victim by the attacker.
      Identically defined as Section 3.14.2 but describes intent rather
      than the realized impact.

   Counter
      Zero or more.  A counter with which to summarize the magnitude of
      the activity.

   MitigatingFactor
      Zero or one.  ML_STRING.  A description of a mitigating factor to
      an impact.

   Confidence
      Zero or one.  An estimate of confidence in the assessment.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   At least one instance of the possible three impact classes (i.e.,
   Impact, TimeImpact, or MonetaryImpact) MUST be present.

   The Assessment class has four attributes:

   occurrence
      Optional.  ENUM.  Specifies whether the assessment is describing
      actual or potential outcomes.

      1.  actual.  This assessment describes activity that has occurred.

      2.  potential.  This assessment describes potential activity that
          might occur.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.14.1.  SystemImpact Class

   The SystemImpact class describes the technical impact of the incident
   to the systems on the network.

   This class is based on [RFC4765].

   +-----------------------+
   |     SystemImpact      |
   +-----------------------+
   | ML_STRING             |
   |                       |
   | ENUM xml:lang         |
   | STRING translation-id |
   | ENUM severity         |
   | ENUM completion       |
   | ENUM type             |
   | STRING ext-type       |
   +-----------------------+

                     Figure 21: SystemImpact Class

   The element content will be a free-form textual description of the
   impact.

   The SystemImpact class has six attributes:

   xml:lang
      Optional.  ENUM.  A language identifier.  See Section 6.

   translation-id
      Optional.  STRING.  An identifier to relate other instances of
      this class as translations of this text.  See Section 6.

   severity
      Optional.  ENUM.  An estimate of the relative severity of the
      activity.  The permitted values are shown below.  There is no
      default value.

      1.  low.  Low severity

      2.  medium.  Medium severity

      3.  high.  High severity

   completion
      Optional.  ENUM.  An indication whether the described activity was
      successful.  The permitted values are shown below.  There is no
      default value.

      1.  failed.  The attempted activity was not successful.

      2.  succeeded.  The attempted activity succeeded.

   type
      Required.  ENUM.  Classifies the impact.  The permitted values are
      shown below.
      The default value is "unknown".  These values are maintained in
      the "SystemImpact-type" IANA registry per Table 1.

      1.  takeover-account.  Control was taken of a given account
          (e.g., a social media account).

      2.  takeover-service.  Control was taken of a given service.

      3.  takeover-system.  Control was taken of a given system.

      4.  cps-manipulation.  A cyber-physical system was manipulated.

      5.  cps-damage.  A cyber-physical system was damaged.

      6.  availability-data.  Access to particular data was degraded or
          denied.

      7.  availability-account.  Access to an account was degraded or
          denied.

      8.  availability-service.  Access to a service was degraded or
          denied.

      9.  availability-system.  Access to a system was degraded or
          denied.

      10.  damaged-system.  Hardware on a system was irreparably
           damaged.

      11.  damaged-data.  Data on a system was deleted.

      12.  breach-proprietary.  Sensitive or proprietary information was
           accessed or exfiltrated.

      13.  breach-privacy.  Personally identifiable information was
           accessed or exfiltrated.

      14.  breach-credential.  Credential information was accessed or
           exfiltrated.

      15.  breach-configuration.  System configuration or data inventory
           was accessed or exfiltrated.

      16.  integrity-data.  Data on the system was modified.

      17.  integrity-configuration.  Application or system configuration
           was modified.

      18.  integrity-hardware.  Firmware of a hardware component was
           modified.

      19.  traffic-redirection.  Network traffic on the system was
           redirected.

      20.  monitoring-traffic.  Network traffic emerging from a host was
           monitored.

      21.  monitoring-host.  System activity (e.g., running processes,
           keystrokes) was monitored.

      22.  policy.  Activity violated the system owner's acceptable use
           policy.

      23.  unknown.  The impact is unknown.

      24.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.1.

3.14.2.  BusinessImpact Class

   The BusinessImpact class describes and characterizes the degree to
   which the function of the organization was impacted by the Incident.

   The element body describes the impact to the organization as a free-
   form text string.  The two attributes characterize the impact.

   +-------------------------+
   |     BusinessImpact      |
   +-------------------------+
   | ML_STRING               |
   |                         |
   | ENUM xml:lang           |
   | STRING translation-id   |
   | ENUM severity           |
   | STRING ext-severity     |
   | ENUM type               |
   | STRING ext-type         |
   +-------------------------+

                    Figure 22: BusinessImpact Class

   The element content will be a free-form textual description of the
   impact to the organization.

   The BusinessImpact class has four attributes:

   xml:lang
      Optional.  ENUM.  A language identifier.  See Section 6.

   translation-id
      Optional.  STRING.  An identifier to relate other instances of
      this class as translations of this text.  See Section 6.

   severity
      Optional.  ENUM.  Characterizes the severity of the incident on
      business functions.  The permitted values are shown below.  They
      were derived from Table 3-2 of [NIST800.61rev2].  The default
      value is "unknown".  These values are maintained in the
      "BusinessImpact-severity" IANA registry per Table 1.

      1.  none.  No effect to the organization's ability to provide all
          services to all users.

      2.  low.  Minimal effect as the organization can still provide all
          critical services to all users but has lost efficiency.

      3.  medium.  The organization has lost the ability to provide a
          critical service to a subset of system users.

      4.  high.  The organization is no longer able to provide some
          critical services to any users.

      5.  unknown.  The impact is not known.

      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-severity
      Optional.  STRING.  A means by which to extend the severity
      attribute.  See Section 5.1.1.

   type
      Required.  ENUM.  Characterizes the effect this incident had on
      the business.  The permitted values are shown below.  There is no
      default value.  These values are maintained in the
      "BusinessImpact-type" IANA registry per Table 1.

      1.  breach-proprietary.  Sensitive or proprietary information was
          accessed or exfiltrated.

      2.  breach-privacy.  Personally identifiable information was
          accessed or exfiltrated.

      3.  breach-credential.  Credential information was accessed or
          exfiltrated.

      4.  loss-of-integrity.  Sensitive or proprietary information was
          changed or deleted.

      5.  loss-of-service.  Service delivery was disrupted.

      6.  theft-financial.  Money was stolen.

      7.  theft-service.  Services were misappropriated.

      8.  degraded-reputation.  The reputation of the organization's
          brand was diminished.

      9.  asset-damage.  A cyber-physical system was damaged.

      10.  asset-manipulation.  A cyber-physical system was manipulated.

      11.  legal.  The incident resulted in legal or regulatory action.

      12.  extortion.  The incident resulted in actors extorting the
           victim organization.

      13.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.1.

3.14.3.  TimeImpact Class

   The TimeImpact class describes the impact of the incident on an
   organization as a function of time.  It provides a way to convey
   downtime and recovery time.
   +---------------------+
   |     TimeImpact      |
   +---------------------+
   | REAL                |
   |                     |
   | ENUM severity       |
   | ENUM metric         |
   | STRING ext-metric   |
   | ENUM duration       |
   | STRING ext-duration |
   +---------------------+

                      Figure 23: TimeImpact Class

   The element content is a positive, floating point (REAL) number
   specifying a unit of time.  The duration and metric attributes will
   imply the semantics of the element content.

   The TimeImpact class has five attributes:

   severity
      Optional.  ENUM.  An estimate of the relative severity of the
      activity.  The permitted values are shown below.  There is no
      default value.

      1.  low.  Low severity

      2.  medium.  Medium severity

      3.  high.  High severity

   metric
      Required.  ENUM.  Defines the metric in which the time is
      expressed.  The permitted values are shown below.  There is no
      default value.  These values are maintained in the "TimeImpact-
      metric" IANA registry per Table 1.

      1.  labor.  Total staff-time to recover from the activity (e.g.,
          2 employees working 4 hours each would be 8 hours).

      2.  elapsed.  Elapsed time from the beginning of the recovery to
          its completion (i.e., wall-clock time).

      3.  downtime.  Duration of time for which some provided service(s)
          was not available.

      4.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-metric
      Optional.  STRING.  A means by which to extend the metric
      attribute.  See Section 5.1.1.

   duration
      Optional.  ENUM.  Defines a unit of time that, when combined with
      the metric attribute, fully describes a metric of impact that will
      be conveyed in the element content.  The permitted values are
      shown below.  The default value is "hour".  These values are
      maintained in the "TimeImpact-duration" IANA registry per Table 1.

      1.  second.  The unit of the element content is seconds.

      2.  minute.  The unit of the element content is minutes.

      3.  hour.  The unit of the element content is hours.

      4.  day.  The unit of the element content is days.

      5.  month.  The unit of the element content is months.

      6.  quarter.  The unit of the element content is quarters.

      7.  year.  The unit of the element content is years.

      8.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-duration
      Optional.  STRING.  A means by which to extend the duration
      attribute.  See Section 5.1.1.

3.14.4.  MonetaryImpact Class

   The MonetaryImpact class describes the financial impact of the
   activity on an organization.  For example, this impact may consider
   losses due to the cost of the investigation or recovery, diminished
   productivity of the staff, or a tarnished reputation that will affect
   future opportunities.

   +------------------+
   |  MonetaryImpact  |
   +------------------+
   | REAL             |
   |                  |
   | ENUM severity    |
   | STRING currency  |
   +------------------+

                    Figure 24: MonetaryImpact Class

   The element content is a positive, floating point number (REAL)
   specifying a unit of currency described in the currency attribute.

   The MonetaryImpact class has two attributes:

   severity
      Optional.  ENUM.  An estimate of the relative severity of the
      activity.  The permitted values are shown below.  There is no
      default value.

      1.  low.  Low severity

      2.  medium.  Medium severity

      3.  high.  High severity

   currency
      Optional.  STRING.  Defines the currency in which the monetary
      impact is expressed.  The permitted values are defined in "Codes
      for the representation of currencies and funds" of [ISO4217].
      There is no default value.

3.14.5.  Confidence Class

   The Confidence class represents a best estimate of the validity and
   accuracy of the described impact (see Section 3.14) of the incident
   activity.
   This estimate can be expressed as a category or a numeric
   calculation.

   This class is based upon [RFC4765].

   +------------------+
   |    Confidence    |
   +------------------+
   | REAL             |
   |                  |
   | ENUM rating      |
   +------------------+

                      Figure 25: Confidence Class

   The element content expresses a numerical assessment in the
   confidence of the data when the value of the rating attribute is
   "numeric".  Otherwise, this element MUST be empty.

   The Confidence class has one attribute.

   rating
      Required.  ENUM.  A rating of the analytical validity of the
      specified Assessment.  The permitted values are shown below.
      There is no default value.

      1.  low.  Low confidence in the validity.

      2.  medium.  Medium confidence in the validity.

      3.  high.  High confidence in the validity.

      4.  numeric.  The element content contains a number that conveys
          the confidence of the data.  The semantics of this number are
          outside the scope of this specification.

      5.  unknown.  The confidence rating value is not known.

3.15.  History Class

   The History class is a log of the significant events or actions
   performed by the involved parties during the course of handling the
   incident.

   The level of detail maintained in this log is left up to the
   discretion of those handling the incident.

   +------------------------+
   |        History         |
   +------------------------+
   | ENUM restriction       |<>--{1..*}--[ HistoryItem ]
   | STRING ext-restriction |
   +------------------------+

                     Figure 26: The History Class

   The class that constitutes History is:

   HistoryItem
      One or many.  Entry in the history log of significant events or
      actions performed by the involved parties.

   The History class has two attributes:

   restriction
      Optional.  ENUM.  See Section 3.3.1.  The default value is
      "default".

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.15.1.  HistoryItem Class

   The HistoryItem class is an entry in the History (Section 3.15) log
   that documents a particular action or event that occurred in the
   course of handling the incident.  The details of the entry are a
   free-form description, but each can be categorized with the type
   attribute.

   +-------------------------+
   |       HistoryItem       |
   +-------------------------+
   | ENUM restriction        |<>----------[ DateTime ]
   | STRING ext-restriction  |<>--{0..1}--[ IncidentId ]
   | ENUM action             |<>--{0..1}--[ Contact ]
   | STRING ext-action       |<>--{0..*}--[ Description ]
   | ID observable-id        |<>--{0..*}--[ DefinedCOA ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                     Figure 27: HistoryItem Class

   The aggregate classes that constitute HistoryItem are:

   DateTime
      One.  Timestamp of this entry in the history log (e.g., when the
      action described in the Description was taken).

   IncidentID
      Zero or one.  In a history log created by multiple parties, the
      IncidentID provides a mechanism to specify which CSIRT created a
      particular entry and references this organization's incident
      tracking number.  When a single organization is maintaining the
      log, this class can be ignored.

   Contact
      Zero or one.  Provides contact information for the person that
      performed the action documented in this class.

   Description
      Zero or more.  ML_STRING.  A free-form textual description of the
      action or event.

   DefinedCOA
      Zero or more.  ML_STRING.  A unique identifier meaningful to the
      sender and recipient of this document that references a course of
      action.  This class MUST be present if the action attribute is set
      to "defined-coa".

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.
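   The impact classes of Section 3.14 carry several rules a consumer has
   to apply itself: an Assessment MUST contain at least one impact
   class, a TimeImpact value is only meaningful together with its metric
   and duration attributes (with "hour" as the default duration), and
   Confidence content MUST be empty unless rating is "numeric".  The
   following is an added example written for this page, not code from
   the draft or from any IODEF implementation.  It assumes unqualified
   element names and a fixed calendar (30-day month, 3-month quarter,
   365-day year) for normalising durations, which the draft does not
   specify; the sample Assessment is constructed.

```python
import xml.etree.ElementTree as ET

# Seconds per TimeImpact "duration" unit (Section 3.14.3).  The draft does
# not fix the length of a month, quarter or year; the calendar values below
# (30-day month, 90-day quarter, 365-day year) are this example's assumption.
SECONDS_PER = {
    "second": 1, "minute": 60, "hour": 3600, "day": 86400,
    "month": 30 * 86400, "quarter": 90 * 86400, "year": 365 * 86400,
}
DEFAULT_DURATION = "hour"   # default stated in Section 3.14.3

IMPACT_CLASSES = ("SystemImpact", "BusinessImpact", "TimeImpact", "MonetaryImpact")


def local_name(elem):
    """Strip a namespace prefix so qualified and unqualified documents both match."""
    return elem.tag.split("}")[-1]


def time_impact_hours(elem):
    """Return (metric, hours) for a TimeImpact element, normalising its duration unit."""
    metric = elem.get("metric")
    if metric is None:
        raise ValueError("TimeImpact: metric attribute is required")
    duration = elem.get("duration", DEFAULT_DURATION)
    if duration not in SECONDS_PER:
        raise ValueError(f"TimeImpact: unsupported duration {duration!r}")
    value = float((elem.text or "").strip())
    if value <= 0:
        raise ValueError("TimeImpact: element content must be a positive REAL")
    return metric, value * SECONDS_PER[duration] / 3600


def confidence_value(elem):
    """Return (rating, number or None); content MUST be empty unless rating is 'numeric'."""
    rating = elem.get("rating")
    text = (elem.text or "").strip()
    if rating == "numeric":
        if not text:
            raise ValueError("Confidence: rating='numeric' requires element content")
        return rating, float(text)
    if text:
        raise ValueError("Confidence: content MUST be empty unless rating is 'numeric'")
    return rating, None


def summarize_assessment(xml_text):
    """Apply the Section 3.14 rules to one Assessment element and return a summary dict."""
    root = ET.fromstring(xml_text)
    if not any(local_name(c) in IMPACT_CLASSES for c in root):
        raise ValueError("Assessment: at least one impact class MUST be present")
    summary = {"occurrence": root.get("occurrence"), "hours_by_metric": {},
               "monetary": [], "confidence": None, "system_impact_types": []}
    for child in root:
        tag = local_name(child)
        if tag == "TimeImpact":
            metric, hours = time_impact_hours(child)
            summary["hours_by_metric"][metric] = summary["hours_by_metric"].get(metric, 0.0) + hours
        elif tag == "MonetaryImpact":
            summary["monetary"].append((float((child.text or "").strip()), child.get("currency")))
        elif tag == "Confidence":
            summary["confidence"] = confidence_value(child)
        elif tag == "SystemImpact":
            summary["system_impact_types"].append(child.get("type"))
    return summary


def is_valid_assessment(xml_text):
    """True when the Assessment satisfies the rules checked by summarize_assessment()."""
    try:
        summarize_assessment(xml_text)
        return True
    except ValueError:
        return False


# Constructed sample (not from the draft): labor is reported twice in
# different units and must be summed after normalisation.
SAMPLE = """<Assessment occurrence="actual">
  <SystemImpact type="takeover-system" severity="high" completion="succeeded">Mail relay fully compromised</SystemImpact>
  <TimeImpact metric="labor">8</TimeImpact>
  <TimeImpact metric="labor" duration="day">2</TimeImpact>
  <TimeImpact metric="downtime" duration="minute">90</TimeImpact>
  <MonetaryImpact severity="medium" currency="USD">12000.50</MonetaryImpact>
  <Confidence rating="numeric">0.8</Confidence>
</Assessment>
"""

if __name__ == "__main__":
    print(summarize_assessment(SAMPLE))
```

   For the sample the two labor entries (8 hours and 2 days) normalise
   to 56 labor hours and the downtime to 1.5 hours; an Assessment with
   no impact class, or a categorical Confidence that still carries
   content, is rejected.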
   The HistoryItem class has five attributes:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   action
      Required.  ENUM.  Classifies a performed action or occurrence
      documented in this history log entry.  As activity will likely
      have been instigated either through a previously conveyed
      expectation or internal investigation, this attribute is identical
      to the action attribute of the Expectation class.  The difference
      is only one of tense.  When an action is in this class, it has
      been completed.  See Section 3.17.

   ext-action
      Optional.  STRING.  A means by which to extend the action
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.16.  EventData Class

   The EventData class describes a particular event of the incident for
   a given set of hosts or networks.  This description includes the
   systems from which the activity originated and those targeted, an
   assessment of the techniques used by the intruder, the impact of the
   activity on the organization, and any forensic evidence discovered.
   +-------------------------+
   |        EventData        |
   +-------------------------+
   | ENUM restriction        |<>--{0..*}--[ Description ]
   | STRING ext-restriction  |<>--{0..1}--[ DetectTime ]
   | ID observable-id        |<>--{0..1}--[ StartTime ]
   |                         |<>--{0..1}--[ EndTime ]
   |                         |<>--{0..1}--[ RecoveryTime ]
   |                         |<>--{0..1}--[ ReportTime ]
   |                         |<>--{0..*}--[ Contact ]
   |                         |<>--{0..*}--[ Discovery ]
   |                         |<>--{0..1}--[ Assessment ]
   |                         |<>--{0..*}--[ Method ]
   |                         |<>--{0..*}--[ Flow ]
   |                         |<>--{0..*}--[ Expectation ]
   |                         |<>--{0..1}--[ Record ]
   |                         |<>--{0..*}--[ EventData ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                    Figure 28: The EventData Class

   The aggregate classes that constitute EventData are:

   Description
      Zero or more.  ML_STRING.  A free-form textual description of the
      event.

   DetectTime
      Zero or one.  The time the event was detected.

   StartTime
      Zero or one.  The time the event started.

   EndTime
      Zero or one.  The time the event ended.

   RecoveryTime
      Zero or one.  The time the site recovered from the event.

   ReportTime
      One.  The time the event was reported.

   Contact
      Zero or more.  Contact information for the parties involved in the
      event.

   Discovery
      Zero or more.  The means by which the event was detected.

   Assessment
      Zero or one.  The impact of the event on the target and the
      actions taken.

   Method
      Zero or more.  The technique used by the intruder in the event.

   Flow
      Zero or more.  A description of the systems or networks involved.

   Expectation
      Zero or more.  The expected action to be performed by the
      recipient for the described event.

   Record
      Zero or one.  Supportive data (e.g., log files) that provides
      additional information about the event.

   EventData
      Zero or more.  EventData instances contained within another
      EventData instance inherit the values of the parent(s); this
      recursive definition can be used to group common data pertaining
      to multiple events.  When EventData elements are defined
      recursively, only the leaf instances (those EventData instances
      not containing other EventData instances) represent actual events.

   AdditionalData
      Zero or more.  An extension mechanism for data not explicitly
      represented in the data model.

   At least one of the aggregate classes MUST be present in an instance
   of the EventData class.  This is not enforced in the IODEF schema as
   there is no simple way to accomplish it.

   The EventData class has three attributes:

   restriction
      Optional.  ENUM.  See Section 3.3.1.  The default value is
      "default".

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.16.1.  Relating the Incident and EventData Classes

   There is substantial overlap in the Incident and EventData classes.
   Nevertheless, the semantics of these classes are quite different.
   The Incident class provides summary information about the entire
   incident, while the EventData class provides information about the
   individual events comprising the incident.  In the most common case,
   the EventData class will provide more specific information for the
   general description provided in the Incident class.  However, it may
   also be possible that the overall summarized information about the
   incident conflicts with some individual information in an EventData
   class when there is a substantial composition of various events in
   the incident.  In such a case, the interpretation of the more
   specific EventData MUST supersede the more generic information
   provided in Incident.

3.16.2.  Cardinality of EventData

   The EventData class can be thought of as a container for the
   properties of an event in an incident.  These properties include: the
   hosts involved, impact of the incident activity on the hosts,
   forensic logs, etc.  With an instance of the EventData class, hosts
   (i.e., System class) are grouped around these common properties.

   The recursive definition (or instance property inheritance) of the
   EventData class (the EventData class is aggregated into the EventData
   class) provides a way to relate information without requiring the
   explicit use of unique attribute identifiers in the classes or
   duplicating information.  Instead, the relative depth (nesting) of a
   class is used to group (relate) information.

   For example, an EventData class might be used to describe two
   machines involved in an incident.  This description can be achieved
   using multiple instances of the Flow class.  It happens that there is
   a common technical contact (i.e., Contact class) for these two
   machines, but the impact (i.e., Assessment class) on them is
   different.  A depiction of the representation for this situation can
   be found in Figure 29.

   +------------------+
   |    EventData     |
   +------------------+
   |                  |<>----[ Contact ]
   |                  |
   |                  |<>----[ EventData ]<>----[ Flow ]
   |                  |      [           ]<>----[ Assessment ]
   |                  |
   |                  |<>----[ EventData ]<>----[ Flow ]
   |                  |      [           ]<>----[ Assessment ]
   +------------------+

               Figure 29: Recursion in the EventData Class

3.17.  Expectation Class

   The Expectation class conveys to the recipient of the IODEF document
   the actions the sender is requesting.  The scope of the requested
   action is limited to the purview of the EventData class in which this
   class is aggregated.
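   A consumer of the recursive EventData structure in Section 3.16.2
   above has to walk the nesting, carry the parent's values down to each
   leaf, and treat only the leaves as actual events.  The following is
   an added example written for this page, not code from the draft or
   from any IODEF implementation.  It assumes unqualified element names,
   and it reads "inherit the values of the parent(s)" as: a child class
   with cardinality {0..1} in Figure 28 is replaced by the innermost
   instance, while every other child class accumulates along the path;
   the draft does not spell out that precedence.  The sample document is
   constructed to mirror Figure 29 and uses addresses from the
   192.0.2.0/24 documentation range.

```python
import xml.etree.ElementTree as ET

# EventData children that Figure 28 gives cardinality {0..1}.  When a nested
# EventData supplies its own instance it replaces the inherited one; every
# other child class ({0..*}) accumulates.  This precedence is this example's
# reading of "inherit the values of the parent(s)" in Section 3.16.
SINGLE_VALUED = {"DetectTime", "StartTime", "EndTime", "RecoveryTime",
                 "ReportTime", "Assessment", "Record"}


def local_name(elem):
    """Strip a namespace prefix so qualified and unqualified documents both match."""
    return elem.tag.split("}")[-1]


def flatten_events(event_data, inherited=None):
    """Return the leaf events under an EventData element.

    Each leaf is a dict {class_name: [elements]} holding the leaf's own
    children merged with those inherited from every enclosing EventData."""
    if len(event_data) == 0:
        raise ValueError("EventData: at least one aggregate class MUST be present")
    props = {k: list(v) for k, v in (inherited or {}).items()}   # copy per branch
    nested = []
    for child in event_data:
        tag = local_name(child)
        if tag == "EventData":
            nested.append(child)
        elif tag in SINGLE_VALUED:
            props[tag] = [child]            # innermost instance wins
        else:
            props.setdefault(tag, []).append(child)
    if not nested:
        return [props]                      # a leaf: this is an actual event
    leaves = []
    for sub in nested:
        leaves.extend(flatten_events(sub, props))
    return leaves


def describe_leaves(xml_text):
    """Parse an EventData tree and summarise each leaf event as plain values."""
    root = ET.fromstring(xml_text)
    out = []
    for ev in flatten_events(root):
        out.append({
            "contacts": [c.findtext("ContactName") for c in ev.get("Contact", [])],
            "addresses": [a.text for f in ev.get("Flow", []) for a in f.iter("Address")],
            "impacts": [s.get("type") for a in ev.get("Assessment", []) for s in a.iter("SystemImpact")],
        })
    return out


def has_required_child(xml_text):
    """True when every EventData in the tree carries at least one aggregate class."""
    try:
        flatten_events(ET.fromstring(xml_text))
        return True
    except ValueError:
        return False


# Constructed sample mirroring Figure 29: one shared technical contact and
# two machines (documentation addresses) with different impacts.
SAMPLE = """<EventData>
  <Contact role="tech" type="person">
    <ContactName>Example SOC</ContactName>
  </Contact>
  <EventData>
    <Flow>
      <System category="target">
        <Node><Address category="ipv4-addr">192.0.2.10</Address></Node>
      </System>
    </Flow>
    <Assessment>
      <SystemImpact type="takeover-system">Host fully compromised</SystemImpact>
    </Assessment>
  </EventData>
  <EventData>
    <Flow>
      <System category="target">
        <Node><Address category="ipv4-addr">192.0.2.11</Address></Node>
      </System>
    </Flow>
    <Assessment>
      <SystemImpact type="availability-service">Service degraded</SystemImpact>
    </Assessment>
  </EventData>
</EventData>
"""

if __name__ == "__main__":
    for event in describe_leaves(SAMPLE):
        print(event)
```

   Both leaf events come out with the inherited "Example SOC" contact but
   their own address and impact, and the outer EventData, which holds
   only grouping data, is not reported as an event of its own.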
   +-------------------------+
   |       Expectation       |
   +-------------------------+
   | ENUM restriction        |<>--{0..*}--[ Description ]
   | STRING ext-restriction  |<>--{0..*}--[ DefinedCOA ]
   | ENUM severity           |<>--{0..1}--[ StartTime ]
   | ENUM action             |<>--{0..1}--[ EndTime ]
   | STRING ext-action       |<>--{0..1}--[ Contact ]
   | ID observable-id        |
   |                         |
   +-------------------------+

                   Figure 30: The Expectation Class

   The aggregate classes that constitute Expectation are:

   Description
      Zero or more.  ML_STRING.  A free-form description of the desired
      action(s).

   DefinedCOA
      Zero or more.  ML_STRING.  A unique identifier meaningful to the
      sender and recipient of this document that references a course of
      action.  This class MUST be present if the action attribute is set
      to "defined-coa".

   StartTime
      Zero or one.  The time at which the sender would like the action
      performed.  A timestamp that is earlier than the ReportTime
      specified in the Incident class denotes that the sender would like
      the action performed as soon as possible.  The absence of this
      element indicates no expectations of when the recipient would like
      the action performed.

   EndTime
      Zero or one.  The time by which the sender expects the recipient
      to complete the action.  If the recipient cannot complete the
      action before EndTime, the recipient MUST NOT carry out the
      action.  Because of transit delays, clock drift, and so on, the
      sender MUST be prepared for the recipient to have carried out the
      action, even if it completes past EndTime.

   Contact
      Zero or one.  The expected actor for the action.

   The Expectation class has six attributes:

   restriction
      Optional.  ENUM.  See Section 3.3.1.  The default value is
      "default".

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.
   severity
      Optional.  ENUM.  Indicates the desired priority of the action.
      This attribute is an enumerated list with no default value, and
      the semantics of these relative measures are context dependent.

      1.  low.  Low priority

      2.  medium.  Medium priority

      3.  high.  High priority

   action
      Optional.  ENUM.  Classifies the type of action requested.  This
      attribute is an enumerated list with a default value of "other".
      These values are maintained in the "Expectation-action" IANA
      registry per Table 1.

      1.  nothing.  No action is requested.  Do nothing with the
          information.

      2.  contact-source-site.  Contact the site(s) identified as the
          source of the activity.

      3.  contact-target-site.  Contact the site(s) identified as the
          target of the activity.

      4.  contact-sender.  Contact the originator of the document.

      5.  investigate.  Investigate the system(s) listed in the event.

      6.  block-host.  Block traffic from the machine(s) listed as
          sources in the event.

      7.  block-network.  Block traffic from the network(s) listed as
          sources in the event.

      8.  block-port.  Block the port listed as sources in the event.

      9.  rate-limit-host.  Rate-limit the traffic from the machine(s)
          listed as sources in the event.

      10.  rate-limit-network.  Rate-limit the traffic from the
           network(s) listed as sources in the event.

      11.  rate-limit-port.  Rate-limit the port(s) listed as sources in
           the event.

      12.  redirect-traffic.  Redirect traffic from the intended
           recipient for further analysis.

      13.  honeypot.  Redirect traffic to a honeypot for further
           analysis.

      14.  upgrade-software.  Upgrade or patch the software or firmware
           on an asset.

      15.  rebuild-asset.  Reinstall the operating system or
           applications on an asset.

      16.  harden-asset.  Change the configuration of an asset (e.g.,
           reduce the number of services or user accounts) to reduce the
           attack surface.

      17.  remediate-other.  Remediate the activity in a way other than
           by rate limiting or blocking.

      18.  status-triage.  Conveys receipt and the triaging of an
           incident.

      19.  status-new-info.  Conveys that new information was received
           for this incident.

      20.  watch-and-report.  Watch for the described activity and share
           if seen.

      21.  training.  Train users to identify or mitigate a threat.

      22.  defined-coa.  Perform a predefined course of action (COA).
           The COA is named in the DefinedCOA class.

      23.  other.  Perform some custom action described in the
           Description class.

      24.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.1.

   ext-action
      Optional.  STRING.  A means by which to extend the action
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.18.  Flow Class

   The Flow class groups the related source and target hosts.

   +------------------+
   |       Flow       |
   +------------------+
   |                  |<>--{1..*}--[ System ]
   +------------------+

                       Figure 31: The Flow Class

   The aggregate class that constitutes Flow is:

   System
      One or more.  A host or network involved in an event.

   The Flow class has no attributes.

3.19.  System Class

   The System class describes a system or network involved in an event.
   The systems or networks represented by this class are categorized
   according to the role they played in the incident through the
   category attribute.  The value of this category attribute dictates
   the semantics of the aggregated classes in the System class.  If the
   category attribute has a value of "source", then the aggregated
   classes denote the machine and service from which the activity is
   originating.  With a category attribute value of "target" or
   "intermediary", the machine or service is the one targeted in the
   activity.
   A value of "sensor" dictates that this System was part of an
   instrumentation to monitor the network.

   +------------------------+
   | System                 |
   +------------------------+
   | ENUM restriction       |<>----------[ Node ]
   | STRING ext-restriction |<>--{0..*}--[ NodeRole ]
   | ENUM category          |<>--{0..*}--[ Service ]
   | STRING ext-category    |<>--{0..*}--[ OperatingSystem ]
   | STRING interface       |<>--{0..*}--[ Counter ]
   | ENUM spoofed           |<>--{0..*}--[ AssetID ]
   | ENUM virtual           |<>--{0..*}--[ Description ]
   | ENUM ownership         |<>--{0..*}--[ AdditionalData ]
   | STRING ext-ownership   |
   |                        |
   +------------------------+

                       Figure 32: The System Class

   The aggregate classes that constitute System are:

   Node
      One.  A host or network involved in the incident.

   NodeRole
      Zero or more.  The intended purpose of the system.

   Service
      Zero or more.  A network service running on the system.

   OperatingSystem
      Zero or more.  The operating system running on the system.

   Counter
      Zero or more.  A counter with which to summarize properties of
      this host or network.

   AssetID
      Zero or more.  An asset identifier for the System.

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      System.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   The System class has nine attributes:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   category
      Optional.  ENUM.  Classifies the role the host or network played
      in the incident.  These values are maintained in the
      "System-category" IANA registry per Table 1.  The possible values
      are:

      1.  source.  The System was the source of the event.

      2.  target.  The System was the target of the event.

      3.  intermediate.
          The System was an intermediary in the event.

      4.  sensor.  The System was a sensor monitoring the event.

      5.  infrastructure.  The System was an infrastructure node of
          IODEF document exchange.

      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-category
      Optional.  STRING.  A means by which to extend the category
      attribute.  See Section 5.1.1.

   interface
      Optional.  STRING.  Specifies the interface on which the event(s)
      on this System originated.  If the Node class specifies a network
      rather than a host, this attribute has no meaning.

   spoofed
      Optional.  ENUM.  An indication of confidence in whether this
      System was the true target or attacking host.  The permitted
      values for this attribute are shown below.  The default value is
      "unknown".

      1.  unknown.  The accuracy of the category attribute value is
          unknown.

      2.  yes.  The category attribute value is probably incorrect.  In
          the case of a source, the System is likely a decoy; with a
          target, the System was likely not the intended victim.

      3.  no.  The category attribute value is believed to be correct.

   virtual
      Optional.  ENUM.  Indicates whether this System is a virtual or
      physical device.  The default value is "unknown".  The possible
      values are:

      1.  yes.  The System is a virtual device.

      2.  no.  The System is a physical device.

      3.  unknown.  It is not known if the System is virtual.

   ownership
      Optional.  ENUM.  Describes the ownership of this System relative
      to the sender of the IODEF document.  These values are maintained
      in the "System-ownership" IANA registry per Table 1.  The possible
      values are:

      1.  organization.  The System is owned by the organization.

      2.  personal.  The System is owned by an employee or affiliate of
          the organization.

      3.  partner.  The System is owned by a partner of the
          organization.

      4.  customer.
          The System is owned by a customer of the organization.

      5.  no-relationship.  The System is owned by an entity that has
          no known relationship with the organization.

      6.  unknown.  The ownership of the System is unknown.

      7.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-ownership
      Optional.  STRING.  A means by which to extend the ownership
      attribute.  See Section 5.1.1.

3.20.  Node Class

   The Node class names an asset or network.

   This class was derived from [RFC4765].

   +---------------+
   | Node          |
   +---------------+
   |               |<>--{0..*}--[ DomainData ]
   |               |<>--{0..*}--[ Address ]
   |               |<>--{0..1}--[ PostalAddress ]
   |               |<>--{0..*}--[ Location ]
   |               |<>--{0..1}--[ DateTime ]
   |               |<>--{0..*}--[ Counter ]
   +---------------+

                        Figure 33: The Node Class

   The aggregate classes that constitute Node are:

   DomainData
      Zero or more.  The detailed domain (DNS) information associated
      with this Node.  If an Address is not provided, at least one
      DomainData MUST be specified.

   Address
      Zero or more.  The hardware, network, or application address of
      the Node.  If a DomainData is not provided, at least one Address
      MUST be specified.

   PostalAddress
      Zero or one.  The postal address of the asset.

   Location
      Zero or more.  ML_STRING.  A free-form description of the
      physical location of the Node.  This description may provide a
      more detailed description of where in the PostalAddress this Node
      is found (e.g., room number, rack number, slot number in a
      chassis).

   Counter
      Zero or more.  A counter with which to summarize properties of
      this host or network.

   The Node class has no attributes.

3.20.1.  Address Class

   The Address class represents a hardware (layer-2), network (layer-3),
   or application (layer-7) address.

   This class was derived from [RFC4765].
   +-------------------------+
   | Address                 |
   +-------------------------+
   | ENUM category           |
   | STRING ext-category     |
   | STRING vlan-name        |
   | INTEGER vlan-num        |
   | ID observable-id        |
   +-------------------------+

                      Figure 34: The Address Class

   The Address class has five attributes:

   category
      Optional.  ENUM.  The type of address represented.  The permitted
      values for this attribute are shown below.  The default value is
      "ipv4-addr".  These values are maintained in the
      "Address-category" IANA registry per Table 1.

      1.   asn.  Autonomous System Number

      2.   atm.  Asynchronous Transfer Mode (ATM) address

      3.   e-mail.  Electronic mail address (RFC 822)

      4.   ipv4-addr.  IPv4 host address in dotted-decimal notation
           (a.b.c.d)

      5.   ipv4-net.  IPv4 network address in dotted-decimal notation,
           slash, significant bits (i.e., a.b.c.d/nn)

      6.   ipv4-net-mask.  IPv4 network address in dotted-decimal
           notation, slash, network mask in dotted-decimal notation
           (i.e., a.b.c.d/w.x.y.z)

      7.   ipv6-addr.  IPv6 host address

      8.   ipv6-net.  IPv6 network address, slash, significant bits

      9.   ipv6-net-mask.  IPv6 network address, slash, network mask

      10.  mac.  Media Access Control (MAC) address (i.e., a:b:c:d:e:f)

      11.  site-uri.  A URL or URI for a resource.

      12.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.1.

   ext-category
      Optional.  STRING.  A means by which to extend the category
      attribute.  See Section 5.1.1.

   vlan-name
      Optional.  STRING.  The name of the Virtual LAN to which the
      address belongs.

   vlan-num
      Optional.  STRING.  The number of the Virtual LAN to which the
      address belongs.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.20.2.  NodeRole Class

   The NodeRole class describes the function performed by a particular .
   +---------------------+
   | NodeRole            |
   +---------------------+
   | ENUM category       |
   | STRING ext-category |
   | ENUM xml:lang       |
   +---------------------+

                      Figure 35: The NodeRole Class

   The NodeRole class has three attributes:

   category
      Required.  ENUM.  Functionality provided by a node.  These values
      are maintained in the "NodeRole-category" IANA registry per
      Table 1.

      1.   client.  Client computer

      2.   client-enterprise.  Client computer on the enterprise
           network

      3.   client-partner.  Client computer on network of a partner

      4.   client-remote.  Client computer remotely connected to the
           enterprise network

      5.   client-kiosk.  Client computer that serves as a kiosk

      6.   client-mobile.  Client is a mobile device

      7.   server-internal.  Server with internal services

      8.   server-public.  Server with public services

      9.   www.  WWW server

      10.  mail.  Mail server

      11.  webmail.  Web mail server

      12.  messaging.  Messaging server (e.g., NNTP, IRC, IM)

      13.  streaming.  Streaming-media server

      14.  voice.  Voice server (e.g., SIP, H.323)

      15.  file.  File server (e.g., SMB, CVS, AFS)

      16.  ftp.  FTP server

      17.  p2p.  Peer-to-peer node

      18.  name.  Name server (e.g., DNS, WINS)

      19.  directory.  Directory server (e.g., LDAP, finger, whois)

      20.  credential.  Credential server (e.g., domain controller,
           Kerberos)

      21.  print.  Print server

      22.  application.  Application server

      23.  database.  Database server

      24.  backup.  Backup server

      25.  dhcp.  DHCP server

      26.  assessment.  Assessment server (e.g., vulnerability scanner,
           end-point assessment)

      27.  source-control.  Source code control server

      28.  config-management.  Configuration management server

      29.  monitoring.  Security monitoring server (e.g., IDS)

      30.  infra.  Infrastructure server (e.g., router, firewall, DHCP)

      31.  infra-firewall.  Firewall

      32.  infra-router.  Router

      33.
           infra-switch.  Switch

      34.  camera.  Camera and video system

      35.  proxy.  Proxy server

      36.  remote-access.  Remote access server

      37.  log.  Log server (e.g., syslog)

      38.  virtualization.  Server running virtual machines

      39.  pos.  Point-of-sale device

      40.  scada.  Supervisory control and data acquisition system

      41.  scada-supervisory.  Supervisory system for a SCADA

      42.  sinkhole.  Traffic sinkhole destination

      43.  honeypot.  Honeypot server

      44.  anonymization.  Anonymization server (e.g., Tor node)

      45.  c2.  Malicious command and control server

      46.  malware-distribution.  Server that distributes malware

      47.  drop-server.  Server to which exfiltrated content is
           uploaded.

      48.  hop-point.  Intermediary server used to get to a victim.

      49.  reflector.  A system used in a reflector attack.

      50.  phishing-site.  Site hosting phishing content

      51.  spear-phishing-site.  Site hosting spear-phishing content

      52.  recruiting-site.  Site to recruit

      53.  fraudulent-site.  Fraudulent site.

      54.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.1.

   ext-category
      Optional.  STRING.  A means by which to extend the category
      attribute.  See Section 5.1.1.

   xml:lang
      Optional.  ENUM.  A language identifier per Section 2.12 of
      [W3C.XML] whose values and form are described in [RFC5646].  The
      interpretation of this code is described in Section 6.

3.20.3.  Counter Class

   The Counter class summarizes multiple occurrences of some event, or
   conveys counts or rates on various features (e.g., packets, sessions,
   events).

   The value of the counter is the element content with its units
   represented in the type attribute.  A rate for a given feature can be
   expressed by setting the duration attribute.  The complete semantics
   are entirely context dependent based on the class in which the
   Counter is aggregated.
   +---------------------+
   | Counter             |
   +---------------------+
   | REAL                |
   |                     |
   | ENUM type           |
   | STRING ext-type     |
   | ENUM unit           |
   | STRING ext-unit     |
   | STRING meaning      |
   | ENUM duration       |
   | STRING ext-duration |
   +---------------------+

                      Figure 36: The Counter Class

   The Counter class has seven attributes:

   type
      Required.  ENUM.  Specifies the type of counter specified in the
      element content.  These values are maintained in the
      "Counter-type" IANA registry per Table 1.  The default value is
      "count".

      1.  count.  The Counter class value is a counter.

      2.  peak.  The Counter class value is a peak value.

      3.  average.  The Counter class value is an average.

      4.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.1.

   unit
      Required.  ENUM.  Specifies the units of the element content.
      These values are maintained in the "Counter-unit" IANA registry
      per Table 1.

      1.   byte.  Bytes.

      2.   mbit.  Megabits (Mbits).

      3.   packet.  Packets.

      4.   flow.  Network flow records.

      5.   session.  Sessions.

      6.   alert.  Notifications generated by another system (e.g., IDS
           or SIM).

      7.   message.  Messages (e.g., mail messages).

      8.   event.  Events.

      9.   host.  Hosts.

      10.  site.  Site.

      11.  organization.  Organizations.

      12.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.1.

   ext-unit
      Optional.  STRING.  A means by which to extend the unit attribute.
      See Section 5.1.1.

   meaning
      Optional.  STRING.  A free-form description of the metric
      represented by the Counter.

   duration
      Optional.  ENUM.  If present, the Counter class represents a rate.
      This attribute specifies the unit of time over which the rate
      whose units are specified in the unit attribute is being conveyed.
      This attribute is the denominator of the rate (where the unit
      attribute specifies the numerator).  The possible values of this
      attribute are defined in Section 3.14.3.

   ext-duration
      Optional.  STRING.  A means by which to extend the duration
      attribute.  See Section 5.1.1.

3.21.  DomainData Class

   The DomainData class describes a domain name and meta-data associated
   with this domain.

   +--------------------------+
   | DomainData               |
   +--------------------------+
   | ENUM system-status       |<>----------[ Name ]
   | STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ]
   | ENUM domain-status       |<>--{0..1}--[ RegistrationDate ]
   | STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ]
   | ID observable-id         |<>--{0..*}--[ RelatedDNS ]
   |                          |<>--{0..*}--[ Nameservers ]
   |                          |<>--{0..1}--[ DomainContacts ]
   |                          |
   +--------------------------+

                     Figure 37: The DomainData Class

   The aggregate classes that constitute DomainData are:

   Name
      One.  STRING.  The domain name of the Node (e.g., fully qualified
      domain name).

   DateDomainWasChecked
      Zero or one.  DATETIME.  A timestamp of when the Name was
      resolved.

   RegistrationDate
      Zero or one.  DATETIME.  A timestamp of when the domain listed in
      Name was registered.

   ExpirationDate
      Zero or one.  DATETIME.  A timestamp of when the domain listed in
      Name is set to expire.

   RelatedDNS
      Zero or more.  Additional DNS records associated with this domain.

   Nameservers
      Zero or more.  The name servers identified for the domain listed
      in Name.

   DomainContacts
      Zero or one.  Contact information for the domain listed in Name
      supplied by the registrar or through a whois query.

   The DomainData class has five attributes:

   system-status
      Required.
      ENUM.  Assesses the domain's involvement in the event.  These
      values are maintained in the "DomainData-system-status" IANA
      registry per Table 1.

      1.  spoofed.  This domain was spoofed.

      2.  fraudulent.  This domain was operated with fraudulent
          intentions.

      3.  innocent-hacked.  This domain was compromised by a third
          party.

      4.  innocent-hijacked.  This domain was deliberately hijacked.

      5.  unknown.  No categorization for this domain known.

      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-system-status
      Optional.  STRING.  A means by which to extend the system-status
      attribute.  See Section 5.1.1.

   domain-status
      Required.  ENUM.  Categorizes the registry status of the domain at
      the time the document was generated.  These values and their
      associated descriptions are derived from Section 3.2.2 of
      [RFC3982].  These values are maintained in the
      "DomainData-domain-status" IANA registry per Table 1.

      1.   reservedDelegation.  The domain is permanently inactive.

      2.   assignedAndActive.  The domain is in a normal state.

      3.   assignedAndInactive.  The domain has an assigned
           registration but the delegation is inactive.

      4.   assignedAndOnHold.  The domain is under dispute.

      5.   revoked.  The domain is in the process of being purged from
           the database.

      6.   transferPending.  The domain is pending a change in
           authority.

      7.   registryLock.  The domain is on hold by the registry.

      8.   registrarLock.  Same as "registryLock".

      9.   other.  The domain has a known status but it is not one of
           the predefined enumerated values.

      10.  unknown.  The domain has an unknown status.

      11.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.1.

   ext-domain-status
      Optional.  STRING.  A means by which to extend the domain-status
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.
      See Section 3.3.2.

3.21.1.  RelatedDNS

   The RelatedDNS class describes additional record types associated
   with a given domain name.  The record type is described in the
   record-type attribute and the value of the record is the element
   content.  ... TODO Issue #39 ...

   +----------------------+
   | RelatedDNS           |
   +----------------------+
   | STRING               |
   |                      |
   | ENUM record-type     |
   +----------------------+

                     Figure 38: The RelatedDNS Class

   The RelatedDNS class has one attribute:

   record-type
      Required.  ENUM.  The DNS record type.  ... TODO values need to be
      listed ...

3.21.2.  Nameservers Class

   The Nameservers class describes the name servers associated with a
   given domain.

   +--------------------+
   | Nameservers        |
   +--------------------+
   |                    |<>----------[ Server ]
   |                    |<>--{1..*}--[ Address ]
   +--------------------+

                    Figure 39: The Nameservers Class

   The aggregate classes that constitute Nameservers are:

   Server
      One.  STRING.  The domain name of the name server.

   Address
      One or more.  The address of the name server.  See Section 3.20.1.

3.21.3.  DomainContacts Class

   The DomainContacts class describes the contact information for a
   given domain provided either by the registrar or through a whois
   query.

   This contact information can be explicitly described through a
   Contact class or a reference can be provided to a domain with
   identical contact information.  Either a single SameDomainContact
   MUST be present or one or many Contact classes.

   +--------------------+
   | DomainContacts     |
   +--------------------+
   |                    |<>--{0..1}--[ SameDomainContact ]
   |                    |<>--{1..*}--[ Contact ]
   +--------------------+

                   Figure 40: The DomainContacts Class

   The aggregate classes that constitute DomainContacts are:

   SameDomainContact
      Zero or one.  STRING.
      A domain name already cited in this document or through a
      previous exchange that contains the identical contact information
      as the domain name in question.  The domain contact information
      associated with this domain should be used in lieu of explicit
      definition with the Contact class.

   Contact
      One or more.  Contact information for the domain.  See
      Section 3.10.

3.22.  Service Class

   The Service class describes a network service of a host or network.
   The service is identified by a specific port or list of ports, along
   with the application listening on that port.

   When Service occurs as an aggregate class of a System that is a
   source, then this service is the one from which activity of interest
   is originating.  Conversely, when Service occurs as an aggregate
   class of a System that is a target, then that service is the one to
   which activity of interest is directed.

   This class was derived from [RFC4765].

   +-------------------------+
   | Service                 |
   +-------------------------+
   | INTEGER ip-protocol     |<>--{0..1}--[ ServiceName ]
   | ID observable-id        |<>--{0..1}--[ Port ]
   |                         |<>--{0..1}--[ Portlist ]
   |                         |<>--{0..1}--[ ProtoCode ]
   |                         |<>--{0..1}--[ ProtoType ]
   |                         |<>--{0..1}--[ ProtoField ]
   |                         |<>--{0..*}--[ ApplicationHeader ]
   |                         |<>--{0..1}--[ EmailData ]
   |                         |<>--{0..1}--[ Application ]
   +-------------------------+

                      Figure 41: The Service Class

   The aggregate classes that constitute Service are:

   ServiceName
      Zero or one.  STRING.  The name of the service per the "Service
      Name" field of the [IANA.Ports] registry.

   Port
      Zero or one.  INTEGER.  A port number.

   Portlist
      Zero or one.  PORTLIST.  A list of port numbers formatted
      according to Section 2.10.

   ProtoCode
      Zero or one.  INTEGER.  A transport layer (layer 4) protocol-
      specific code field (e.g., ICMP code field).

   ProtoType
      Zero or one.
      INTEGER.  A transport layer (layer 4) protocol-specific type
      field (e.g., ICMP type field).

   ProtoField
      Zero or one.  INTEGER.  A transport layer (layer 4) protocol-
      specific flag field (e.g., TCP flag field).

   ApplicationHeader
      Zero or more.  An application layer (layer 7) protocol header.
      See Section 3.22.1.

   EmailData
      Zero or one.  Headers associated with an email.  See Section 3.24.

   Application
      Zero or one.  The application bound to the specified Port or
      Portlist.  See Section 3.22.2.

   Either a Port or Portlist class MUST be specified for a given
   instance of a Service class.

   When a given System class with category="source" and another with
   category="target" are aggregated into a single Flow class, and each
   of these System classes has a Service and Portlist class, an implicit
   relationship between these Portlists exists.  If N ports are listed
   for a System@category="source", and M ports are listed for
   System@category="target", the number of ports in N must be equal to
   M.  Likewise, the ports MUST be listed in an identical sequence such
   that the n-th port in the source corresponds to the n-th port of the
   target.  If N is greater than 1, a given instance of a Flow class
   MUST only have a single instance of a System@category="source" and
   System@category="target".

   The Service class has two attributes:

   ip-protocol
      Required.  INTEGER.  The IANA assigned IP protocol number per
      [IANA.Protocols].

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.22.1.  ApplicationHeader Class

   The ApplicationHeader class allows the representation of arbitrary
   fields from an application layer protocol header and its
   corresponding value.
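The Portlist correspondence rules above are the kind of constraint a receiving CSIRT tool has to check before acting on a Flow, since a mismatched list silently pairs the wrong ports. The following is an added example, not code from the IODEF draft: it parses a constructed Flow fragment, expands each PORTLIST (Section 2.10 syntax is assumed to be comma-separated ports and dash ranges), requires a Port or Portlist per Service, and pairs the n-th source port with the n-th target port. The namespace URI is an assumption for this draft's schema.

```python
"""Check the source/target port correspondence rules of Section 3.22.

Added example; not code from the IODEF draft.  Constraints enforced:
  * every Service carries a Port or a Portlist;
  * a source Portlist and a target Portlist have equal length, and the
    n-th source port corresponds to the n-th target port;
  * if that length exceeds 1, the Flow holds exactly one source System
    and one target System.
"""
import re
import xml.etree.ElementTree as ET

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-2.0"}  # assumed namespace

# Constructed sample: one source host probing three ports on one target.
SAMPLE_FLOW = """
<Flow xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <System category="source">
    <Node><Address category="ipv4-addr">192.0.2.10</Address></Node>
    <Service ip-protocol="6"><Portlist>40001-40003</Portlist></Service>
  </System>
  <System category="target">
    <Node><Address category="ipv4-addr">198.51.100.20</Address></Node>
    <Service ip-protocol="6"><Portlist>22,80,443</Portlist></Service>
  </System>
</Flow>
"""


def expand_portlist(text):
    """Expand a PORTLIST such as "22,80,40001-40003" into a port list
    (assumed Section 2.10 syntax: comma-separated ports and ranges)."""
    ports = []
    for item in text.replace(" ", "").split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError("malformed PORTLIST item: %r" % item)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("port range out of bounds: %r" % item)
        ports.extend(range(lo, hi + 1))
    return ports


def service_ports(service):
    """Ports of one Service element; a Port or a Portlist MUST be present."""
    port = service.find("iodef:Port", NS)
    plist = service.find("iodef:Portlist", NS)
    if port is None and plist is None:
        raise ValueError("Service carries neither Port nor Portlist")
    if port is not None:
        return [int(port.text.strip())]
    return expand_portlist(plist.text)


def flow_port_pairs(flow_xml):
    """Return [(source_port, target_port), ...] implied by a Flow, or
    raise ValueError when the Section 3.22 correspondence rules fail."""
    root = ET.fromstring(flow_xml)
    systems = {"source": [], "target": []}  # category -> per-System lists
    for system in root.findall("iodef:System", NS):
        cat = system.get("category")
        if cat not in systems:
            continue  # intermediate, sensor, ... are never paired
        lists = [service_ports(s) for s in system.findall("iodef:Service", NS)]
        systems[cat].append(lists)
    pairs = []
    for src_lists in systems["source"]:
        for dst_lists in systems["target"]:
            for src in src_lists:
                for dst in dst_lists:
                    if len(src) != len(dst):
                        raise ValueError("N=%d source ports but M=%d target "
                                         "ports" % (len(src), len(dst)))
                    if len(src) > 1 and (len(systems["source"]) > 1
                                         or len(systems["target"]) > 1):
                        raise ValueError("multi-port lists need exactly one "
                                         "source and one target System")
                    pairs.extend(zip(src, dst))
    return pairs


def flow_is_consistent(flow_xml):
    """True when the Flow satisfies the port correspondence rules."""
    try:
        flow_port_pairs(flow_xml)
        return True
    except ValueError:
        return False
```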
   +--------------------------+
   | ApplicationHeader        |
   +--------------------------+
   | ANY                      |
   |                          |
   | INTEGER proto            |
   | STRING proto-name        |
   | STRING field             |
   | ENUM dtype               |
   | STRING ext-dtype         |
   | ID observable-id         |
   +--------------------------+

                  Figure 42: The ApplicationHeader Class

   The ApplicationHeader class has six attributes:

   proto
      Optional.  INTEGER.  The IANA assigned port number per the
      "Protocol Number" field of the [IANA.Ports] registry corresponding
      to the application layer protocol whose field will be represented.

   proto-name
      Optional.  STRING.  The IANA assigned service name per the
      "Service Name" field of the [IANA.Ports] registry corresponding to
      the application layer protocol whose field will be represented.

   field
      Required.  STRING.  The name of the protocol field whose value
      will be found in the element body.

   dtype
      Required.  ENUM.  The data type of the element content.  The
      permitted values for this attribute are shown below.  The default
      value is "string".

      1.   boolean.  The element content is of type BOOLEAN.

      2.   byte.  The element content is of type BYTE.

      3.   bytes.  The element content is of type HEXBIN.

      4.   character.  The element content is of type CHARACTER.

      5.   date-time.  The element content is of type DATETIME.

      6.   integer.  The element content is of type INTEGER.

      7.   portlist.  The element content is of type PORTLIST.

      8.   real.  The element content is of type REAL.

      9.   string.  The element content is of type STRING.

      10.  file.  The element content is a base64 encoded binary file
           encoded as a BYTE[] type.

      11.  path.  The element content is a file-system path encoded as
           a STRING type.

      12.  xml.  The element content is XML.  See Section 5.

      13.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.1.

   ext-dtype
      Optional.  STRING.
      A means by which to extend the dtype attribute.  See
      Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

   Either the proto or proto-name attribute MUST be set.  If both are
   set, they MUST correspond to the same entry in the registry.

3.22.2.  Application Class

   The Application class describes an application running on a System
   providing a Service.

   +--------------------+
   | Application        |
   +--------------------+
   | STRING swid        |<>--{0..1}--[ URL ]
   | STRING configid    |
   | STRING vendor      |
   | STRING family      |
   | STRING name        |
   | STRING version     |
   | STRING patch       |
   +--------------------+

                    Figure 43: The Application Class

   The aggregate class that constitutes Application is:

   URL
      Zero or one.  URL.  A URL describing the application.

   The Application class has seven attributes:

   swid
      Optional.  STRING.  An identifier that can be used to reference
      this software, where the default value is "0".

   configid
      Optional.  STRING.  An identifier that can be used to reference a
      particular configuration of this software, where the default value
      is "0".

   vendor
      Optional.  STRING.  Vendor name of the software.

   family
      Optional.  STRING.  Family of the software.

   name
      Optional.  STRING.  Name of the software.

   version
      Optional.  STRING.  Version of the software.

   patch
      Optional.  STRING.  Patch or service pack level of the software.

3.23.  OperatingSystem Class

   The OperatingSystem class describes the operating system running on a
   System.  The definition is identical to the Application class
   (Section 3.22.2).

3.24.  EmailData Class

   The EmailData class describes headers from an email message.  Common
   headers have dedicated classes, but arbitrary headers can also be
   described.
   +-------------------------+
   | EmailData               |
   +-------------------------+
   | ID observable-id        |<>--{0..1}--[ EmailFrom ]
   |                         |<>--{0..1}--[ EmailSubject ]
   |                         |<>--{0..1}--[ EmailX-Mailer ]
   |                         |<>--{0..*}--[ EmailHeaderField ]
   |                         |<>--{0..*}--[ HashData ]
   |                         |<>--{0..*}--[ SignatureData ]
   +-------------------------+

                       Figure 44: EmailData Class

   The aggregate classes that constitute EmailData are:

   EmailFrom
      Zero or one.  The value of the "From:" header field in an email.
      See Section 3.6.2 of [RFC5322].

   EmailSubject
      Zero or one.  The value of the "Subject:" header field in an
      email.  See Section 3.6.4 of [RFC5322].

   EmailX-Mailer
      Zero or one.  The value of the "X-Mailer:" header field in an
      email.

   EmailHeaderField
      Zero or one.  The value of an arbitrary header field in the email.
      See Section 3.22.1.  The attributes of EmailHeaderField MUST be
      set as follows: proto="25" or proto-name="smtp", or both can be
      set; and dtype="string".  The name of the email header field MUST
      be set in the field attribute.

   HashData
      Zero or one.  Hash(es) associated with this email.

   SignatureData
      Zero or one.  Signature(s) associated with this email.

   The EmailData class has one attribute:

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.25.  Record Class

   The Record class is a container class for log and audit data that
   provides supportive information about the incident.  The source of
   this data will often be the output of monitoring tools.  These logs
   substantiate the activity described in the document.

   +------------------------+
   | Record                 |
   +------------------------+
   | ENUM restriction       |<>--{1..*}--[ RecordData ]
   | STRING ext-restriction |
   +------------------------+

                        Figure 45: Record Class

   The aggregate class that constitutes Record is:

   RecordData
      One or more.
      Log or audit data generated by a particular type of sensor.
      Separate instances of the RecordData class SHOULD be used for each
      sensor type.

   The Record class has two attributes:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.25.1.  RecordData Class

   The RecordData class groups log or audit data from a given sensor
   (e.g., IDS, firewall log) and provides a way to annotate the output.

   +------------------------+
   | RecordData             |
   +------------------------+
   | ENUM restriction       |<>--{0..1}--[ DateTime ]
   | STRING ext-restriction |<>--{0..*}--[ Description ]
   | ID observable-id       |<>--{0..1}--[ Application ]
   |                        |<>--{0..*}--[ RecordPattern ]
   |                        |<>--{0..*}--[ RecordItem ]
   |                        |<>--{0..*}--[ FileData ]
   |                        |<>--{0..*}--[ CertificateData ]
   |                        |<>--{0..*}--
   |                        |    [ WindowsRegistryKeysModified ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                     Figure 46: The RecordData Class

   The aggregate classes that constitute RecordData are:

   DateTime
      Zero or one.  Timestamp of the RecordItem data.

   Description
      Zero or more.  ML_STRING.  Free-form textual description of the
      provided RecordItem data.  At minimum, this description should
      convey the significance of the provided RecordItem data.

   Application
      Zero or one.  Information about the sensor used to generate the
      RecordItem data.

   RecordPattern
      Zero or more.  A search string to precisely find the relevant data
      in a RecordItem.

   RecordItem
      Zero or more.  Log, audit, or forensic data.

   FileData
      Zero or one.  The file name and hash of a file indicator.

   WindowsRegistryKeysModified
      Zero or more.  The registry keys that were modified that are
      indicator(s).

   AdditionalData
      Zero or more.
      An extension mechanism for data not explicitly represented in the
      data model.

   The RecordData class has three attributes:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.25.2.  RecordPattern Class

   The RecordPattern class describes where in the content of the
   RecordItem relevant information can be found.  It provides a way to
   reference subsets of information, identified by a pattern, in a large
   log file, audit trail, or forensic data.

   +-----------------------+
   | RecordPattern         |
   +-----------------------+
   | STRING                |
   |                       |
   | ENUM type             |
   | STRING ext-type       |
   | INTEGER offset        |
   | ENUM offsetunit       |
   | STRING ext-offsetunit |
   | INTEGER instance      |
   +-----------------------+

                   Figure 47: The RecordPattern Class

   The specific pattern to search with in the RecordItem is defined in
   the body of the element.  It is further annotated by six attributes:

   type
      Required.  ENUM.  Describes the type of pattern being specified in
      the element content.  The default is "regex".  These values are
      maintained in the "RecordPattern-type" IANA registry per Table 1.

      1.  regex.  Regular expression as defined by POSIX Extended
          Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX].

      2.  binary.  Binhex encoded binary pattern, per the HEXBIN data
          type.

      3.  xpath.  XML Path (XPath) [W3C.XPATH]

      4.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.1.

   offset
      Optional.  INTEGER.  Amount of units (determined by the offsetunit
      attribute) to seek into the RecordItem data before matching the
      pattern.

   offsetunit
      Optional.  ENUM.
      Describes the units of the offset attribute. The default is
      "line". These values are maintained in the
      "RecordPattern-offsetunit" IANA registry per Table 1.

      1. line. Offset is a count of lines.

      2. byte. Offset is a count of bytes.

      3. ext-value. An escape value used to extend this attribute.
         See Section 5.1.1.

   ext-offsetunit
      Optional. STRING. A means by which to extend the offsetunit
      attribute. See Section 5.1.1.

   instance
      Optional. INTEGER. Number of times to apply the specified
      pattern.

3.25.3. RecordItem Class

   The RecordItem class provides a way to incorporate relevant logs,
   audit trails, or forensic data to support the conclusions made during
   the course of analyzing the incident. The class supports both the
   direct encapsulation of the data and primitives to reference data
   stored elsewhere.

   This class is identical to the AdditionalData class (Section 3.9).

3.26. WindowsRegistryKeysModified Class

   The WindowsRegistryKeysModified class describes Windows operating
   system registry keys and the operations that were performed on them.
   This class was derived from [RFC5901].

   +-----------------------------+
   | WindowsRegistryKeysModified |
   +-----------------------------+
   | ID observable-id            |<>--{1..*}--[ Key ]
   +-----------------------------+

            Figure 48: The WindowsRegistryKeysModified Class

   The aggregate class that constitutes the WindowsRegistryKeysModified
   class is:

   Key
      One or many. The Windows registry key.

   The WindowsRegistryKeysModified class has one attribute:

   observable-id
      Optional. ID. See Section 3.3.2.

3.26.1. Key Class

   The Key class describes a particular Windows operating system
   registry key name and value pair, and the operation performed on it.
   +---------------------------+
   | Key                       |
   +---------------------------+
   | ENUM registryaction       |<>----------[ KeyName  ]
   | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
   | ID observable-id          |
   +---------------------------+

                      Figure 49: The Key Class

   The aggregate classes that constitute Key are:

   KeyName
      One. STRING. The name of the Windows operating system registry
      key (e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName]).

   KeyValue
      Zero or one. STRING. The value of the associated registry key
      encoded as in Microsoft .reg files [KB310516].

   The Key class has three attributes:

   registryaction
      Optional. ENUM. The type of action taken on the registry key.
      These values are maintained in the "Key-registryaction" IANA
      registry per Table 1.

      1. add-key. Registry key added.

      2. add-value. Value added to registry key.

      3. delete-key. Registry key deleted.

      4. delete-value. Value deleted from registry key.

      5. modify-key. Registry key modified.

      6. modify-value. Value modified for registry key.

      7. ext-value. An escape value used to extend this attribute.
         See Section 5.1.1.

   ext-registryaction
      Optional. STRING. A means by which to extend the registryaction
      attribute. See Section 5.1.1.

   observable-id
      Optional. ID. See Section 3.3.2.

3.27. CertificateData Class

   The CertificateData class describes X.509 certificates.

   +------------------------+
   | CertificateData        |
   +------------------------+
   | ID observable-id       |<>--{1..*}--[ Certificate ]
   | ENUM restriction       |
   | STRING ext-restriction |
   +------------------------+

                 Figure 50: The CertificateData Class

   The aggregate class that constitutes CertificateData is:

   Certificate
      One or more. A certificate.

   The CertificateData class has three attributes:

   observable-id
      Optional. ID. See Section 3.3.2.
   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.

3.27.1. Certificate Class

   The Certificate class describes a given X.509 certificate or
   certificate chain.

   +--------------------------+
   | Certificate              |
   +--------------------------+
   | ENUM valid               |<>----------[ ds:X509Data ]
   | ID observable-id         |
   +--------------------------+

                  Figure 51: The Certificate Class

   The aggregate class that constitutes Certificate is:

   ds:X509Data
      One. A given X.509 certificate or chain. See Section 4.4.4 of
      [W3C.XMLSIG].

   The Certificate class has two attributes:

   valid
      Optional. ENUM. Indicates whether a given certificate has a valid
      signature. An invalid signature may be due to an invalid
      certificate chain, a signature not decoding properly, or
      certificate contents not matching the hash.

      1. yes. The certificate is valid.

      2. no. The certificate is not valid.

   observable-id
      Optional. ID. See Section 3.3.2.

3.28. FileData Class

   The FileData class describes files of interest identified during the
   analysis of an incident.

   +------------------------+
   | FileData               |
   +------------------------+
   | ID observable-id       |<>--{1..*}--[ File ]
   | ENUM restriction       |
   | STRING ext-restriction |
   +------------------------+

                    Figure 52: The FileData Class

   The aggregate class that constitutes FileData is:

   File
      One or more. A description of a file.

   The FileData class has three attributes:

   observable-id
      Optional. ID. See Section 3.3.2.

   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.

3.28.1. File Class

   The File class describes a file and its associated metadata.
   +-----------------------+
   | File                  |
   +-----------------------+
   | ID observable-id      |<>--{0..1}--[ FileName ]
   |                       |<>--{0..1}--[ FileSize ]
   |                       |<>--{0..1}--[ FileType ]
   |                       |<>--{0..*}--[ URL ]
   |                       |<>--{0..1}--[ HashData ]
   |                       |<>--{0..1}--[ SignatureData ]
   |                       |<>--{0..1}--[ AssociatedSoftware ]
   |                       |<>--{0..*}--[ FileProperties ]
   +-----------------------+

                      Figure 53: The File Class

   The aggregate classes that constitute File are:

   FileName
      Zero or One. STRING. The name of the file.

   FileSize
      Zero or One. INTEGER. The size of the file in bytes.

   FileType
      Zero or One. STRING. The type of file per the IANA Media Types
      Registry [IANA.Media]. Valid values correspond to the text in the
      "Template" column (e.g., "application/pdf").

   URL
      Zero or more. A URL reference to the file.

   HashData
      Zero or One. Hash(es) associated with this file.

   SignatureData
      Zero or One. Signature(s) associated with this file.

   AssociatedSoftware
      Zero or One. The software application or operating system to
      which this file belongs. See Section 3.22.2 for the definition.

   FileProperties
      Zero or more. Mechanism by which to extend the data model to
      describe properties of the file. See Section 3.9.

   The File class has one attribute:

   observable-id
      Optional. ID. See Section 3.3.2.

3.29. HashData Class

   The HashData class describes different types of hashes on a given
   object (e.g., file, part of a file, email).

   +--------------------------+
   | HashData                 |
   +--------------------------+
   | ENUM scope               |<>--{0..1}--[ HashTarget ]
   |                          |<>--{0..*}--[ Hash ]
   |                          |<>--{0..*}--[ FuzzyHash ]
   +--------------------------+

                    Figure 54: The HashData Class

   The aggregate classes that constitute HashData are:

   HashTarget
      Zero or One.
      An identifier that references a subset of the object per the
      @scope attribute.

   Hash
      Zero or more. The hash generated on the object.

   FuzzyHash
      Zero or more. The fuzzy hash of the object.

   A single instance of Hash or FuzzyHash MUST be present.

   The HashData class has one attribute:

   scope
      Required. ENUM. Describes the scope of the hash on a type of
      object. These values are maintained in the "HashData-scope" IANA
      registry per Table 1.

      1. file-contents. A hash computed over the entire contents of a
         file.

      2. file-pe-section. A hash computed on a given section of a
         Windows Portable Executable (PE) file. If set to this value,
         the HashTarget class MUST identify the section being hashed.
         This section is identified by an ordinal number (starting at
         1) corresponding to the order in which the given section
         header was defined in the Section Table of the PE file header.

      3. file-pe-iat. A hash computed on the Import Address Table
         (IAT) of a PE file. As IAT hashes are often tool dependent,
         if this value is set, the HashTarget class MUST specify the
         tool used to generate the hash.

      4. file-pe-resource. A hash computed on a given resource in a PE
         file. If set to this value, the HashTarget class MUST
         identify the resource being hashed. This resource is
         identified by an ordinal number (starting at 1) corresponding
         to the order in which the given resource is declared in the
         Resource Directory of the Data Directory in the PE file
         header.

      5. file-pdf-object. A hash computed on a given object in a
         Portable Document Format (PDF) file. If set to this value,
         the HashTarget class MUST identify the object being hashed.
         This object is identified by its offset in the PDF file.

      6. email-hash. A hash computed over the headers and body of an
         email message.

      7. email-headers-hash.
         A hash computed over all of the headers of an email message.

      8. email-body-hash. A hash computed over the body of an email
         message.

      9. ext-value. An escape value used to extend this attribute.
         See Section 5.1.1.

   ext-scope
      Optional. STRING. A means by which to extend the scope
      attribute. See Section 5.1.1.

3.29.1. Hash Class

   The Hash class describes a specific hash value, the algorithm, and
   the application used to generate it.

   +----------------+
   | Hash           |
   +----------------+
   |                |<>----------[ ds:DigestMethod ]
   |                |<>----------[ ds:DigestValue ]
   |                |<>--{0..1}--[ ds:CanonicalizationMethod ]
   |                |<>--{0..1}--[ Application ]
   +----------------+

                      Figure 55: The Hash Class

   The aggregate classes that constitute Hash are:

   ds:DigestMethod
      One. The hash algorithm used to generate the hash. See
      Section 4.3.3.5 of [W3C.XMLSIG].

   ds:DigestValue
      One. The computed hash value. See Section 4.3.3.6 of
      [W3C.XMLSIG].

   ds:CanonicalizationMethod
      Zero or one. The canonicalization method used for the hash. See
      Section 4.3.1 of [W3C.XMLSIG].

   Application
      Zero or One. The application used to calculate the hash.

   The Hash class has no attributes.

3.29.2. FuzzyHash Class

   The FuzzyHash class describes a fuzzy hash (in an extensible way) and
   the application used to generate it.

   +--------------------------+
   | FuzzyHash                |
   +--------------------------+
   |                          |<>--{0..*}--[ AdditionalData ]
   |                          |<>--{0..1}--[ Application ]
   +--------------------------+

                   Figure 56: The FuzzyHash Class

   The aggregate classes that constitute FuzzyHash are:

   AdditionalData
      Zero or more. Mechanism by which to extend the data model. See
      Section 3.9.

   Application
      Zero or One. The application used to calculate the hash.

   The FuzzyHash class has no attributes.

3.30.
SignatureData Class

   The SignatureData class describes different signatures on a given
   object.

   +--------------------------+
   | SignatureData            |
   +--------------------------+
   |                          |<>--{1..*}--[ ds:Signature ]
   +--------------------------+

                  Figure 57: The SignatureData Class

   The aggregate class that constitutes SignatureData is:

   ds:Signature
      One or more. A given signature. See Section 4.2 of [W3C.XMLSIG].

   The SignatureData class has no attributes.

3.31. IndicatorData Class

   The IndicatorData class describes the indicators identified from
   analysis of an incident.

   +--------------------------+
   | IndicatorData            |
   +--------------------------+
   |                          |<>--{1..*}--[ Indicator ]
   +--------------------------+

                  Figure 58: The IndicatorData Class

   The aggregate class that constitutes IndicatorData is:

   Indicator
      One or more. An indicator from the incident.

   The IndicatorData class has no attributes.

3.32. Indicator Class

   The Indicator class describes a cyber indicator. An indicator
   consists of observable features and phenomena that aid in the
   forensic or proactive detection of malicious activity, and associated
   metadata. This indicator can be described outright or reference
   observable features and phenomena described elsewhere in the
   incident information. Portions of an incident description can be
   composed to define an indicator, as can the indicators themselves.
   +------------------------+
   | Indicator              |
   +------------------------+
   | ENUM restriction       |<>----------[ IndicatorID ]
   | STRING ext-restriction |<>--{0..1}--[ AlternativeIndicatorID ]
   |                        |<>--{0..*}--[ Description ]
   |                        |<>--{0..1}--[ StartTime ]
   |                        |<>--{0..1}--[ EndTime ]
   |                        |<>--{0..1}--[ Confidence ]
   |                        |<>--{0..*}--[ Contact ]
   |                        |<>--{0..1}--[ Observable ]
   |                        |<>--{0..1}--[ ObservableReference ]
   |                        |<>--{0..1}--[ IndicatorExpression ]
   |                        |<>--{0..1}--[ IndicatorReference ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                    Figure 59: The Indicator Class

   The aggregate classes that constitute Indicator are:

   IndicatorID
      One. An identifier for this indicator. See Section 3.32.1.

   AlternativeIndicatorID
      Zero or one. An alternative identifier for this indicator. See
      Section 3.32.2.

   Description
      Zero or more. ML_STRING. A free-form textual description of the
      indicator.

   StartTime
      Zero or one. DATETIME. A timestamp of the start of the time
      period during which this indicator is valid.

   EndTime
      Zero or one. DATETIME. A timestamp of the end of the time period
      during which this indicator is valid.

   Confidence
      Zero or one. An estimate of the confidence in the quality of the
      indicator. See Section 3.14.5.

   Contact
      Zero or more. Contact information for this indicator. See
      Section 3.10.

   Observable
      Zero or one. An observable feature or phenomenon of this
      indicator. See Section 3.32.3.

   ObservableReference
      Zero or one. A reference to a feature or phenomenon defined
      elsewhere in the document. See Section 3.32.5.

   IndicatorExpression
      Zero or one. A composition of observables. See Section 3.32.4.

   IndicatorReference
      Zero or one. A reference to an indicator.

   AdditionalData
      Zero or more. Mechanism by which to extend the data model.
      See Section 3.9.

   The Indicator class MUST have exactly one instance of an Observable,
   IndicatorExpression, ObservableReference, or IndicatorReference
   class.

   The StartTime and EndTime classes can be used to define an interval
   during which the indicator is valid. If both classes are present,
   the indicator is considered valid only during the described interval.
   If neither class is provided, the indicator is considered valid
   during any time interval. If only a StartTime is provided, the
   indicator is valid any time after this timestamp. If only an EndTime
   is provided, the indicator is valid any time prior to this timestamp.

   The Indicator class has two attributes:

   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.

3.32.1. IndicatorID Class

   The IndicatorID class identifies an indicator with a globally unique
   identifier. The combination of the name and version attributes and
   the element content form this identifier. Indicators generated by a
   given CSIRT MUST NOT reuse the same value unless they are referencing
   the same indicator.

   +------------------+
   | IndicatorID      |
   +------------------+
   | ID               |
   |                  |
   | STRING name      |
   | STRING version   |
   +------------------+

                   Figure 60: The IndicatorID Class

   The IndicatorID class has two attributes:

   name
      Required. STRING. An identifier describing the CSIRT that
      created the indicator. In order to have a globally unique CSIRT
      name, the fully qualified domain name associated with the CSIRT
      MUST be used. This format is identical to the IncidentID@name
      attribute in Section 3.4.

   version
      Required. STRING. A version number of an indicator.

3.32.2.
AlternativeIndicatorID Class

   The AlternativeIndicatorID class lists alternative identifiers for an
   indicator.

   +-------------------------+
   | AlternativeIndicatorID  |
   +-------------------------+
   | ENUM restriction        |<>--{1..*}--[ IndicatorReference ]
   | STRING ext-restriction  |
   +-------------------------+

              Figure 61: The AlternativeIndicatorID Class

   The aggregate class that constitutes AlternativeIndicatorID is:

   IndicatorReference
      One or more. A reference to an indicator.

   The AlternativeIndicatorID class has two attributes:

   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.

3.32.3. Observable Class

   The Observable class describes a feature or phenomenon that can be
   observed or measured for the purposes of detecting malicious
   behavior.

   +-------------------+
   | Observable        |
   +-------------------+
   |                   |<>--{0..1}--[ Address ]
   |                   |<>--{0..1}--[ DomainData ]
   |                   |<>--{0..1}--[ Service ]
   |                   |<>--{0..1}--[ EmailData ]
   |                   |<>--{0..1}--[ ApplicationHeader ]
   |                   |<>--{0..1}--[ WindowsRegistryKeysModified ]
   |                   |<>--{0..1}--[ FileData ]
   |                   |<>--{0..1}--[ CertificateData ]
   |                   |<>--{0..1}--[ RecordData ]
   |                   |<>--{0..1}--[ EventData ]
   |                   |<>--{0..1}--[ Incident ]
   |                   |<>--{0..*}--[ Expectation ]
   |                   |<>--{0..*}--[ Reference ]
   |                   |<>--{0..1}--[ Assessment ]
   |                   |<>--{0..1}--[ HistoryItem ]
   |                   |<>--{0..1}--[ BulkObservable ]
   |                   |<>--{0..*}--[ AdditionalData ]
   +-------------------+

                   Figure 62: The Observable Class

   The aggregate classes that constitute Observable are:

   Address
      Zero or One. An Address observable. See Section 3.20.1.

   DomainData
      Zero or One. A DomainData observable. See Section 3.21.

   Service
      Zero or One. A Service observable. See Section 3.22.
   EmailData
      Zero or One. An EmailData observable. See Section 3.24.

   ApplicationHeader
      Zero or One. An ApplicationHeader observable. See
      Section 3.22.1.

   WindowsRegistryKeysModified
      Zero or One. A WindowsRegistryKeysModified observable. See
      Section 3.26.

   FileData
      Zero or One. A FileData observable. See Section 3.28.

   CertificateData
      Zero or One. A CertificateData observable. See Section 3.27.

   RecordData
      Zero or One. A RecordData observable. See Section 3.25.1.

   EventData
      Zero or One. An EventData observable. See Section 3.16.

   Incident
      Zero or One. An Incident observable. See Section 3.2.

   Expectation
      Zero or more. An Expectation observable. See Section 3.17.

   Reference
      Zero or more. A Reference observable. See Section 3.13.1.

   Assessment
      Zero or One. An Assessment observable. See Section 3.14.

   HistoryItem
      Zero or One. A HistoryItem observable. See Section 3.15.1.

   BulkObservable
      Zero or One. A bulk list of observables. See Section 3.32.3.1.

   AdditionalData
      Zero or more. Mechanism by which to extend the data model. See
      Section 3.9.

   The Observable class MUST have exactly one of the possible child
   classes.

   The Observable class has no attributes.

3.32.3.1. BulkObservable Class

   The BulkObservable class allows the bulk enumeration of a single type
   of observable without requiring each one to be encoded individually
   in multiple instances of the same class. The type attribute
   describes the type of observable listed in the child
   BulkObservableList class. The BulkObservableFormat class optionally
   provides additional metadata.
   +---------------------------+
   | BulkObservable            |
   +---------------------------+
   | ENUM type                 |<>--{0..1}--[ BulkObservableFormat ]
   | STRING ext-type           |<>----------[ BulkObservableList ]
   |                           |<>--{0..*}--[ AdditionalData ]
   +---------------------------+

                 Figure 63: The BulkObservable Class

   The aggregate classes that constitute BulkObservable are:

   BulkObservableFormat
      Zero or one. Provides additional metadata about the observables
      enumerated in the BulkObservableList class.

   BulkObservableList
      One. STRING. A list of observables, one per line. Each line is
      separated with either a CR or CR-and-LF. The type attribute
      specifies which observables are listed.

   AdditionalData
      Zero or more. Mechanism by which to extend the data model. See
      Section 3.9.

   The BulkObservable class has two attributes:

   type
      Optional. ENUM. The type of the observable listed in the child
      BulkObservableList class. These values are maintained in the
      "BulkObservable-type" IANA registry per Table 1.

      1. asn. Autonomous System Number (per the Address@category
         attribute).

      2. atm. Asynchronous Transfer Mode (ATM) address (per the
         Address@category attribute).

      3. e-mail. Electronic mail address (RFC 822) (per the
         Address@category attribute).

      4. ipv4-addr. IPv4 host address in dotted-decimal notation
         (e.g., 192.0.2.1) (per the Address@category attribute).

      5. ipv4-net. IPv4 network address in dotted-decimal notation,
         slash, significant bits (e.g., 192.0.2.0/24) (per the
         Address@category attribute).

      6. ipv4-net-mask. IPv4 network address in dotted-decimal
         notation, slash, network mask in dotted-decimal notation
         (i.e., 192.0.2.0/255.255.255.0) (per the Address@category
         attribute).

      7. ipv6-addr. IPv6 host address (e.g., 2001:DB8::3) (per the
         Address@category attribute).

      8. ipv6-net.
         IPv6 network address, slash, significant bits
         (e.g., 2001:DB8::/32) (per the Address@category attribute).

      9. ipv6-net-mask. IPv6 network address, slash, network mask
         (per the Address@category attribute).

      10. mac. Media Access Control (MAC) address (i.e., a:b:c:d:e:f)
          (per the Address@category attribute).

      11. site-uri. A URL or URI for a resource (per the
          Address@category attribute).

      12. fqdn. Fully qualified domain name.

      13. domain-name. A fully qualified domain name or part of a
          name (e.g., fqdn.example.com, example.com).

      14. domain-to-ipv4. An fqdn-to-IPv4 address mapping specified as
          a comma separated list (e.g., "fqdn.example.com, 192.0.2.1").

      15. domain-to-ipv6. An fqdn-to-IPv6 address mapping specified as
          a comma separated list (e.g., "fqdn.example.com,
          2001:DB8::3").

      16. domain-to-ipv4-timestamp. Same as domain-to-ipv4 but with a
          timestamp (in the DATETIME format) of the resolution (e.g.,
          "fqdn.example.com, 192.0.2.1, 2015-06-11T00:38:31-06:00").

      17. domain-to-ipv6-timestamp. Same as domain-to-ipv6 but with a
          timestamp (in the DATETIME format) of the resolution (e.g.,
          "fqdn.example.com, 2001:DB8::3, 2015-06-11T00:38:31-06:00").

      18. ipv4-port. An IPv4 address, port and protocol tuple (e.g.,
          192.0.2.1, 80, tcp). The protocol name corresponds to the
          "Keyword" column in the [IANA.Protocols] registry.

      19. ipv6-port. An IPv6 address, port and protocol tuple (e.g.,
          2001:DB8::3, 80, tcp). The protocol name corresponds to the
          "Keyword" column in the [IANA.Protocols] registry.

      20. windows-reg-key. A Microsoft Windows Registry key.

      21. file-hash. A file hash. The format of this hash is
          described in the Hash class that MUST be present in a sibling
          BulkObservableFormat class.

      22. email-x-mailer. An X-Mailer field from an email.

      23. email-subject. An email subject line.

      24. http-user-agent.
          A User Agent field from an HTTP request header (e.g.,
          "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101
          Firefox/38.0").

      25. http-request-uri. The Request URI from an HTTP request
          header.

      26. mutex. The name of a system mutex.

      27. file-path. A file path (e.g., "/tmp/local/file",
          "c:\windows\system32\file.sys").

      28. user-name. A username.

      29. ext-value. An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-type
      Optional. STRING. A means by which to extend the type attribute.
      See Section 5.1.1.

3.32.3.1.1. BulkObservableFormat Class

   The BulkObservableFormat class specifies metadata about the format
   of an observable enumerated in a sibling BulkObservableList class.

   +---------------------------+
   | BulkObservableFormat      |
   +---------------------------+
   |                           |<>--{0..1}--[ Hash ]
   |                           |<>--{0..*}--[ AdditionalData ]
   +---------------------------+

              Figure 64: The BulkObservableFormat Class

   The aggregate classes that constitute BulkObservableFormat are:

   Hash
      Zero or one. Describes the format of a hash.

   AdditionalData
      Zero or more. Mechanism by which to extend the data model. See
      Section 3.9.

   The BulkObservableFormat class has no attributes.

   Either Hash or AdditionalData MUST be present.

3.32.4. IndicatorExpression Class

   The IndicatorExpression describes an expression composed of observed
   phenomena or features, or indicators. Elements of the expression
   can be described directly, reference relevant data from other parts
   of a given IODEF document, or reference previously defined
   indicators.

   All child classes of a given instance of IndicatorExpression form a
   boolean algebraic expression where the operator between them is
   determined by the operator attribute. Nesting an IndicatorExpression
   in itself is akin to a parenthesis in the expression.
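   The BulkObservableList rules in Section 3.32.3.1 (one observable per
   line, CR or CR-and-LF separators, a per-type line format) are easy to
   get wrong when ingesting shared indicator lists. The following is an
   added example, not code from the draft: a parser that splits the list
   as the draft describes (LF alone is also accepted, an assumption for
   robustness), then validates each line against a subset of the
   BulkObservable@type registry using the Python standard library. The
   sample list is constructed.

```python
"""Parse and validate a BulkObservableList (IODEF v2, Section 3.32.3.1).

Added example, not the draft's code.  Only part of the type registry is
implemented; unknown types are rejected rather than guessed at.
"""
import ipaddress
import re
from datetime import datetime

# Constructed sample content of a BulkObservableList whose parent
# BulkObservable carries type="domain-to-ipv4-timestamp".  The third
# entry is deliberately malformed to show how bad lines are reported.
SAMPLE_LIST = (
    "fqdn.example.com, 192.0.2.1, 2015-06-11T00:38:31-06:00\r\n"
    "www.example.net, 192.0.2.44, 2015-06-12T10:00:00Z\r"
    "bad.example.org, 999.0.2.1, 2015-06-12T10:00:00Z\r\n"
)

# The draft says lines are separated by CR or CR-and-LF; a bare LF is
# tolerated here as an assumption, since real feeds often use it.
_LINE_SPLIT = re.compile(r"\r\n|\r|\n")

# Hostname shape check (labels of 1..63 chars, total <= 253), used for
# the fqdn and domain-to-* types.
_FQDN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$",
    re.I,
)


def split_list(content):
    """Return the non-empty, whitespace-trimmed lines of the list."""
    return [line.strip() for line in _LINE_SPLIT.split(content) if line.strip()]


def _ipv4(s):
    return str(ipaddress.IPv4Address(s))        # AddressValueError is a ValueError


def _ipv6(s):
    return str(ipaddress.IPv6Address(s))


def _net(s):
    # Accepts both prefix-length (192.0.2.0/24) and dotted-mask
    # (192.0.2.0/255.255.255.0) forms, covering ipv4-net / ipv4-net-mask.
    return str(ipaddress.ip_network(s, strict=False))


def _fqdn(s):
    if not _FQDN.match(s):
        raise ValueError(f"not a fully qualified domain name: {s!r}")
    return s.lower()


def _timestamp(s):
    # DATETIME in the draft is ISO 8601; map a trailing "Z" to "+00:00"
    # so datetime.fromisoformat accepts it on all supported versions.
    if s.endswith("Z"):
        s = s[:-1] + "+00:00"
    return datetime.fromisoformat(s)


def _port(s):
    n = int(s)
    if not 0 <= n <= 65535:
        raise ValueError(f"port out of range: {n}")
    return n


def _proto(s):
    # IANA protocol keyword (e.g. tcp, udp); only the shape is checked.
    if not re.fullmatch(r"[A-Za-z0-9-]+", s):
        raise ValueError(f"bad protocol keyword: {s!r}")
    return s.lower()


def _tuple(*field_parsers):
    """Build a parser for the comma-separated tuple types of the registry."""
    def parse(line):
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != len(field_parsers):
            raise ValueError(f"expected {len(field_parsers)} fields, got {len(parts)}")
        return tuple(fp(p) for fp, p in zip(field_parsers, parts))
    return parse


TYPE_PARSERS = {
    "ipv4-addr": _ipv4,
    "ipv6-addr": _ipv6,
    "ipv4-net": _net,
    "ipv4-net-mask": _net,
    "ipv6-net": _net,
    "fqdn": _fqdn,
    "domain-to-ipv4": _tuple(_fqdn, _ipv4),
    "domain-to-ipv6": _tuple(_fqdn, _ipv6),
    "domain-to-ipv4-timestamp": _tuple(_fqdn, _ipv4, _timestamp),
    "domain-to-ipv6-timestamp": _tuple(_fqdn, _ipv6, _timestamp),
    "ipv4-port": _tuple(_ipv4, _port, _proto),
    "ipv6-port": _tuple(_ipv6, _port, _proto),
}


def parse_bulk_observable(obs_type, content):
    """Return (accepted, rejected) for a BulkObservableList.

    accepted holds the parsed entries; rejected holds (line, reason)
    pairs for lines that do not satisfy the format of obs_type.
    """
    if obs_type not in TYPE_PARSERS:
        raise ValueError(f"unsupported BulkObservable@type: {obs_type!r}")
    parser = TYPE_PARSERS[obs_type]
    accepted, rejected = [], []
    for line in split_list(content):
        try:
            accepted.append(parser(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected
```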
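   The boolean composition described for IndicatorExpression can be
   evaluated against the set of observables a detection system has
   already matched. The following is an added example, not code from
   the draft. Because the draft leaves the operator semantics as a TODO,
   it makes explicit assumptions: the default operator is "and", "not"
   takes exactly one operand, "xor" over several operands is parity, an
   Observable is matched when any of its child classes carries a matched
   observable-id, ObservableReference and IndicatorReference match on
   uid-ref, and AdditionalData contributes no truth value. The XML
   sample is constructed.

```python
"""Evaluate an IODEF v2 IndicatorExpression (Section 3.32.4).

Added example, not the draft's code; operator semantics are assumptions
(see the comments), since the draft does not yet define them.
"""
import functools
import operator
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-2.0"   # namespace from Section 4.2


def q(name):
    """Clark-notation tag for an element in the IODEF namespace."""
    return f"{{{NS}}}{name}"


# Constructed sample expressing: (obs-a AND obs-b) OR (NOT obs-c)
SAMPLE_XML = f"""
<IndicatorExpression xmlns="{NS}" operator="or">
  <IndicatorExpression operator="and">
    <Observable>
      <Address category="ipv4-addr" observable-id="obs-a">192.0.2.1</Address>
    </Observable>
    <Observable>
      <DomainData observable-id="obs-b"><Name>fqdn.example.com</Name></DomainData>
    </Observable>
  </IndicatorExpression>
  <IndicatorExpression operator="not">
    <ObservableReference uid-ref="obs-c"/>
  </IndicatorExpression>
</IndicatorExpression>
"""


def _operand(elem, matched):
    """Truth value of one child of an IndicatorExpression, or None if it
    carries no truth value (AdditionalData)."""
    tag = elem.tag
    if tag == q("IndicatorExpression"):
        return evaluate(elem, matched)            # nesting == parentheses
    if tag == q("Observable"):
        # Observable has no attributes of its own; its single child class
        # (Address, DomainData, ...) carries the observable-id (assumption).
        return any(child.get("observable-id") in matched for child in elem)
    if tag in (q("ObservableReference"), q("IndicatorReference")):
        return elem.get("uid-ref") in matched
    if tag == q("AdditionalData"):
        return None
    raise ValueError(f"unexpected child of IndicatorExpression: {tag}")


def evaluate(expr, matched):
    """Evaluate an IndicatorExpression element against matched identifiers."""
    op = expr.get("operator", "and")              # assumption: default is "and"
    values = [v for v in (_operand(c, matched) for c in expr) if v is not None]
    if not values:
        raise ValueError("IndicatorExpression has no operands")
    if op == "not":
        if len(values) != 1:                      # assumption: unary "not"
            raise ValueError('"not" requires exactly one operand')
        return not values[0]
    if op == "and":
        return all(values)
    if op == "or":
        return any(values)
    if op == "xor":                               # assumption: n-ary parity
        return functools.reduce(operator.xor, values)
    raise ValueError(f"unknown operator: {op!r}")


def evaluate_xml(xml_text, matched):
    """Parse an IndicatorExpression document and evaluate it."""
    return evaluate(ET.fromstring(xml_text), frozenset(matched))
```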
   +--------------------------+
   | IndicatorExpression      |
   +--------------------------+
   | ENUM operator            |<>--{0..*}--[ IndicatorExpression ]
   |                          |<>--{0..*}--[ Observable ]
   |                          |<>--{0..*}--[ ObservableReference ]
   |                          |<>--{0..*}--[ IndicatorReference ]
   |                          |<>--{0..*}--[ AdditionalData ]
   +--------------------------+

               Figure 65: The IndicatorExpression Class

   The aggregate classes that constitute IndicatorExpression are:

   IndicatorExpression
      Zero or more. An expression composed of other observables or
      indicators.

   Observable
      Zero or more. A description of an observable.

   ObservableReference
      Zero or more. A reference to another observable.

   IndicatorReference
      Zero or more. A reference to another indicator.

   AdditionalData
      Zero or more. Mechanism by which to extend the data model. See
      Section 3.9.

   ... TODO Additional text is required to describe the valid
   combinations of classes and how the operator class should be applied
   ...

   The IndicatorExpression class has one attribute:

   operator
      Optional. ENUM. The operator to be applied between the child
      elements.

      1. not. Negation operator.

      2. and. Conjunction operator.

      3. or. Disjunction operator.

      4. xor. Exclusive disjunction operator.

3.32.5. ObservableReference Class

   The ObservableReference describes a reference to an observable
   feature or phenomenon described elsewhere in the document.

   This class has no content.

   +-------------------------+
   | ObservableReference     |
   +-------------------------+
   | EMPTY                   |
   |                         |
   | IDREF uid-ref           |
   +-------------------------+

              Figure 66: The ObservableReference Class

   The ObservableReference class has one attribute:

   uid-ref
      Required. IDREF. An identifier that serves as a reference to a
      class in the IODEF document.
      The referenced class will have this identifier set in the
      observable-id attribute.

3.32.6. IndicatorReference Class

   The IndicatorReference describes a reference to an indicator. This
   reference may be to an indicator described in the IODEF document or
   in a previously exchanged IODEF document.

   +--------------------------+
   | IndicatorReference       |
   +--------------------------+
   | EMPTY                    |
   |                          |
   | IDREF uid-ref            |
   | STRING euid-ref          |
   | STRING version           |
   +--------------------------+

               Figure 67: The IndicatorReference Class

   The IndicatorReference class has three attributes:

   uid-ref
      Optional. IDREF. An identifier that serves as a reference to an
      Indicator class in the IODEF document. The referenced Indicator
      class will have this identifier set in the IndicatorID class.

   euid-ref
      Optional. STRING. An identifier that references an IndicatorID
      not in this IODEF document.

   version
      Optional. STRING. A version number of an indicator.

   Either the uid-ref or the euid-ref attribute MUST be set.

4. Processing Considerations

   This section defines additional requirements on creating and parsing
   IODEF documents.

4.1. Encoding

   Every IODEF document MUST begin with an XML declaration, and MUST
   specify the XML version used. The character encoding MUST also be
   explicitly specified. UTF-8 [RFC3629] SHOULD be used unless UTF-16
   [RFC2781] is necessary. Encodings other than UTF-8 and UTF-16 SHOULD
   NOT be used. The IODEF conforms to all XML data encoding conventions
   and constraints.

   The XML declaration with no character encoding will read as follows:

   <?xml version="1.0" ?>

   When a character encoding is specified, the XML declaration will read
   like the following:

   <?xml version="1.0" encoding="charset" ?>

   Where "charset" is the name of the character encoding as registered
   with the Internet Assigned Numbers Authority (IANA), see [RFC2978].
   The following characters have special meaning in XML and MUST be
   escaped with their entity reference equivalent: "&", "<", ">", "\""
   (double quotation mark), and "'" (apostrophe). These entity
   references are "&amp;", "&lt;", "&gt;", "&quot;", and "&apos;"
   respectively.

4.2. IODEF Namespace

   The IODEF schema declares a namespace of
   "urn:ietf:params:xml:ns:iodef-2.0" and registers it per [W3C.XMLNS].
   Each IODEF document MUST include a valid reference to the IODEF
   schema using the "xsi:schemaLocation" attribute. An example of such
   a declaration would look as follows:

   A given extension attribute MUST NOT be set unless the corresponding
   extensible attribute has been set to "ext-value".

5.1.2. Public Extension of Enumerated Values

   Selected enumerated values of the attributes defined in the data
   model can be extended by adding entries to the corresponding IANA
   registry. Table 1 enumerates these registries. Section 4.3 discusses
   the XML validation implications of these types of extensions.

5.2. Extending Classes

   The classes of the data model can be extended only through the use of
   the AdditionalData and RecordItem classes. These container classes,
   collectively referred to as the extensible classes, are implemented
   with the iodef:ExtensionType data type in the schema. They provide
   the ability to have new atomic or XML-encoded data elements in all of
   the top-level classes of the Incident class and a few of the more
   complicated subordinate classes. As there are multiple instances of
   the extensible classes in the data model, there is discretion on
   where to add a new data element. It is RECOMMENDED that the
   extension be placed in the class most closely related to the new
   information.

   Extensions using the atomic data types (i.e., all values of the dtype
   attribute other than "xml") MUST:

   1.
Set the element content of extensible class to the desired value, 5009 and 5011 2. Set the dtype attribute to correspond to the data type of the 5012 element content. 5014 The following guidelines exist for extensions using XML: 5016 1. The element content of the extensible class MUST be set to the 5017 desired value and the dtype attribute MUST be set to "xml". 5019 2. The extension schema MUST declare a separate namespace. It is 5020 RECOMMENDED that these extensions have the prefix "iodef-". This 5021 recommendation makes readability of the document easier by 5022 allowing the reader to infer which namespaces relate to IODEF by 5023 inspection. 5025 3. It is RECOMMENDED that extension schemas follow the naming 5026 convention of the IODEF data model. This makes reading an 5027 extended IODEF document look like any other IODEF document. The 5028 names of all elements are capitalized. For elements with 5029 composed names, a capital letter is used for each word. 5030 Attribute names are lower case. Attributes with composed names 5031 are separated by a hyphen. 5033 4. Parsers that encounter an unrecognized element in a namespace 5034 that they do support MUST reject the document as a syntax error. 5036 5. There are security and performance implications in requiring 5037 implementations to dynamically download schemas at run time. 5038 Thus, implementations SHOULD NOT download schemas at runtime, 5039 unless implementations take appropriate precautions and are 5040 prepared for potentially significant network, processing, and 5041 time-out demands. 5043 6. Some users of the IODEF may have private schema definitions that 5044 might not be available on the Internet. In this situation, if a 5045 IODEF document leaks out of the private use space, references to 5046 some of those document schemas may not be resolvable. This has 5047 two implications. First, references to private schemas may never 5048 resolve. 
As such, in addition to the suggestion that 5049 implementations do not download schemas at runtime mentioned 5050 above, recipients MUST be prepared for a schema definition in an 5051 IODEF document never to resolve. 5053 The following schema and XML document excerpt provide a template for 5054 an extension schema and its use in the IODEF document. 5056 This example schema defines a namespace of "iodef-extension1" and a 5057 single element named "newdata". 5059 5063 attributeFormDefault="unqualified" 5064 elementFormDefault="qualified"> 5065 5069 5070 5072 The following XML excerpt demonstrates the use of the above schema as 5073 an extension to the IODEF. 5075 5082 5083 ... 5084 5085 5086 Field that could not be represented elsewhere 5087 5088 5089 5115 6. Internationalization Issues 5117 Internationalization and localization is of specific concern to the 5118 IODEF, since it is only through collaboration, often across language 5119 barriers, that certain incidents be resolved and threat information 5120 shared. The IODEF supports this goal by depending on XML constructs, 5121 and through explicit design choices in the data model. 5123 Since IODEF is implemented as an XML Schema, it implicitly supports 5124 all the different character encodings, such as UTF-8 and UTF-16, 5125 possible with XML. Additionally, each IODEF document MUST specify 5126 the language in which their contents are encoded. The language can 5127 be specified with the attribute "xml:lang" (per Section 2.12 of 5128 [W3C.XML]) in the top-level element (i.e., IODEF-Document) and 5129 letting all other elements inherit that definition. All IODEF 5130 classes with a free-form text definition (i.e., all those defined of 5131 type iodef:MLStringType) can also specify a language different from 5132 the rest of the document. The valid language codes for the 5133 "xml:lang" attribute are described in [RFC5646]. 5135 The data model supports multiple translations of free-form text. 
   For classes where free-text is used for descriptive purposes (e.g.,
   classes of the iodef:MLStringType type such as the Description
   class), the given class always has a one-to-many cardinality to its
   parent.  The intent is to allow the identical text to be encoded in
   different instances of the same class, each in a different language.
   This approach allows an IODEF document author to send recipients
   speaking different languages an identical document.  The IODEF parser
   SHOULD extract the appropriate language relevant to the recipient.

   Related instances of a given iodef:MLStringType class that are
   translations of each other are identified by a common identifier set
   in the translation-id attribute.  The example below shows three
   instances of a Description class expressed in three different
   languages.  The relationship between these three instances of the
   Description class is conveyed by the common value of "1" in the
   translation-id attribute.

   ...
   <Description xml:lang="en" translation-id="1">English</Description>
   <Description xml:lang="de" translation-id="1">Englisch</Description>
   <Description xml:lang="fr" translation-id="1">Anglais</Description>

   While the intent of the data model is to provide internationalization
   and localization, the intent is not to do so to the detriment of
   interoperability.  While the IODEF does support different languages,
   the data model also relies heavily on standardized enumerated
   attributes that can crudely approximate the contents of the document.
   With this approach, a CSIRT should be able to make some sense of an
   IODEF document it receives even if the text-based data elements are
   written in a language unfamiliar to the analyst.

7.  Examples

   This section provides examples of an incident encoded in the IODEF.
   These examples do not necessarily represent the only way to encode a
   particular incident.

7.1.  Worm

   An example of a CSIRT reporting an instance of the Code Red worm.
   [Example markup lost in extraction.  Surviving values, in document
   order: 189493; 2001-09-13T23:19:24+00:00; "Host sending out Code Red
   probes"; Example.com CSIRT; example-com; contact@csirt.example.com;
   192.0.2.200; 57; 192.0.2.16/28; 80; 2001-09-13T18:11:21+02:00;
   "Web-server logs"; the log record

      192.0.2.1 - - [13/Sep/2001:18:11:21 +0200] "GET /default.ida?
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

   http://mylogs.example.com/logs/httpd_access;
   2001-09-14T08:19:01+00:00; "Notification sent to
   constituency-contact@192.0.2.200".]

7.2.  Reconnaissance

   An example of a CSIRT reporting a scanning activity.

   [Example markup lost in extraction.  Surviving values, in document
   order: 59334; 2006-08-02T05:54:02-05:00; nmap;
   http://nmap.toolsite.example.com; CSIRT for example.com;
   contact@csirt.example.com; +1 412 555 12345; Joe Smith;
   smith@csirt.example.com; 192.0.2.200; 60524,60526,60527,60531;
   192.0.2.201; 137-139,445; 192.0.2.240; 192.0.2.64/28; 445.]

7.3.  Bot-Net Reporting

   An example of a CSIRT reporting a bot-network.

   [Example markup lost in extraction.  Surviving values, in document
   order: 908711; 2006-06-08T05:44:53-05:00; "Large bot-net"; GT Bot;
   CA-2003-22; http://www.cert.org/advisories/CA-2003-22.html; "Root
   compromise via this IE vulnerability to install the GT Bot"; Joe
   Smith; jsmith@csirt.example.com; "These hosts are compromised and
   acting as bots communicating with irc.example.com."; 192.0.2.1;
   10000; bot; 192.0.2.3; 250000; bot; irc.example.com; 192.0.2.20;
   2006-06-08T01:01:03-05:00; "IRC server on #give-me-cmd channel";
   "Confirm the source and take machines off-line and remediate".]

7.4.  Watch List

   An example of a CSIRT conveying a watch-list.

   [Example markup lost in extraction.  Surviving values, in document
   order: 908711; 2006-08-01T00:00:00-05:00; "Watch-list of known bad
   IPs or networks"; CSIRT for example.com; contact@csirt.example.com;
   192.0.2.53; "Source of numerous attacks"; 192.0.2.16/28; "Source of
   heavy scanning over past 1-month"; 192.0.2.241; "C2 IRC server".]
8.  The IODEF Schema

   [Schema text lost in extraction.]

9.  Security Considerations

   The IODEF data model itself does not directly introduce security
   issues.  Rather, it simply defines a representation for incident
   information.  As the data encoded by the IODEF might be considered
   privacy sensitive by the parties exchanging the information or by
   those described by it, care needs to be taken in ensuring the
   appropriate disclosure during both document exchange and subsequent
   processing.  The former must be handled by a messaging format, but
   the latter risk must be addressed by the systems that process, store,
   and archive IODEF documents and information derived from them.

   Executable content could be embedded into the IODEF document directly
   or through an extension.  The IODEF parser should handle this content
   with care to prevent unintentional automated execution.

   The contents of an IODEF document may include a request for action,
   or an IODEF parser may independently have logic to take certain
   actions based on information that it finds.  For this reason, care
   must be taken by the parser to properly authenticate the recipient of
   the document and ascribe an appropriate confidence to the data prior
   to action.

   The underlying messaging format and protocol used to exchange
   instances of the IODEF MUST provide appropriate guarantees of
   confidentiality, integrity, and authenticity.  The use of a
   standardized security protocol is encouraged.  The Real-time Inter-
   network Defense (RID) protocol [RFC6545] and its associated transport
   binding IODEF/RID over HTTP/TLS [RFC6546] provide such security.

   In order to suggest data processing and handling guidelines for the
   encoded information, the IODEF allows a document sender to convey a
   privacy policy using the restriction attribute.  The various
   instances of this attribute allow different data elements of the
   document to be covered by dissimilar policies.  While flexible, it
   must be stressed that this approach only serves as a guideline from
   the sender, as the recipient is free to ignore it.  The issue of
   enforcement is not a technical problem.

10.  IANA Considerations

   This document registers a namespace, XML schema, and a number of
   registries that map to enumerated values defined in the schema.

10.1.  Namespace and Schema

   This document uses URNs to describe an XML namespace and schema
   conforming to the registry mechanism described in [RFC3688].

   Registration for the IODEF namespace:

   o  URI: urn:ietf:params:xml:ns:iodef-2.0

   o  Registrant Contact: See the first author of the "Authors'
      Addresses" section of this document.

   o  XML: None.  Namespace URIs do not represent an XML specification.

   Registration for the IODEF XML schema:

   o  URI: urn:ietf:params:xml:schema:iodef-2.0

   o  Registrant Contact: See the first author of the "Authors'
      Addresses" section of this document.

   o  XML: See the "IODEF Schema" in Section 8 of this document.

10.2.  Enumerated Value Registries

   This document creates xx identically structured registries to be
   managed by IANA:

   o  Name of the parent registry: "Incident Object Description Exchange
      Format v2 (IODEF)"

   o  URL of the registry: http://www.iana.org/assignments/iodef2

   o  Namespace format: A registry entry consists of:

      *  Value.  An enumerated value for a given IODEF attribute.

      *  Description.  A short description of the enumerated value.

      *  Reference.  An optional list of URIs to further describe the
         value.

   o  Allocation policy: Expert Review per [RFC5226]

   The registries to be created are named in the table below in the
   "Registry Name" column.  The initial values for the Value and
   Description fields of a given registry are listed in the "IV (Value)"
   and "IV (Description)" columns respectively.  The "IV (Value)" points
   to a given schema attribute or type per Section 8.  Each enumerated
   value in the schema gets a corresponding entry in a given registry.
   The "IV (Description)" points to a section in the text of this
   document.  The initial value of the Reference field of every registry
   entry described below should be this document.
   +--------------------------------+----------------------------+--------------------+
   | Registry Name                  | IV (Value)                 | IV (Description)   |
   +--------------------------------+----------------------------+--------------------+
   | Restriction                    | iodef:restriction-type     | Section 3.3.1      |
   | Incident-purpose               | Incident@purpose           | Section 3.2        |
   | Incident-status                | Incident@status            | Section 3.2        |
   | Contact-role                   | Contact@role               | Section 3.10       |
   | Contact-type                   | Contact@type               | Section 3.10       |
   | RegistryHandle-registry        | RegistryHandle@registry    | Section 3.10.1     |
   | Expectation-action             | iodef:action-type          | Section 3.17       |
   | Discovery-source               | Discovery@source           | Section 3.12       |
   | SystemImpact-type              | SystemImpact@type          | Section 3.14.1     |
   | BusinessImpact-severity        | BusinessImpact@severity    | Section 3.14.2     |
   | BusinessImpact-type            | BusinessImpact@type        | Section 3.14.2     |
   | TimeImpact-metrics             | TimeImpact@metric          | Section 3.14.3     |
   | TimeImpact-duration            | iodef:duration-type        | Section 3.14.3     |
   | NodeRole-category              | NodeRole@category          | Section 3.20.2     |
   | System-category                | System@category            | Section 3.19       |
   | System-ownership               | System@ownership           | Section 3.19       |
   | Address-category               | Address@category           | Section 3.20.1     |
   | Counter-type                   | Counter@type               | Section 3.20.3     |
   | Counter-unit                   | Counter@unit               | Section 3.20.3     |
   | DomainData-system-status       | DomainData@system-status   | Section 3.21       |
   | DomainData-domain-status       | DomainData@domain-status   | Section 3.21       |
   | RelatedDNS-record-type         | RelatedDNS@record-type     | Section 3.21.1     |
   | RecordPattern-type             | RecordPattern@type         | Section 3.25.2     |
   | RecordPattern-offsetunit       | RecordPattern@offsetunit   | Section 3.25.2     |
   | Key-registryaction             | Key@registryaction         | Section 3.26.1     |
   | HashData-scope                 | HashData@scope             | Section 3.29       |
   | BulkObservable-type            | BulkObservable@type        | Section 3.32.3.1   |
   | AdditionalData-dtype           | iodef:dtype-type           | Section 3.9        |
   | EmailHeaderField-proto-dtype   | iodef:proto-dtype-type     | Section 3.22.1     |
   +--------------------------------+----------------------------+--------------------+

                  Table 1: IANA Enumerated Value Registries

11.  Acknowledgments

   The following groups and individuals, listed alphabetically,
   contributed substantially to this document and should be recognized
   for their efforts.

   o  Kathleen Moriarty, EMC Corporation

   o  Brian Trammell, ETH Zurich

   o  Patrick Cain, Cooper-Cain Group, Inc.

   o  ... TODO many more to add ...

12.  References

12.1.  Normative References

   [W3C.XML]  World Wide Web Consortium, "Extensible Markup Language
              (XML) 1.0 (Second Edition)", W3C Recommendation, October
              2000.

   [W3C.SCHEMA]
              World Wide Web Consortium, "XML Schema Part 1: Structures
              Second Edition", W3C Recommendation, October 2004.

   [W3C.SCHEMA.DTYPES]
              World Wide Web Consortium, "XML Schema Part 2: Datatypes
              Second Edition", W3C Recommendation, October 2004.

   [W3C.XMLNS]
              World Wide Web Consortium, "Namespaces in XML", W3C
              Recommendation, January 1999.

   [W3C.XPATH]
              World Wide Web Consortium, "XML Path Language (XPath)
              2.0", W3C Candidate Recommendation, June 2006.

   [W3C.XMLSIG]
              World Wide Web Consortium, "XML Signature Syntax and
              Processing 2.0", W3C Candidate Recommendation, June 2008.
   [IEEE.POSIX]
              Institute of Electrical and Electronics Engineers,
              "Information Technology - Portable Operating System
              Interface (POSIX) - Part 1: Base Definitions", IEEE
              1003.1, June 2001.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC5646]  Phillips, A. and M. Davis, "Tags for Identifying
              Languages", RFC 5646, September 2009.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", RFC 3986,
              January 2005.

   [RFC2978]  Freed, N. and J. Postel, "IANA Charset Registration
              Procedures", BCP 19, RFC 2978, October 2000.

   [RFC4519]  Sciberras, A., "Lightweight Directory Access Protocol
              (LDAP): Schema for User Applications", RFC 4519, June
              2006.

   [RFC5322]  Resnick, P., "Internet Message Format", RFC 5322, October
              2008.

   [RFC3339]  Klyne, G. and C. Newman, "Date and Time on the Internet:
              Timestamps", RFC 3339, July 2002.

   [RFC-ENUM]
              Montville, A. and D. Black, "IODEF Enumeration Reference
              Format", RFC ENUM, January 2015.

   [ISO8601]  International Organization for Standardization,
              "International Standard: Data elements and interchange
              formats - Information interchange - Representation of
              dates and times", ISO 8601, Second Edition, December 2000.

   [ISO4217]  International Organization for Standardization,
              "International Standard: Codes for the representation of
              currencies and funds, ISO 4217:2001", ISO 4217:2001,
              August 2001.

   [RFC3688]  Mealling, M., "The IETF XML Registry", RFC 3688, January
              2004.

   [IANA.Ports]
              Internet Assigned Numbers Authority, "Service Name and
              Transport Protocol Port Number Registry", January 2014.

   [IANA.Protocols]
              Internet Assigned Numbers Authority, "Assigned Internet
              Protocol Numbers", January 2014.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", RFC 3629, November 2003.

   [RFC2781]  Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO
              10646", RFC 2781, February 2000.

   [IANA.Media]
              Internet Assigned Numbers Authority, "Media Types", March
              2015.

12.2.  Informative References

   [RFC5070]  Danyliw, R., Meijer, J., and Y. Demchenko, "Incident
              Object Description Exchange Format", RFC 5070, December
              2007.

   [refs.requirements]
              Keeni, G., Demchenko, Y., and R. Danyliw, "Requirements
              for the Format for Incident Information Exchange (FINE)",
              Work in Progress, June 2006.

   [RFC4765]  Debar, H., Curry, D., and B. Feinstein, "Intrusion
              Detection Message Exchange Format", RFC 4765, March 2007.

   [RFC6545]  Moriarty, K., "Real-time Inter-network Defense (RID)", RFC
              6545, April 2012.

   [RFC6546]  Trammell, B., "Transport of Real-time Inter-network
              Defense (RID) Messages over HTTP/TLS", RFC 6546, April
              2012.

   [RFC5901]  Cain, P. and D. Jevans, "Extensions to the IODEF-Document
              Class for Reporting Phishing", RFC 5901, July 2010.

   [NIST800.61rev2]
              Cichonski, P., Millar, T., Grance, T., and K. Scarfone,
              "NIST Special Publication 800-61 Revision 2: Computer
              Security Incident Handling Guide", January 2012.

   [RFC3982]  Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg)
              Type for the Internet Registry Information Service
              (IRIS)", RFC 3982, January 2005.

   [KB310516]
              Microsoft Corporation, "How to add, modify, or delete
              registry subkeys and values by using a registration
              entries (.reg) file", December 2007.

   [RFC4180]  Shafranovich, Y., "Common Format and MIME Type for Comma-
              Separated Values (CSV) Files", RFC 4180, October 2005.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", RFC 5226, May 2008.

Authors' Addresses

   Roman Danyliw
   CERT - Software Engineering Institute
   Pittsburgh, PA
   USA

   EMail: rdd@cert.org


   Paul Stoecker
   RSA
   Reston, VA
   USA

   EMail: paul.stoecker@rsa.com