MILE Working Group                                          R. Danyliw
Internet-Draft                                                    CERT
Obsoletes: 5070 (if approved)                             May 10, 2016
Intended status: Standards Track
Expires: November 11, 2016

          The Incident Object Description Exchange Format v2
                    draft-ietf-mile-rfc5070-bis-21

Abstract

   The Incident Object Description Exchange Format (IODEF) defines a data representation for security incident reports and cyber indicators commonly exchanged by operational security teams for mitigation and watch and warning.
   This document describes an updated information model for the IODEF and provides an associated data model specified with XML Schema. This new information and data model obsoletes Request for Comment (RFC) 5070, "The Incident Object Description Exchange Format".

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 11, 2016.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008.
   The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.

Table of Contents

   1.  Introduction
     1.1.  Terminology
     1.2.  Notations
     1.3.  About the IODEF Data Model
     1.4.  Changelog
   2.  IODEF Data Types
     2.1.  Integers
     2.2.  Real Numbers
     2.3.  Characters and Strings
     2.4.  Multilingual Strings
     2.5.  Binary Strings
       2.5.1.  Base64 Bytes
       2.5.2.  Hexadecimal Bytes
     2.6.  Enumerated Types
     2.7.  Date-Time String
     2.8.  Timezone String
     2.9.  Port Lists
     2.10. Postal Address
     2.11. Telephone Number
     2.12. Email String
     2.13. Uniform Resource Locator strings
     2.14. Identifiers and Identifier References
     2.15. Software
       2.15.1.  SoftwareReference Class
     2.16. Extension
   3.  The IODEF Information Model
     3.1.  IODEF-Document Class
     3.2.  Incident Class
     3.3.  Common Attributes
       3.3.1.  restriction Attribute
       3.3.2.  observable-id Attribute
     3.4.  IncidentID Class
     3.5.  AlternativeID Class
     3.6.  RelatedActivity Class
     3.7.  ThreatActor Class
     3.8.  Campaign Class
     3.9.  Contact Class
       3.9.1.  RegistryHandle Class
       3.9.2.  PostalAddress Class
       3.9.3.  Email Class
       3.9.4.  Telephone Class
     3.10. Discovery Class
       3.10.1.  DetectionPattern Class
     3.11. Method Class
       3.11.1.  Reference Class
     3.12. Assessment Class
       3.12.1.  SystemImpact Class
       3.12.2.  BusinessImpact Class
       3.12.3.  TimeImpact Class
       3.12.4.  MonetaryImpact Class
       3.12.5.  Confidence Class
     3.13. History Class
       3.13.1.  HistoryItem Class
     3.14. EventData Class
       3.14.1.  Relating the Incident and EventData Classes
       3.14.2.  Recursive Definition of EventData
     3.15. Expectation Class
     3.16. Flow Class
     3.17. System Class
     3.18. Node Class
       3.18.1.  Address Class
       3.18.2.  NodeRole Class
       3.18.3.  Counter Class
     3.19. DomainData Class
       3.19.1.  Nameservers Class
       3.19.2.  DomainContacts Class
     3.20. Service Class
       3.20.1.  ServiceName Class
       3.20.2.  ApplicationHeader Class
     3.21. EmailData Class
     3.22. Record Class
       3.22.1.  RecordData Class
       3.22.2.  RecordPattern Class
     3.23. WindowsRegistryKeysModified Class
       3.23.1.  Key Class
     3.24. CertificateData Class
       3.24.1.  Certificate Class
     3.25. FileData Class
       3.25.1.  File Class
     3.26. HashData Class
       3.26.1.  Hash Class
       3.26.2.  FuzzyHash Class
     3.27. SignatureData Class
     3.28. IndicatorData Class
     3.29. Indicator Class
       3.29.1.  IndicatorID Class
       3.29.2.  AlternativeIndicatorID Class
       3.29.3.  Observable Class
       3.29.4.  IndicatorExpression Class
       3.29.5.  Expressions with IndicatorExpression
       3.29.6.  ObservableReference Class
       3.29.7.  IndicatorReference Class
       3.29.8.  AttackPhase Class
   4.  Processing Considerations
     4.1.  Encoding
     4.2.  IODEF Namespace
     4.3.  Validation
     4.4.  Incompatibilities with v1
   5.  Extending the IODEF
     5.1.  Extending the Enumerated Values of Attributes
       5.1.1.  Private Extension of Enumerated Values
       5.1.2.  Public Extension of Enumerated Values
     5.2.  Extending Classes
     5.3.  Deconflicting Private Extensions
   6.  Internationalization Issues
   7.  Examples
     7.1.  Minimal Example
     7.2.  Indicators from a Campaign
   8.  The IODEF Data Model (XML Schema)
   9.  Security Considerations
     9.1.  Security
     9.2.  Privacy
   10. IANA Considerations
     10.1. Namespace and Schema
     10.2. Enumerated Value Registries
   11. Acknowledgments
   12. References
     12.1. Normative References
     12.2. Informative References
   Author's Address

1.  Introduction

   Organizations require help from other parties to mitigate malicious activity targeting their network and to gain insight into potential threats. This coordination might entail working with an ISP to filter attack traffic, contacting a remote site to take down a botnet, or sharing watch-lists of known malicious indicators in a consortium.

   The Incident Object Description Exchange Format (IODEF) is a format for representing computer security information commonly exchanged between Computer Security Incident Response Teams (CSIRTs). It provides an XML representation for conveying:

   o  cyber intelligence to characterize threats;

   o  cyber incident reports to document particular cyber security events or relationships between events;

   o  cyber event mitigation activity to proactively and reactively mitigate activity; and

   o  meta-data so that these various classes of information can be exchanged among parties.

   The purpose of the IODEF is to enhance the operational capabilities of CSIRTs.
   Adoption of the IODEF will improve the ability of a CSIRT to resolve security incidents, understand cyber threats, and coordinate response activities and proactive mitigations by simplifying collaboration and data sharing with its partners. The structured format provided by the IODEF allows for:

   o  machine-to-machine exchange of incident and cyber intelligence data;

   o  automated processing of this data, thereby allowing more rapid execution of appropriate courses of action; and

   o  the development of an ecosystem of interoperable tools enabling security operations.

   Sharing and coordinating with other organizations is not strictly a technical problem. There are numerous procedural, cultural, legal and trust-related barriers to overcome. The IODEF does not attempt to address them directly. However, operational implementations of the IODEF will need to consider these challenges.

   Section 1 provides the background for the IODEF. Sections 3 and 8 specify the IODEF information and data model respectively. The data types used in this document are described in Section 2. Processing considerations, extending the specification, internationalization and security issues are covered in Sections 4, 5, 6 and 9 respectively. Examples are listed in Section 7.

1.1.  Terminology

   The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

1.2.  Notations

   The IODEF is specified as an Extensible Markup Language (XML) [W3C.XML] Schema [W3C.SCHEMA]. The normative IODEF data model is found in the XML schema in Section 8. To aid in the understanding of the data elements, Section 3 also depicts the underlying information model using Unified Modeling Language (UML). This abstract presentation of the IODEF is not normative.
   For clarity in this document, the term "XML document" will be used when referring generically to any instance of an XML document. The term "IODEF document" will be used to refer to an XML document conforming to the IODEF specification. The term "schema" will be used to refer to Section 8 of this document. The terms "data model" and "schema" will be used interchangeably. The terms "class" and "element" will be used to reference the corresponding data element in the UML-based information model or the XML Schema-based data model, respectively.

1.3.  About the IODEF Data Model

   A number of considerations were made in the design of the IODEF data model.

   o  The data model found in this document is an evolution of the one previously specified in [RFC5070]. New fields were added to represent additional information. [RFC5070] was developed primarily to represent incident reports. This document builds upon it by adding support for cyber indicators and revising it to reflect the current challenges faced by CSIRTs. An attempt was made to preserve backward compatibility, but this was not possible in all cases. See Section 4.4. This document obsoletes [RFC5070].

   o  The IODEF is a transport format. Therefore, the data model may not be the optimal archival or in-memory processing format.

   o  The IODEF is intended to be a framework to convey only commonly exchanged information. It ensures that there are mechanisms for extensibility to support organization-specific information and techniques to reference information kept outside of the data model.

   o  Not all commonly exchanged information has a well-defined format or taxonomy. The IODEF attempts to strike a balance between enforcing sufficient structure to allow automated processing and supporting free-form content that enables maximum flexibility.
   o  The IODEF fits into a broader ecosystem of standards and conventions. An attempt was made to harmonize the data model with this context.

1.4.  Changelog

   A detailed list of additions made to the [RFC5070] data model is enumerated in this section. See Section 4.4 for a list of incompatible changes.

   o  Updated the data types (Section 2) to improve internationalization, clarify ambiguity, and ensure consistency in extensions.

   o  Added the observable-id attribute (Section 3.3.2) and the IndicatorData class (Section 3.28) to represent indicators.

   o  Added the private-enum-name and -id attributes to the IODEF-Document class (Section 3.1) to disambiguate private extensions.

   o  Updated the Incident class (Section 3.2) to represent additional timing and workflow information.

   o  Added the ThreatActor (Section 3.7) and Campaign (Section 3.8) classes to represent attack attribution information.

   o  Updated the Contact class (Section 3.9) and its children to improve internationalization and represent additional information about an entity.

   o  Updated the Method class (Section 3.11) to improve extensibility through externally referenced resources.

   o  Added the Discovery class (Section 3.10) to describe how an incident was discovered.

   o  Updated the Assessment class (Section 3.12) to enable more descriptive characterizations of the impact of an incident.

   o  Updated the HistoryItem (Section 3.13.1) and Expectation (Section 3.15) classes to support a reference to a course of action.

   o  Updated the EventData class (Section 3.14) with the additional meta-data added to the Incident class.

   o  Updated the System class (Section 3.17) with additional meta-data.

   o  Updated the Counter class (Section 3.18.3) to support additional rate metrics.
   o  Added the DomainData (Section 3.19), EmailData (Section 3.21), WindowsRegistryKeysModified (Section 3.23), CertificateData (Section 3.24) and FileData (Section 3.25) classes to improve the description of an incident and support this data as indicators.

   o  Added the SignatureData (Section 3.27) and HashData (Section 3.26) classes to represent digital signatures and hashes.

   o  Added support for public enumerated attribute extensions using IANA registries (Section 5.1.2).

   o  Updated numerous enumerated attributes for completeness.

2.  IODEF Data Types

   The IODEF uses a number of simple and complex types. This section describes these data types.

2.1.  Integers

   An integer is represented in the information model by the INTEGER data type. Integer data MUST be encoded in Base 10.

   The INTEGER data type is implemented in the data model as a "xs:integer" type per Section 3.3.13 of [W3C.SCHEMA.DTYPES].

2.2.  Real Numbers

   A real (floating-point) number is represented in the information model by the REAL data type. Real data MUST be encoded in Base 10.

   The REAL data type is implemented in the data model as a "xs:float" type per Section 3.2.4 of [W3C.SCHEMA.DTYPES].

2.3.  Characters and Strings

   A single character is represented in the information model by the CHARACTER data type. A string is represented by the STRING data type. Special characters MUST be encoded using entity references. See Section 4.1.

   The CHARACTER and STRING data types are implemented in the data model as a "xs:string" type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].

2.4.  Multilingual Strings

   A string that needs to be represented in a human-readable language different from the default encoding of the document is represented in the information model by the ML_STRING data type.

   The ML_STRING data type is implemented in the data model as the "iodef:MLStringType" type.
   This type extends the "xs:string" to include two attributes.

   +------------------------+
   | iodef:MLStringType     |
   +------------------------+
   | xs:string              |
   |                        |
   | ENUM xml:lang          |
   | STRING translation-id  |
   +------------------------+

             Figure 1: The iodef:MLStringType Type

   The content of the class is a character string of type "xs:string" whose language MAY be specified by the xml:lang attribute.

   The attributes of the iodef:MLStringType type are:

   xml:lang
      Optional. ENUM. A language identifier per Section 2.12 of [W3C.XML] whose values and format are described in [RFC5646]. The interpretation of this code is described in Section 6.

   translation-id
      Optional. STRING. An identifier to relate other instances of this class with the same parent as translations of this text. The scope of this identifier is limited to all of the direct, peer child classes of a given parent class.

   Using this class enables representing translations of the same text in multiple languages. Each translation is a distinct instance of this class with a common parent. A group of classes each with a translated instance of text is related by setting a common identifier in the translation-id attribute. The language of a given class is set by the xml:lang attribute. See Section 6 for more details on representing translations of free-form text.

2.5.  Binary Strings

   Binary octets can be represented with two encodings.

2.5.1.  Base64 Bytes

   A binary octet encoded with Base64 is represented in the information model by the BYTE data type. A sequence of these octets is of the BYTE[] data type.

   The BYTE and BYTE[] data types are implemented in the data model as a "xs:base64Binary" type per Section 3.2.16 of [W3C.SCHEMA.DTYPES].
2.5.2.  Hexadecimal Bytes

   A binary octet encoded as a character tuple consisting of two hexadecimal digits is represented in the information model by the HEXBIN data type. A sequence of these octets is of the HEXBIN[] data type.

   The HEXBIN and HEXBIN[] data types are implemented in the data model as a "xs:hexBinary" type per Section 3.2.15 of [W3C.SCHEMA.DTYPES].

2.6.  Enumerated Types

   An enumerated type is represented in the information model by the ENUM data type. It is an ordered list of acceptable string values. Each value has a representative keyword. Within the data model, the enumerated type keywords are used as attribute values.

   The ENUM data type is implemented in the data model as values of a "xs:NMTOKEN" type per Section 3.3.4 of [W3C.SCHEMA.DTYPES].

2.7.  Date-Time String

   A date-time string that describes a particular instant in time is represented in the information model by the DATETIME data type. Ranges are not supported.

   The DATETIME data type is implemented in the data model as a "xs:dateTime" type per Section 3.2.7 of [W3C.SCHEMA.DTYPES].

2.8.  Timezone String

   A timezone offset from UTC is represented in the information model by the TIMEZONE data type. It is formatted according to the following regular expression: "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]".

   The TIMEZONE data type is implemented in the data model as an "iodef:TimezoneType" type.

2.9.  Port Lists

   A list of network ports is represented in the information model by the PORTLIST data type. A PORTLIST consists of a comma-separated list of numbers and ranges (N-M means ports N through M, inclusive). It is formatted according to the following regular expression: "\d+(\-\d+)?(,\d+(\-\d+)?)*". For example, "2,5-15,30,32,40-50,55-60".

   The PORTLIST data type is implemented in the data model as an "iodef:PortlistType" type.
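   As an added illustration (not part of this draft), the following Python checks TIMEZONE and PORTLIST values against the regular expressions given in Sections 2.8 and 2.9 and expands a PORTLIST into the individual ports a consumer would act on. The reversed-range and port-above-65535 rejections are assumptions made here for robustness: the draft's regular expressions are purely syntactic and accept values such as "50-40" or "80000".

```python
import re
from datetime import timedelta
from typing import List

# Regular expressions exactly as given in Sections 2.8 and 2.9 of the draft.
TIMEZONE_RE = re.compile(r"Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]")
PORTLIST_RE = re.compile(r"\d+(\-\d+)?(,\d+(\-\d+)?)*")

# Assumption made in this example (not stated by the draft): a port number
# above this value cannot be acted on, so it is rejected.
MAX_PORT = 65535


def parse_timezone(value: str) -> timedelta:
    """Return the UTC offset encoded by an iodef:TimezoneType value.

    Raises ValueError if the value does not match the Section 2.8 pattern
    (fullmatch is used so that trailing garbage is not silently accepted).
    """
    if TIMEZONE_RE.fullmatch(value) is None:
        raise ValueError(f"not a TIMEZONE value: {value!r}")
    if value == "Z":
        return timedelta(0)
    sign = 1 if value[0] == "+" else -1
    hours, minutes = (int(part) for part in value[1:].split(":"))
    return sign * timedelta(hours=hours, minutes=minutes)


def parse_portlist(value: str) -> List[int]:
    """Expand an iodef:PortlistType value into a sorted list of distinct ports.

    Syntax is checked with the Section 2.9 regex; the two semantic checks
    (reversed range, port above MAX_PORT) are this example's own additions.
    """
    if PORTLIST_RE.fullmatch(value) is None:
        raise ValueError(f"not a PORTLIST value: {value!r}")
    ports = set()
    for item in value.split(","):
        low_text, _, high_text = item.partition("-")
        low = int(low_text)
        high = int(high_text) if high_text else low  # "N" means the range N-N
        if high < low:
            raise ValueError(f"reversed range in PORTLIST: {item!r}")
        if high > MAX_PORT:
            raise ValueError(f"port above {MAX_PORT} in PORTLIST: {item!r}")
        ports.update(range(low, high + 1))
    return sorted(ports)


def is_valid_timezone(value: str) -> bool:
    """True if the value is an acceptable TIMEZONE string."""
    try:
        parse_timezone(value)
    except ValueError:
        return False
    return True


def is_valid_portlist(value: str) -> bool:
    """True if the value is an acceptable PORTLIST string (incl. semantic checks)."""
    try:
        parse_portlist(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values: the draft's own PORTLIST example plus a
    # syntactically valid but semantically unusable one.
    print(parse_portlist("2,5-15,30,32,40-50,55-60"))
    print(parse_timezone("-05:00"))
    print(is_valid_portlist("50-40"))
```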
2.10.  Postal Address

   A postal address is represented in the information model by the POSTAL data type. The format of the POSTAL data type is documented in Section 2.23 of [RFC4519] as a free-form multi-line string separated by the "$" character.

   The POSTAL data type is implemented in the data model as an "iodef:MLStringType" type.

2.11.  Telephone Number

   A telephone number is represented in the information model by the PHONE data type. The format of the PHONE data type is documented in Section 2.35 of [RFC4519].

   The PHONE data type is implemented in the data model as a "xs:string" type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].

2.12.  Email String

   An email address is represented in the information model by the EMAIL data type. The format of the EMAIL data type is documented in Section 3.4.1 of [RFC5322].

   The EMAIL data type is implemented in the data model as a "xs:string" type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].

2.13.  Uniform Resource Locator strings

   A uniform resource locator (URL) is represented in the information model by the URL data type. The format of the URL data type is documented in [RFC3986].

   The URL data type is implemented as a "xs:anyURI" type per Section 3.2.17 of [W3C.SCHEMA.DTYPES].

2.14.  Identifiers and Identifier References

   An identifier unique to the IODEF document is represented in the information model by the ID data type. A reference to this identifier is represented by the IDREF data type.

   The ID and IDREF data types are implemented in the model as "xs:ID" and "xs:IDREF" types per Sections 3.3.8 and 3.3.9 of [W3C.SCHEMA.DTYPES].

2.15.  Software

   A particular version of software is represented in the information model by the SOFTWARE data type. This software can be described by using a reference, a URL or with free-form text.
   The SOFTWARE data type is implemented in the data model as the "iodef:SoftwareType" type.

   +--------------------+
   | iodef:SoftwareType |
   +--------------------+
   |                    |<>--{0..1}--[ SoftwareReference ]
   |                    |<>--{0..*}--[ URL ]
   |                    |<>--{0..*}--[ Description ]
   +--------------------+

                 Figure 2: The SoftwareType Type

   The aggregate classes of the SoftwareType type are:

   SoftwareReference
      Zero or one. Reference to a software application. See Section 2.15.1.

   URL
      Zero or more. URL. A URL to a resource describing the software.

   Description
      Zero or more. ML_STRING. A free-form text description of the software.

   At least one of these classes MUST be present.

   The iodef:SoftwareType type has no attributes.

2.15.1.  SoftwareReference Class

   The SoftwareReference class is a reference to a particular version of software.

   +----------------------+
   | SoftwareReference    |
   +----------------------+
   | xs:any               |
   |                      |
   | ENUM spec-name       |
   | STRING ext-spec-name |
   | ENUM dtype           |
   | STRING ext-dtype     |
   +----------------------+

             Figure 3: The SoftwareReference Class

   The element content varies according to the value of the spec-name attribute. It is defined in the data model as "xs:any" per [W3C.SCHEMA].

   The attributes of the SoftwareReference class are:

   spec-name
      Required. ENUM. Identifies the format and semantics of the element body of this class. Formal standards and specifications can be referenced as well as a free-form text description with a user-provided data type. These values are maintained in the "SoftwareReference-spec-id" IANA registry per Section 10.2.

      1.  custom. The element content is free-form and of the data type specified by the dtype attribute. If this value is selected, then the dtype attribute MUST be set.

      2.  cpe. The element content describes a Common Platform Enumeration (CPE) entry per [NIST.CPE].
      3.  swid. The element content describes a software identification (SWID) tag per [ISO19770].

      4.  ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

   ext-spec-name
      Optional. STRING. A means by which to extend the spec-name attribute. See Section 5.1.1.

   dtype
      Optional. ENUM. The data type of the element content. The permitted values for this attribute are shown below. The default value is "string". These values are maintained in the "SoftwareReference-dtype" IANA registry per Section 10.2.

      1.  bytes. The element content is of type HEXBIN.

      2.  integer. The element content is of type INTEGER.

      3.  real. The element content is of type REAL.

      4.  string. The element content is of type STRING.

      5.  xml. The element content is XML. See Section 5.2.

      6.  ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

   ext-dtype
      Optional. STRING. A means by which to extend the dtype attribute. See Section 5.1.1.

2.16.  Extension

   Information not otherwise represented in the IODEF can be added using the EXTENSION data type. This data type is a generic extension mechanism.

   The EXTENSION data type is implemented in the data model as the "iodef:ExtensionType" type.

   The data type of an EXTENSION is described by the dtype attribute. For simple information, atomic data types (e.g., integers, strings) are supported. Their semantics are further described by the meaning and formatid attributes. Encapsulating XML documents conforming to another schema is also supported. A detailed discussion of extending the schema can be found in Section 5.
Additional coordination may be 672 required to ensure that a recipient of a document using this type can 673 parse and process it. 675 +------------------------+ 676 | iodef:ExtensionType | 677 +------------------------+ 678 | xs:any | 679 | | 680 | STRING name | 681 | ENUM dtype | 682 | STRING ext-dtype | 683 | STRING meaning | 684 | STRING formatid | 685 | ENUM restriction | 686 | STRING ext-restriction | 687 | ID observable-id | 688 +------------------------+ 690 Figure 4: The iodef:ExtensionType Type 692 The element content of this type is the extension being added to the 693 data model. This content is defined in the data model as "xs:any" 694 per [W3C.SCHEMA]. 696 The attributes of the iodef:ExtensionType type are: 698 name 699 Optional. STRING. A free-form name of the field or data element. 701 dtype 702 Required. ENUM. The data type of the element content. The 703 default value is "string". These values are maintained in the 704 "ExtensionType-dtype" IANA registry per Section 10.2. 706 1. boolean. The element content is of type BOOLEAN. 708 2. byte. The element content is of type BYTE. 710 3. bytes. The element content is of type HEXBIN. 712 4. character. The element content is of type CHARACTER. 714 5. date-time. The element content is of type DATETIME. 716 6. ntpstamp. Same as date-time. 718 7. integer. The element content is of type INTEGER. 720 8. portlist. The element content is of type PORTLIST. 722 9. real. The element content is of type REAL. 724 10. string. The element content is of type STRING. 726 11. file. The element content is a base64 encoded binary file 727 encoded as a BYTE[] type. 729 12. path. The element content is a file-system path encoded as a 730 STRING type. 732 13. frame. The element content is a layer-2 frame encoded as a 733 HEXBIN type. 735 14. packet. The element content is a layer-3 packet encoded as a 736 HEXBIN type. 738 15. ipv4-packet. The element content is an IPv4 packet encoded 739 as a HEXBIN type. 741 16. ipv6-packet. 
The element content is an IPv6 packet encoded 742 as a HEXBIN type. 744 17. url. The element content is of type URL. 746 18. csv. The element content is a comma-separated value (CSV) 747 list per Section 2 of [RFC4180] encoded as a STRING type. 749 19. winreg. The element content is a Windows registry key 750 encoded as a STRING type. 752 20. xml. The element content is XML. See Section 5. 754 21. ext-value. A value used to indicate that this attribute is 755 extended and the actual value is provided using the 756 corresponding ext-* attribute. See Section 5.1.1. 758 ext-dtype 759 Optional. STRING. A means by which to extend the dtype 760 attribute. See Section 5.1.1. 762 meaning 763 Optional. STRING. A free-form text description of the element 764 content. 766 formatid 767 Optional. STRING. An identifier referencing the format or 768 semantics of the element content. 770 restriction 771 Optional. ENUM. See Section 3.3.1. 773 ext-restriction 774 Optional. STRING. A means by which to extend the restriction 775 attribute. See Section 5.1.1. 777 observable-id 778 Optional. ID. See Section 3.3.2. 780 3. The IODEF Information Model 782 The specifics of the IODEF information model are discussed in this 783 section. Each class and its relationships with the other classes are 784 described. When necessary, clarifications are made about translating 785 this information model to the schema in Section 8. 787 3.1. IODEF-Document Class 789 The IODEF-Document class is the top level class in the IODEF data 790 model. All IODEF documents are an instance of this class.
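As an added illustration, not part of the draft, the following Python builds a minimal IODEF-Document of this shape with xml.etree and then checks the MUST-level rules stated for IODEF-Document and Incident together with the ExtensionType dtype encodings of Section 2.16 (HEXBIN content must be whole octets, "file" must be valid base64, an "ext-value" dtype needs ext-dtype, "xml" content is child elements rather than text). The namespace URI, the CSIRT name csirt.example.com, the tracking numbers and the extension values are assumptions made for the example; a real implementation also validates against the schema of Section 8, which this code does not replace.

```python
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"   # assumed; confirm against Section 8
ET.register_namespace("iodef", IODEF_NS)

def q(tag):
    return "{%s}%s" % (IODEF_NS, tag)            # namespace-qualified element name

def build_document(csirt_fqdn, tracking_no, extensions):
    """One Incident with the mandatory IncidentID, GenerationTime and Contact,
    plus an AdditionalData element per (name, dtype, content) in `extensions`.
    All values are constructed for the example."""
    doc = ET.Element(q("IODEF-Document"), {
        "version": "2.00",
        "private-enum-name": csirt_fqdn,        # FQDN of the generating CSIRT
        "private-enum-id": "ext-1",             # only valid with private-enum-name
    })
    inc = ET.SubElement(doc, q("Incident"),
                        {"purpose": "reporting", "restriction": "need-to-know"})
    ET.SubElement(inc, q("IncidentID"), {"name": csirt_fqdn}).text = tracking_no
    gen = datetime(2016, 5, 10, 12, 0, tzinfo=timezone.utc)
    ET.SubElement(inc, q("GenerationTime")).text = gen.isoformat()
    contact = ET.SubElement(inc, q("Contact"),
                            {"role": "creator", "type": "organization"})
    email = ET.SubElement(contact, q("Email"), {"type": "hotline"})
    ET.SubElement(email, q("EmailTo")).text = "csirt@" + csirt_fqdn
    for name, dtype, content in extensions:
        ET.SubElement(inc, q("AdditionalData"),
                      {"name": name, "dtype": dtype}).text = content
    return doc

_HEX = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")      # HEXBIN: one or more whole octets
_SIMPLE = {
    "integer": re.compile(r"^[+-]?\d+$"),
    "real": re.compile(r"^[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?$"),
}

def extension_content_ok(elem):
    """True when an ExtensionType element's content is a plausible encoding
    of its dtype (Section 2.16); dtype defaults to "string"."""
    dtype = elem.get("dtype", "string")
    text = (elem.text or "").strip()
    if dtype == "xml":                           # child elements, no text
        return len(elem) > 0 and text == ""
    if dtype in ("bytes", "frame", "packet", "ipv4-packet", "ipv6-packet"):
        return _HEX.match(text) is not None
    if dtype in _SIMPLE:
        return _SIMPLE[dtype].match(text) is not None
    if dtype == "file":                          # base64 of a BYTE[]
        try:
            return len(base64.b64decode(text, validate=True)) > 0
        except (ValueError, TypeError):
            return False
    if dtype == "ext-value":                     # extended dtype needs ext-dtype
        return elem.get("ext-dtype") is not None
    return True   # string, path, winreg, csv, url, date-time: not checked here

def validate_document(doc):
    """Return the violations of the MUSTs stated for IODEF-Document, Incident
    and the ExtensionType dtype values; an empty list means acceptable."""
    problems = []
    if doc.get("version") != "2.00":
        problems.append('version must be "2.00"')
    if doc.get("private-enum-id") and not doc.get("private-enum-name"):
        problems.append("private-enum-id set without private-enum-name")
    incidents = doc.findall(q("Incident"))
    if not incidents:
        problems.append("at least one Incident is required")
    for i, inc in enumerate(incidents):
        ids = inc.findall(q("IncidentID"))
        if len(ids) != 1 or not ids[0].get("name") or not (ids[0].text or "").strip():
            problems.append("Incident %d: needs exactly one IncidentID with name" % i)
        if len(inc.findall(q("GenerationTime"))) != 1:
            problems.append("Incident %d: needs exactly one GenerationTime" % i)
        contacts = inc.findall(q("Contact"))
        if not contacts:
            problems.append("Incident %d: needs at least one Contact" % i)
        if any(not (c.get("role") and c.get("type")) or len(c) == 0 for c in contacts):
            problems.append("Incident %d: Contact needs role, type and a child" % i)
    for ext in doc.iter(q("AdditionalData")):
        if not extension_content_ok(ext):
            problems.append("AdditionalData %r: content does not match dtype %r"
                            % (ext.get("name"), ext.get("dtype")))
    return problems

if __name__ == "__main__":
    good = build_document("csirt.example.com", "2016-0001",
                          [("sha256", "bytes", "ab" * 32), ("hits", "integer", "17")])
    print(ET.tostring(good, encoding="unicode"))
    print(validate_document(good))               # []
    bad = build_document("csirt.example.com", "2016-0002", [("blob", "bytes", "zz")])
    bad.set("version", "1.00")
    del bad.attrib["private-enum-name"]
    print(validate_document(bad))                # three findings
```

The dtype checks are deliberately conservative: a recipient that stores or executes extension content (a "file" payload, a "winreg" key, a "frame" that will be replayed into an analysis tool) should reject malformed encodings before use rather than let a parser guess. Note that dtype is marked Required yet given a default of "string"; the code tolerates a missing attribute by applying that default.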
792 +--------------------------+ 793 | IODEF-Document | 794 +--------------------------+ 795 | STRING version |<>--{1..*}--[ Incident ] 796 | ENUM xml:lang |<>--{0..*}--[ AdditionalData ] 797 | STRING format-id | 798 | STRING private-enum-name | 799 | STRING private-enum-id | 800 +--------------------------+ 802 Figure 5: IODEF-Document Class 804 The aggregate classes of the IODEF-Document class are: 806 Incident 807 One or more. The information related to a single incident. See 808 Section 3.2. 810 AdditionalData 811 Zero or more. EXTENSION. Mechanism by which to extend the data 812 model. 814 The attributes of the IODEF-Document class are: 816 version 817 Required. STRING. The IODEF specification version number to 818 which this IODEF document conforms. The value of this attribute 819 MUST be "2.00". 821 xml:lang 822 Optional. ENUM. A language identifier per Section 2.12 of 823 [W3C.XML] whose values and form are described in [RFC5646]. The 824 interpretation of this code is described in Section 6. 826 format-id 827 Optional. STRING. A free-form string to convey processing 828 instructions to the recipient of the document. Its semantics must 829 be negotiated out-of-band. 831 private-enum-name 832 Optional. STRING. A globally unique identifier for the CSIRT 833 generating the document to deconflict private extensions used in 834 the document. The fully qualified domain name associated with the 835 CSIRT MUST be used as the identifier. See Section 5.3. 837 private-enum-id 838 Optional. STRING. An organizationally unique identifier for an 839 extension used in the document. If this attribute is set, the 840 private-enum-name MUST also be set. See Section 5.3. 842 3.2. Incident Class 844 The Incident class describes commonly exchanged information when 845 reporting or sharing derived analysis from security incidents.
847 +-------------------------+ 848 | Incident | 849 +-------------------------+ 850 | ENUM purpose |<>----------[ IncidentID ] 851 | STRING ext-purpose |<>--{0..1}--[ AlternativeID ] 852 | ENUM status |<>--{0..*}--[ RelatedActivity ] 853 | STRING ext-status |<>--{0..1}--[ DetectTime ] 854 | ENUM xml:lang |<>--{0..1}--[ StartTime ] 855 | ENUM restriction |<>--{0..1}--[ EndTime ] 856 | STRING ext-restriction |<>--{0..1}--[ RecoveryTime ] 857 | ID observable-id |<>--{0..1}--[ ReportTime ] 858 | |<>----------[ GenerationTime ] 859 | |<>--{0..*}--[ Description ] 860 | |<>--{0..*}--[ Discovery ] 861 | |<>--{0..*}--[ Assessment ] 862 | |<>--{0..*}--[ Method ] 863 | |<>--{1..*}--[ Contact ] 864 | |<>--{0..*}--[ EventData ] 865 | |<>--{0..1}--[ IndicatorData ] 866 | |<>--{0..1}--[ History ] 867 | |<>--{0..*}--[ AdditionalData ] 868 +-------------------------+ 870 Figure 6: The Incident Class 872 The aggregate classes of the Incident class are: 874 IncidentID 875 One. An incident tracking number assigned to this incident by the 876 CSIRT that generated the IODEF document. See Section 3.4. 878 AlternativeID 879 Zero or one. The incident tracking numbers used by other CSIRTs 880 to refer to the incident described in the document. See 881 Section 3.5. 883 RelatedActivity 884 Zero or more. Related activity and attribution of this activity. 885 See Section 3.6. 887 DetectTime 888 Zero or one. DATETIME. The time the incident was first detected. 890 StartTime 891 Zero or one. DATETIME. The time the incident started. 893 EndTime 894 Zero or one. DATETIME. The time the incident ended. 896 RecoveryTime 897 Zero or one. DATETIME. The time the site recovered from the 898 incident. 900 ReportTime 901 Zero or one. DATETIME. The time the incident was reported. 903 GenerationTime 904 One. DATETIME. The time the content in this Incident class was 905 generated. 907 Description 908 Zero or more. ML_STRING. A free-form text description of the 909 incident. 911 Discovery 912 Zero or more.
The means by which this incident was detected. See 913 Section 3.10. 915 Assessment 916 Zero or more. A characterization of the impact of the incident. 917 See Section 3.12. 919 Method 920 Zero or more. The techniques used by the threat actor in the 921 incident. See Section 3.11. 923 Contact 924 One or more. Contact information for the parties involved in the 925 incident. See Section 3.9. 927 EventData 928 Zero or more. Description of the events comprising the incident. 929 See Section 3.14. 931 IndicatorData 932 Zero or one. Indicators from the analysis of an incident. See 933 Section 3.28. 935 History 936 Zero or one. A log of significant events or actions that occurred 937 during the course of handling the incident. See Section 3.13. 939 AdditionalData 940 Zero or more. EXTENSION. Mechanism by which to extend the data 941 model. 943 The attributes of the Incident class are: 945 purpose 946 Required. ENUM. The purpose attribute describes the 947 rationale for documenting the information in this class. It is 948 closely related to the Expectation class (Section 3.15). These 949 values are maintained in the "Incident-purpose" IANA registry per 950 Section 10.2. This attribute is defined as an enumerated list: 952 1. traceback. The Incident was sent for trace-back purposes. 954 2. mitigation. The Incident was sent to request aid in 955 mitigating the described activity. 957 3. reporting. The Incident was sent to comply with reporting 958 requirements. 960 4. watch. The Incident was sent to convey indicators that should 961 be monitored. 963 5. other. The Incident was sent for purposes specified in the 964 Expectation class. 966 6. ext-value. A value used to indicate that this attribute is 967 extended and the actual value is provided using the 968 corresponding ext-* attribute. See Section 5.1.1. 970 ext-purpose 971 Optional. STRING. A means by which to extend the purpose 972 attribute. See Section 5.1.1. 974 status 975 Optional. ENUM.
The status attribute conveys the state in a 976 workflow where the incident is currently found. These values are 977 maintained in the "Incident-status" IANA registry per 978 Section 10.2. This attribute is defined as an enumerated list: 980 1. new. The Incident is newly reported and has not been 981 actioned. 983 2. in-progress. The contents of this Incident are under 984 investigation. 986 3. forwarded. The Incident has been forwarded to another party 987 for handling. 989 4. resolved. The investigation into the activity in this 990 Incident has concluded. 992 5. future. The described activity has not yet been detected. 994 6. ext-value. A value used to indicate that this attribute is 995 extended and the actual value is provided using the 996 corresponding ext-* attribute. See Section 5.1.1. 998 ext-status 999 Optional. STRING. A means by which to extend the status 1000 attribute. See Section 5.1.1. 1002 xml:lang 1003 Optional. ENUM. A language identifier per Section 2.12 of 1004 [W3C.XML] whose values and form are described in [RFC5646]. The 1005 interpretation of this code is described in Section 6. 1007 restriction 1008 Optional. ENUM. See Section 3.3.1. The default value is 1009 "private". 1011 ext-restriction 1012 Optional. STRING. A means by which to extend the restriction 1013 attribute. See Section 5.1.1. 1015 observable-id 1016 Optional. ID. See Section 3.3.2. 1018 3.3. Common Attributes 1020 There are a number of recurring attributes used in the information 1021 model. They are documented in this section. 1023 3.3.1. restriction Attribute 1025 The restriction attribute indicates the disclosure guidelines to 1026 which the sender expects the recipient to adhere for the information 1027 represented in this class and its children. This guideline provides 1028 no security since there are no technical means to ensure that the 1029 recipient of the document handles the information as the sender 1030 requested. 
1032 The value of this attribute is logically inherited by the children of 1033 this class. That is to say, the disclosure rules applied to this 1034 class, also apply to its children. 1036 It is possible to set a granular disclosure policy, since all of the 1037 high-level classes (i.e., children of the Incident class) have a 1038 restriction attribute. Therefore, a child can override the 1039 guidelines of a parent class, be it to restrict or relax the 1040 disclosure rules (e.g., a child has a weaker policy than an ancestor; 1041 or an ancestor has a weak policy, and the children selectively apply 1042 more rigid controls). The implicit value of the restriction 1043 attribute for a class that did not specify one can be found in the 1044 closest ancestor that did specify a value. 1046 This attribute is defined as an enumerated value with a default value 1047 of "private". Note that the default value of the restriction 1048 attribute is only defined in the context of the Incident class. In 1049 other classes where this attribute is used, no default is specified. 1051 These values are maintained in the "Restriction" IANA registry per 1052 Section 10.2. 1054 1. public. The information can be freely distributed without 1055 restriction. 1057 2. partner. The information may be shared within a closed 1058 community of peers, partners, or affected parties, but cannot be 1059 openly published. 1061 3. need-to-know. The information may be shared only within the 1062 organization with individuals that have a need to know. 1064 4. private. The information may not be shared. 1066 5. default. The information can be shared according to an 1067 information disclosure policy pre-arranged by the communicating 1068 parties. 1070 6. white. Same as 'public'. 1072 7. green. Same as 'partner'. 1074 8. amber. Same as 'need-to-know'. 1076 9. red. Same as 'private'. 1078 10. ext-value. 
A value used to indicate that this attribute is 1079 extended and the actual value is provided using the 1080 corresponding ext-* attribute. See Section 5.1.1. 1082 3.3.2. observable-id Attribute 1084 The observable-id attribute tags information in the document as an 1085 observable so that it can be referenced later in the description of 1086 an indicator. The value of this attribute is a unique identifier in 1087 the scope of the document. It is used by the ObservableReference 1088 class to enumerate observables when defining an indicator with the 1089 IndicatorData class. 1091 3.4. IncidentID Class 1093 The IncidentID class represents a tracking number that is unique in 1094 the context of the CSIRT. It serves as an identifier for an incident 1095 or a document identifier when sharing indicators. This identifier 1096 would serve as an index into a CSIRT's incident handling or knowledge 1097 management system. 1099 The combination of the name attribute and the string in the element 1100 content MUST be a globally unique identifier describing the activity. 1101 Documents generated by a given CSIRT MUST NOT reuse the same value 1102 unless they are referencing the same incident. 1104 +------------------------+ 1105 | IncidentID | 1106 +------------------------+ 1107 | STRING | 1108 | | 1109 | STRING name | 1110 | STRING instance | 1111 | ENUM restriction | 1112 | STRING ext-restriction | 1113 +------------------------+ 1115 Figure 7: The IncidentID Class 1117 The content of the class is an incident identifier of type STRING. 1119 The attributes of the IncidentID class are: 1121 name 1122 Required. STRING. An identifier describing the CSIRT that 1123 created the document. In order to have a globally unique CSIRT 1124 name, the fully qualified domain name associated with the CSIRT 1125 MUST be used. 1127 instance 1128 Optional. STRING. An identifier referencing a subset of the 1129 named incident. 1131 restriction 1132 Optional. ENUM. See Section 3.3.1. 
1134 ext-restriction 1135 Optional. STRING. A means by which to extend the restriction 1136 attribute. See Section 5.1.1. 1138 3.5. AlternativeID Class 1140 The AlternativeID class lists the tracking numbers used by CSIRTs, 1141 other than the one generating the document, to refer to the identical 1142 activity described in the IODEF document. A tracking number listed 1143 as an AlternativeID references the same incident detected by another 1144 CSIRT. The tracking numbers of the CSIRT that generated the IODEF 1145 document must never be considered an AlternativeID. 1147 +------------------------+ 1148 | AlternativeID | 1149 +------------------------+ 1150 | ENUM restriction |<>--{1..*}--[ IncidentID ] 1151 | STRING ext-restriction | 1152 +------------------------+ 1154 Figure 8: The AlternativeID Class 1156 The aggregate class of the AlternativeID class is: 1158 IncidentID 1159 One or more. The tracking number of another CSIRT. See 1160 Section 3.4. 1162 The attributes of the AlternativeID class are: 1164 restriction 1165 Optional. ENUM. See Section 3.3.1. 1167 ext-restriction 1168 Optional. STRING. A means by which to extend the restriction 1169 attribute. See Section 5.1.1. 1171 3.6. RelatedActivity Class 1173 The RelatedActivity class relates the information described in the 1174 rest of the document to previously observed incidents or activity; 1175 and allows attribution to a specific actor or campaign. 
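The inheritance rules for the restriction attribute (Section 3.3.1) are where forwarding goes wrong in practice: an Incident marked green may still contain need-to-know or red subtrees, and a class with no restriction of its own takes the value of its closest ancestor, with "private" as the default only at the Incident. The following Python is added here as an example and is not part of the draft; it computes the effective restriction of an element from its ancestor chain and prunes a copy of an Incident to what a recipient of a given clearance may receive. The namespace URI, the sample Incident and the rank assigned to the "default" value (which the draft leaves to a pre-arranged policy) are assumptions.

```python
import copy
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"   # assumed; confirm against Section 8

# Section 3.3.1 values from least to most restrictive.  white/green/amber/red
# are defined as aliases; "default" and ext-value carry no fixed rank.
_ALIAS = {"white": "public", "green": "partner", "amber": "need-to-know", "red": "private"}
_RANK = {"public": 0, "partner": 1, "need-to-know": 2, "private": 3}

def effective_restriction(path):
    """`path` lists the elements from the Incident down to the element of
    interest.  The effective value comes from the closest ancestor-or-self
    that sets restriction; with none set, the Incident default "private"
    applies (no other class has a default)."""
    for elem in reversed(path):
        value = elem.get("restriction")
        if value is not None:
            return _ALIAS.get(value, value)
    return "private"

def prune_for_recipient(incident, clearance, policy_default="partner"):
    """Return a deep copy of `incident` with every subtree whose effective
    restriction is stricter than `clearance` removed, or None when the
    Incident itself may not be shared.  `policy_default` is the assumed
    meaning of "default"; unknown or extended values are treated as private."""
    limit = _RANK[_ALIAS.get(clearance, clearance)]

    def rank(value):
        if value == "default":
            value = policy_default
        return _RANK.get(value, 3)

    def walk(elem, path):
        for child in list(elem):                 # copy: we remove while iterating
            child_path = path + [child]
            if rank(effective_restriction(child_path)) > limit:
                elem.remove(child)               # drops the whole subtree
            else:
                walk(child, child_path)

    root = copy.deepcopy(incident)
    if rank(effective_restriction([root])) > limit:
        return None
    walk(root, [root])
    return root

def child_names(elem):
    """Local names of the direct children, for inspection."""
    return [c.tag.split("}")[-1] for c in elem]

# Constructed sample: a green Incident with a public creator contact, a
# need-to-know victim (holding a green sub-contact), a red event record and
# a History left to the pre-arranged "default" policy.
SAMPLE = """<Incident xmlns="urn:ietf:params:xml:ns:iodef-2.0"
          purpose="mitigation" restriction="green">
  <IncidentID name="csirt.example.com">2016-0007</IncidentID>
  <GenerationTime>2016-05-10T12:00:00+00:00</GenerationTime>
  <Description>Outbound beaconing from a workstation (sample).</Description>
  <Contact role="creator" type="organization" restriction="public">
    <Email><EmailTo>csirt@example.com</EmailTo></Email>
  </Contact>
  <Contact role="victim" type="person" restriction="need-to-know">
    <ContactName>J. Doe</ContactName>
    <Contact role="tech" type="person" restriction="green">
      <Email><EmailTo>helpdesk@example.com</EmailTo></Email>
    </Contact>
  </Contact>
  <EventData restriction="red">
    <Description>Host name, user and proxy logs of the victim.</Description>
  </EventData>
  <History restriction="default">
    <HistoryItem action="other"><Description>Ticket opened.</Description></HistoryItem>
  </History>
</Incident>"""

def load_sample():
    return ET.fromstring(SAMPLE)

if __name__ == "__main__":
    incident = load_sample()
    for clearance in ("public", "green", "amber", "private"):
        kept = prune_for_recipient(incident, clearance)
        print(clearance, None if kept is None else child_names(kept))
```

Pruning is by subtree, so the green sub-contact inside the need-to-know victim Contact is not extracted for a green recipient; relaxing a child never lifts its parent. That is the conservative reading and the one to use when the attribute is the only control, since, as the draft notes, nothing technical enforces what the recipient does afterwards.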
1177 +------------------------+ 1178 | RelatedActivity | 1179 +------------------------+ 1180 | ENUM restriction |<>--{0..*}--[ IncidentID ] 1181 | STRING ext-restriction |<>--{0..*}--[ URL ] 1182 | |<>--{0..*}--[ ThreatActor ] 1183 | |<>--{0..*}--[ Campaign ] 1184 | |<>--{0..*}--[ IndicatorID ] 1185 | |<>--{0..1}--[ Confidence ] 1186 | |<>--{0..*}--[ Description ] 1187 | |<>--{0..*}--[ AdditionalData ] 1188 +------------------------+ 1190 Figure 9: RelatedActivity Class 1192 The aggregate classes of the RelatedActivity class are: 1194 IncidentID 1195 Zero or more. The tracking number of a related incident. See 1196 Section 3.4. 1198 URL 1199 Zero or more. URL. A URL to activity related to this incident. 1201 ThreatActor 1202 Zero or more. The threat actor to whom the incident activity is 1203 attributed. See Section 3.7. 1205 Campaign 1206 Zero or more. The campaign of a given threat actor to which the 1207 described activity is attributed. See Section 3.8. 1209 IndicatorID 1210 Zero or more. A reference to a related indicator. See 1211 the IndicatorID class in Section 3.28. 1213 Confidence 1214 Zero or one. An estimate of the confidence in attributing this 1215 RelatedActivity to the events described in the document. See 1216 Section 3.12.5. 1218 Description 1219 Zero or more. ML_STRING. A description of how these 1220 relationships were derived. 1222 AdditionalData 1223 Zero or more. EXTENSION. A mechanism by which to extend the data 1224 model. 1226 The RelatedActivity class MUST have at least one instance of any of 1227 the following child classes: IncidentID, URL, ThreatActor, Campaign, 1228 Description or AdditionalData. 1230 The attributes of the RelatedActivity class are: 1232 restriction 1233 Optional. ENUM. See Section 3.3.1. 1235 ext-restriction 1236 Optional. STRING. A means by which to extend the restriction 1237 attribute. See Section 5.1.1. 1239 3.7. ThreatActor Class 1241 The ThreatActor class describes a threat actor.
1243 +------------------------+ 1244 | ThreatActor | 1245 +------------------------+ 1246 | ENUM restriction |<>--{0..*}--[ ThreatActorID ] 1247 | STRING ext-restriction |<>--{0..*}--[ URL ] 1248 | |<>--{0..*}--[ Description ] 1249 | |<>--{0..*}--[ AdditionalData ] 1250 +------------------------+ 1252 Figure 10: ThreatActor Class 1254 The aggregate classes of the ThreatActor class are: 1256 ThreatActorID 1257 Zero or more. STRING. An identifier for the threat actor. 1259 URL 1260 Zero or more. URL. A URL to a reference describing the threat 1261 actor. 1263 Description 1264 Zero or more. ML_STRING. A description of the threat actor. 1266 AdditionalData 1267 Zero or more. EXTENSION. A mechanism by which to extend the data 1268 model. 1270 The ThreatActor class MUST have at least one instance of a child 1271 class. 1273 The attributes of the ThreatActor class are: 1275 restriction 1276 Optional. ENUM. See Section 3.3.1. 1278 ext-restriction 1279 Optional. STRING. A means by which to extend the restriction 1280 attribute. See Section 5.1.1. 1282 3.8. Campaign Class 1284 The Campaign class describes a campaign of attacks by a threat actor. 1286 +------------------------+ 1287 | Campaign | 1288 +------------------------+ 1289 | ENUM restriction |<>--{0..*}--[ CampaignID ] 1290 | STRING ext-restriction |<>--{0..*}--[ URL ] 1291 | |<>--{0..*}--[ Description ] 1292 | |<>--{0..*}--[ AdditionalData ] 1293 +------------------------+ 1295 Figure 11: Campaign Class 1297 The aggregate classes of the Campaign class are: 1299 CampaignID 1300 Zero or more. STRING. An identifier for the campaign. 1302 URL 1303 Zero or more. URL. A URL to a reference describing the campaign. 1305 Description 1306 Zero or more. ML_STRING. A description of the campaign. 1308 AdditionalData 1309 Zero or more. EXTENSION. A mechanism by which to extend the data 1310 model. 1312 The Campaign class MUST have at least one instance of a child class. 
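Added example (not from the draft): a lint pass over a parsed IODEF-Document for the identifier rules of Sections 3.4 to 3.8. It checks that an IncidentID name is a fully qualified domain name and that a (name, content) pair is not reused for a different Incident in the same document, that the generating CSIRT's own tracking numbers do not appear as an AlternativeID, that a RelatedActivity carries at least one of the listed child classes (Confidence or IndicatorID alone does not satisfy the rule), and that ThreatActor and Campaign each have at least one child. The namespace URI and the sample document, which trips each rule once, are assumptions.

```python
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"   # assumed; confirm against Section 8

# Child classes of which RelatedActivity needs at least one (Section 3.6).
_RA_REQUIRED = ("IncidentID", "URL", "ThreatActor", "Campaign",
                "Description", "AdditionalData")

def q(tag):
    return "{%s}%s" % (IODEF_NS, tag)

def lint_identifiers(doc):
    """Check the identifier rules of Sections 3.4 to 3.8 over a parsed
    IODEF-Document; returns a list of findings, empty when clean."""
    findings = []
    seen = {}                                    # (name, content) -> Incident index
    for i, inc in enumerate(doc.findall(q("Incident"))):
        own = inc.find(q("IncidentID"))
        if own is None:
            findings.append("Incident %d: missing IncidentID" % i)
            continue
        name, value = own.get("name", ""), (own.text or "").strip()
        if "." not in name:                      # name MUST be the CSIRT's FQDN
            findings.append("Incident %d: IncidentID name %r is not a FQDN" % (i, name))
        key = (name, value)
        if key in seen:                          # same CSIRT and number, different incident
            findings.append("Incident %d: IncidentID %s reused from Incident %d"
                            % (i, key, seen[key]))
        seen.setdefault(key, i)
        alt = inc.find(q("AlternativeID"))
        for aid in ([] if alt is None else alt.findall(q("IncidentID"))):
            if aid.get("name") == name:          # own numbers are never alternatives
                findings.append("Incident %d: AlternativeID carries the generating "
                                "CSIRT's own identifier %r" % (i, aid.text))
        for ra in inc.findall(q("RelatedActivity")):
            if not any(ra.find(q(t)) is not None for t in _RA_REQUIRED):
                findings.append("Incident %d: RelatedActivity has none of %s"
                                % (i, ", ".join(_RA_REQUIRED)))
            for tag in ("ThreatActor", "Campaign"):
                for node in ra.findall(q(tag)):
                    if len(node) == 0:
                        findings.append("Incident %d: empty %s" % (i, tag))
    return findings

# Constructed sample exercising each rule once.
SAMPLE = """<IODEF-Document version="2.00" xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">2016-0101</IncidentID>
    <AlternativeID>
      <IncidentID name="csirt.example.net">NET-44</IncidentID>
      <IncidentID name="csirt.example.com">2016-0099</IncidentID>
    </AlternativeID>
    <RelatedActivity>
      <ThreatActor><ThreatActorID>actor-7</ThreatActorID></ThreatActor>
      <Campaign/>
    </RelatedActivity>
    <RelatedActivity>
      <Confidence rating="low"/>
    </RelatedActivity>
    <GenerationTime>2016-05-10T12:00:00+00:00</GenerationTime>
    <Contact role="creator" type="organization">
      <Email><EmailTo>csirt@example.com</EmailTo></Email>
    </Contact>
  </Incident>
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">2016-0101</IncidentID>
    <GenerationTime>2016-05-10T12:05:00+00:00</GenerationTime>
    <Contact role="creator" type="organization">
      <Email><EmailTo>csirt@example.com</EmailTo></Email>
    </Contact>
  </Incident>
</IODEF-Document>"""

def lint_sample():
    return lint_identifiers(ET.fromstring(SAMPLE))

if __name__ == "__main__":
    for finding in lint_sample():
        print(finding)
```

Run on the sample this reports four findings: the second AlternativeID entry names the generating CSIRT, the Campaign is empty, the second RelatedActivity has only a Confidence child, and the second Incident reuses 2016-0101. Reuse across documents from the same CSIRT is the more important case in practice; the `seen` map is the place to plug in a persistent index keyed on (name, content).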
1314 The attributes of the Campaign class are: 1316 restriction 1317 Optional. ENUM. See Section 3.3.1. 1319 ext-restriction 1320 Optional. STRING. A means by which to extend the restriction 1321 attribute. See Section 5.1.1. 1323 3.9. Contact Class 1325 The Contact class describes contact information for organizations and 1326 personnel involved in the incident. This class allows for the naming 1327 of the involved party, specifying contact information for them, and 1328 identifying their role in the incident. 1330 People and organizations are treated interchangeably as contacts; one 1331 can be associated with the other using the recursive definition of 1332 the class (the Contact class is aggregated into the Contact class). 1333 The 'type' attribute disambiguates the type of contact information 1334 being provided. 1336 The recursive definition of Contact provides a way to relate 1337 information without requiring the explicit use of identifiers or 1338 duplication of data. A complete point of contact is derived by a 1339 particular traversal from the root Contact class to the leaf Contact 1340 class. Each child Contact class logically inherits contact 1341 information from its ancestors. 1343 +------------------------+ 1344 | Contact | 1345 +------------------------+ 1346 | ENUM role |<>--{0..*}--[ ContactName ] 1347 | STRING ext-role |<>--{0..*}--[ ContactTitle ] 1348 | ENUM type |<>--{0..*}--[ Description ] 1349 | STRING ext-type |<>--{0..*}--[ RegistryHandle ] 1350 | ENUM restriction |<>--{0..*}--[ PostalAddress ] 1351 | STRING ext-restriction |<>--{0..*}--[ Email ] 1352 | |<>--{0..*}--[ Telephone ] 1353 | |<>--{0..1}--[ Timezone ] 1354 | |<>--{0..*}--[ Contact ] 1355 | |<>--{0..*}--[ AdditionalData ] 1356 +------------------------+ 1358 Figure 12: The Contact Class 1360 The aggregate classes of the Contact class are: 1362 ContactName 1363 Zero or more. ML_STRING. The name of the contact. The contact 1364 may either be an organization or a person. 
The type attribute 1365 disambiguates the semantics. 1367 ContactTitle 1368 Zero or more. ML_STRING. The title for the individual named in 1369 the ContactName. 1371 Description 1372 Zero or more. ML_STRING. A free-form text description of the 1373 contact. 1375 RegistryHandle 1376 Zero or more. A handle name into the registry of the contact. 1377 See Section 3.9.1. 1379 PostalAddress 1380 Zero or more. The postal address of the contact. See 1381 Section 3.9.2. 1383 Email 1384 Zero or more. The email address of the contact. See 1385 Section 3.9.3. 1387 Telephone 1388 Zero or more. The telephone number of the contact. See 1389 Section 3.9.4. 1391 Timezone 1392 Zero or one. TIMEZONE. The timezone in which the contact 1393 resides. 1395 Contact 1396 Zero or more. A recursive definition of the Contact class. This 1397 definition can be used to group common data pertaining to multiple 1398 points of contact and is especially useful when listing multiple 1399 contacts at the same organization. 1401 AdditionalData 1402 Zero or more. EXTENSION. A mechanism by which to extend the data 1403 model. 1405 At least one of the aggregate classes MUST be present in an instance 1406 of the Contact class. 1408 The attributes of the Contact class are: 1410 role 1411 Required. ENUM. Indicates the role the contact fulfills. These 1412 values are maintained in the "Contact-role" IANA registry per 1413 Section 10.2. 1415 1. creator. The entity that generated the document. 1417 2. reporter. The entity that reported the information. 1419 3. admin. An administrative contact or business owner for an 1420 asset or organization. 1422 4. tech. An entity responsible for the day-to-day management of 1423 technical issues for an asset or organization. 1425 5. provider. An external hosting provider for an asset. 1427 6. zone. An entity with authority over a DNS zone. 1429 7. user. An end-user of an asset or part of an organization. 1431 8. billing.
An entity responsible for billing issues for an 1432 asset or organization. 1434 9. legal. An entity responsible for legal issues related to an 1435 asset or organization. 1437 10. irt. An entity responsible for handling security issues for 1438 an asset or organization. 1440 11. abuse. An entity responsible for handling abuse originating 1441 from an asset or organization. 1443 12. cc. An entity that is to be kept informed about the events 1444 related to an asset or organization. 1446 13. cc-irt. A CSIRT or information sharing organization 1447 coordinating activity related to an asset or organization. 1449 14. leo. A law enforcement organization supporting the 1450 investigation of activity affecting an asset or organization. 1452 15. vendor. The vendor that produces an asset. 1454 16. vendor-support. A vendor that provides services. 1456 17. victim. A victim in the incident. 1458 18. victim-notified. A victim in the incident who has been 1459 notified. 1461 19. ext-value. A value used to indicate that this attribute is 1462 extended and the actual value is provided using the 1463 corresponding ext-* attribute. See Section 5.1.1. 1465 ext-role 1466 Optional. STRING. A means by which to extend the role attribute. 1467 See Section 5.1.1. 1469 type 1470 Required. ENUM. Indicates the type of contact being described. 1471 This attribute is defined as an enumerated list. These values are 1472 maintained in the "Contact-type" IANA registry per Section 10.2. 1474 1. person. The information for this contact references an 1475 individual. 1477 2. organization. The information for this contact references an 1478 organization. 1480 3. ext-value. A value used to indicate that this attribute is 1481 extended and the actual value is provided using the 1482 corresponding ext-* attribute. See Section 5.1.1. 1484 ext-type 1485 Optional. STRING. A means by which to extend the type attribute. 1486 See Section 5.1.1. 1488 restriction 1489 Optional. ENUM. See Section 3.3.1.
1491 ext-restriction 1492 Optional. STRING. A means by which to extend the restriction 1493 attribute. See Section 5.1.1. 1495 3.9.1. RegistryHandle Class 1497 The RegistryHandle class represents a handle into an Internet 1498 registry or community-specific database. 1500 +---------------------+ 1501 | RegistryHandle | 1502 +---------------------+ 1503 | STRING | 1504 | | 1505 | ENUM registry | 1506 | STRING ext-registry | 1507 +---------------------+ 1509 Figure 13: The RegistryHandle Class 1511 The content of the class is a handle into a registry of type STRING. 1513 The attributes of the RegistryHandle class are: 1515 registry 1516 Required. ENUM. The database to which the handle belongs. These 1517 values are maintained in the "RegistryHandle-registry" IANA 1518 registry per Section 10.2. The possible values are: 1520 1. internic. Internet Network Information Center 1522 2. apnic. Asia Pacific Network Information Center 1524 3. arin. American Registry for Internet Numbers 1526 4. lacnic. Latin-American and Caribbean IP Address Registry 1528 5. ripe. Reseaux IP Europeens 1530 6. afrinic. African Internet Numbers Registry 1532 7. local. A database local to the CSIRT 1534 8. ext-value. A value used to indicate that this attribute is 1535 extended and the actual value is provided using the 1536 corresponding ext-* attribute. See Section 5.1.1. 1538 ext-registry 1539 Optional. STRING. A means by which to extend the registry 1540 attribute. See Section 5.1.1. 1542 3.9.2. PostalAddress Class 1544 The PostalAddress class specifies a postal address and associated 1545 annotation. 1547 +--------------------+ 1548 | PostalAddress | 1549 +--------------------+ 1550 | ENUM type |<>----------[ PAddress ] 1551 | STRING ext-type |<>--{0..*}--[ Description ] 1552 +--------------------+ 1554 Figure 14: The PostalAddress Class 1556 The aggregate classes of the PostalAddress class are: 1558 PAddress 1559 One. POSTAL. A postal address. 1561 Description 1562 Zero or more.
ML_STRING. A free-form text description of the 1563 address. 1565 The attributes of the PostalAddress class are: 1567 type 1568 Optional. ENUM. Categorizes the type of address described in the 1569 PAddress class. These values are maintained in the 1570 "PostalAddress-type" IANA registry per Section 10.2. 1572 1. street. An address describing a physical location. 1574 2. mailing. An address to which correspondence should be sent. 1576 3. ext-value. A value used to indicate that this attribute is 1577 extended and the actual value is provided using the 1578 corresponding ext-* attribute. See Section 5.1.1. 1580 ext-type 1581 Optional. STRING. A means by which to extend the type attribute. 1582 See Section 5.1.1. 1584 3.9.3. Email Class 1586 The Email class specifies an email address and associated annotation. 1588 +--------------------+ 1589 | Email | 1590 +--------------------+ 1591 | ENUM type |<>----------[ EmailTo ] 1592 | STRING ext-type |<>--{0..*}--[ Description ] 1593 +--------------------+ 1595 Figure 15: The Email Class 1597 The aggregate classes of the Email class are: 1599 EmailTo 1600 One. EMAIL. An email address. 1602 Description 1603 Zero or more. ML_STRING. A free-form text description of the 1604 email address. 1606 The attributes of the Email class are: 1608 type 1609 Optional. ENUM. Categorizes the type of email address described 1610 in the EmailTo class. These values are maintained in the "Email- 1611 type" IANA registry per Section 10.2. 1613 1. direct. An email address of an individual. 1615 2. hotline. An email address regularly monitored for operational 1616 purposes. 1618 3. ext-value. A value used to indicate that this attribute is 1619 extended and the actual value is provided using the 1620 corresponding ext-* attribute. See Section 5.1.1. 1622 ext-type 1623 Optional. STRING. A means by which to extend the type attribute. 1624 See Section 5.1.1. 1626 3.9.4.
Telephone Class 1628 The Telephone class describes a telephone number and associated 1629 annotation. 1631 +--------------------+ 1632 | Telephone | 1633 +--------------------+ 1634 | ENUM type |<>----------[ TelephoneNumber ] 1635 | STRING ext-type |<>--{0..*}--[ Description ] 1636 +--------------------+ 1638 Figure 16: The Telephone Class 1640 The aggregate classes of the Telephone class are: 1642 TelephoneNumber 1643 One. PHONE. A telephone number. 1645 Description 1646 Zero or more. ML_STRING. A free-form text description of the 1647 phone number. 1649 The attributes of the Telephone class are: 1651 type 1652 Optional. ENUM. Categorizes the type of telephone number 1653 described in the TelephoneNumber class. These values are 1654 maintained in the "Telephone-type" IANA registry per Section 10.2. 1656 1. wired. A number of a wire-line (land-line) phone. 1658 2. mobile. A number of a mobile phone. 1660 3. fax. A number to a fax machine. 1662 4. hotline. A number to a regularly monitored operational 1663 hotline. 1665 5. ext-value. A value used to indicate that this attribute is 1666 extended and the actual value is provided using the 1667 corresponding ext-* attribute. See Section 5.1.1. 1669 ext-type 1670 Optional. STRING. A means by which to extend the type attribute. 1671 See Section 5.1.1. 1673 3.10. Discovery Class 1675 The Discovery class describes how an incident was detected. 1677 +------------------------+ 1678 | Discovery | 1679 +------------------------+ 1680 | ENUM source |<>--{0..*}--[ Description ] 1681 | STRING ext-source |<>--{0..*}--[ Contact ] 1682 | ENUM restriction |<>--{0..*}--[ DetectionPattern ] 1683 | STRING ext-restriction | 1684 +------------------------+ 1686 Figure 17: The Discovery Class 1688 The aggregate classes of the Discovery class are: 1690 Description 1691 Zero or more. ML_STRING. A free-form text description of how 1692 this incident was detected. 1694 Contact 1695 Zero or more. 
Contact information for the party that discovered 1696 the incident. See Section 3.9. 1698 DetectionPattern 1699 Zero or more. Describes an application-specific configuration 1700 that detected the incident. See Section 3.10.1. 1702 The attributes of the Discovery class are: 1704 source 1705 Optional. ENUM. Categorizes the techniques used to discover the 1706 incident. These values are partially derived from Table 3-1 of 1707 [NIST800.61rev2]. These values are maintained in the "Discovery- 1708 source" IANA registry per Section 10.2. 1710 1. nidps. Network Intrusion Detection or Prevention system. 1712 2. hips. Host-based Intrusion Prevention system. 1714 3. siem. Security Information and Event Management System. 1716 4. av. Antivirus or and antispam software. 1718 5. third-party-monitoring. Contracted third-party monitoring 1719 service. 1721 6. incident. The activity was discovered while investigating an 1722 unrelated incident. 1724 7. os-log. Operating system logs. 1726 8. application-log. Application logs. 1728 9. device-log. Network device logs. 1730 10. network-flow. Network flow analysis. 1732 11. passive-dns. Passive DNS analysis. 1734 12. investigation. Manual investigation initiated based on 1735 notification of a new vulnerability or exploit. 1737 13. audit. Security audit. 1739 14. internal-notification. A party within the organization 1740 reported the activity 1742 15. external-notification. A party outside of the organization 1743 reported the activity. 1745 16. leo. A law enforcement organization notified the victim 1746 organization. 1748 17. partner. A customer or business partner reported the 1749 activity to the victim organization. 1751 18. actor. The threat actor directly or indirectly reported this 1752 activity to the victim organization. 1754 19. unknown. Unknown detection approach. 1756 20. ext-value. 
A value used to indicate that this attribute is 1757 extended and the actual value is provided using the 1758 corresponding ext-* attribute. See Section 5.1.1. 1760 ext-source 1761 Optional. STRING. A means by which to extend the source 1762 attribute. See Section 5.1.1. 1764 restriction 1765 Optional. ENUM. See Section 3.3.1. 1767 ext-restriction 1768 Optional. STRING. A means by which to extend the restriction 1769 attribute. See Section 5.1.1. 1771 3.10.1. DetectionPattern Class 1773 The DetectionPattern class describes a configuration or signature 1774 that can be used by an IDS/IPS, SIEM, anti-virus, end-point 1775 protection, network analysis, malware analysis, or host forensics 1776 tool to identify a particular phenomenon. This class requires the 1777 identification of the target application and allows the configuration 1778 to be described in either free-form or machine readable form. 1780 +------------------------+ 1781 | DetectionPattern | 1782 +------------------------+ 1783 | ENUM restriction |<>----------[ Application ] 1784 | STRING ext-restriction |<>--{0..*}--[ Description ] 1785 | |<>--{0..*}--[ DetectionConfiguration ] 1786 +------------------------+ 1788 Figure 18: The DetectionPattern Class 1790 The aggregate classes of the DetectionPattern class are: 1792 Application 1793 One. SOFTWARE. The application for which the 1794 DetectionConfiguration or Description is being provided. 1796 Description 1797 Zero or more. ML_STRING. A free-form text description of how to 1798 use the Application or provided DetectionConfiguration. 1800 DetectionConfiguration 1801 Zero or more. STRING. A machine consumable configuration to find 1802 a pattern of activity. 1804 Either an instance of the Description or DetectionConfiguration class 1805 MUST be present. 1807 The attributes of the DetectionPattern class are: 1809 restriction 1810 Optional. ENUM. See Section 3.3.1. 1812 ext-restriction 1813 Optional. STRING. 
A means by which to extend the restriction 1814 attribute. See Section 5.1.1. 1816 3.11. Method Class 1818 The Method class describes the tactics, techniques, procedures or 1819 weakness used by the threat actor in an incident. This class 1820 consists of both a list of references describing the attack methods 1821 and weaknesses and a free-form text description. 1823 +------------------------+ 1824 | Method | 1825 +------------------------+ 1826 | ENUM restriction |<>--{0..*}--[ Reference ] 1827 | STRING ext-restriction |<>--{0..*}--[ Description ] 1828 | |<>--{0..*}--[ sci:AttackPattern ] 1829 | |<>--{0..*}--[ sci:Vulnerability ] 1830 | |<>--{0..*}--[ sci:Weakness ] 1831 | |<>--{0..*}--[ AdditionalData ] 1832 +------------------------+ 1834 Figure 19: The Method Class 1836 The aggregate classes of the Method class are: 1838 Reference 1839 Zero or more. A reference to a vulnerability, malware sample, 1840 advisory, or analysis of an attack technique. See Section 3.11.1. 1842 Description 1843 Zero or more. ML_STRING. A free-form text description of 1844 techniques, tactics, or procedures used by the threat actor. 1846 sci:AttackPattern 1847 Zero or more. A reference to an pattern of attack or exploitation 1848 per [RFC-SCI] 1850 sci:Vulnerability 1851 Zero or more. A reference to a vulnerability per [RFC-SCI] 1853 sci:Weakness 1854 Zero or more. A reference to the exploited weakness per [RFC-SCI] 1856 AdditionalData 1857 Zero or more. EXTENSION. A mechanism by which to extend the data 1858 model. 1860 An instance of one of these child MUST be present. 1862 The attributes of the Method class are: 1864 restriction 1865 Optional. ENUM. See Section 3.3.1. 1867 ext-restriction 1868 Optional. STRING. A means by which to extend the restriction 1869 attribute. See Section 5.1.1. 1871 3.11.1. Reference Class 1873 The Reference class is an external reference to relevant information 1874 such a vulnerability, IDS alert, malware sample, advisory, or attack 1875 technique. 
   +-------------------------+
   |        Reference        |
   +-------------------------+
   | ID observable-id        |<>--{0..1}--[ enum:ReferenceName ]
   |                         |<>--{0..*}--[ URL ]
   |                         |<>--{0..*}--[ Description ]
   +-------------------------+

                     Figure 20: The Reference Class

   The aggregate classes of the Reference class are:

   enum:ReferenceName
      Zero or one. Reference identifier per [RFC-ENUM].

   URL
      Zero or more. URL. A URL to a reference.

   Description
      Zero or more. ML_STRING. A free-form text description of this
      reference.

   At least one of these classes MUST be present.

   The attribute of the Reference class is:

   observable-id
      Optional. ID. See Section 3.3.2.

3.12. Assessment Class

   The Assessment class describes the repercussions of the incident to
   the victim.

   +-------------------------+
   |       Assessment        |
   +-------------------------+
   | ENUM occurrence         |<>--{0..*}--[ IncidentCategory ]
   | ENUM restriction        |<>--{0..*}--[ SystemImpact ]
   | STRING ext-restriction  |<>--{0..*}--[ BusinessImpact ]
   | ID observable-id        |<>--{0..*}--[ TimeImpact ]
   |                         |<>--{0..*}--[ MonetaryImpact ]
   |                         |<>--{0..*}--[ IntendedImpact ]
   |                         |<>--{0..*}--[ Counter ]
   |                         |<>--{0..*}--[ MitigatingFactor ]
   |                         |<>--{0..*}--[ Cause ]
   |                         |<>--{0..1}--[ Confidence ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                       Figure 21: Assessment Class

   The aggregate classes of the Assessment class are:

   IncidentCategory
      Zero or more. ML_STRING. A free-form text description
      categorizing the type of Incident.

   SystemImpact
      Zero or more. A technical characterization of the impact of the
      incident activity on the victim's enterprise. See Section 3.12.1.

   BusinessImpact
      Zero or more. Impact of the incident activity on the business
      functions of the victim organization. See Section 3.12.2.

   TimeImpact
      Zero or more. A characterization of the victim organization due
      to the incident activity as a function of time. See
      Section 3.12.3.

   MonetaryImpact
      Zero or more. The financial loss due to the incident activity.
      See Section 3.12.4.

   IntendedImpact
      Zero or more. The intended outcome to the victim sought by the
      threat actor. Defined identically to the BusinessImpact defined
      in Section 3.12.2, but describes intent rather than the realized
      impact.

   Counter
      Zero or more. A counter with which to summarize the magnitude of
      the activity. See Section 3.18.3.

   MitigatingFactor
      Zero or more. ML_STRING. A description of a mitigating factor
      relative to the impact on the victim organization.

   Cause
      Zero or more. ML_STRING. A description of an underlying cause of
      the impact.

   Confidence
      Zero or one. An estimate of confidence in the impact assessment.
      See Section 3.12.5.

   AdditionalData
      Zero or more. EXTENSION. A mechanism by which to extend the data
      model.

   At least one instance of the possible five impact classes (i.e.,
   SystemImpact, BusinessImpact, TimeImpact, MonetaryImpact, or
   IntendedImpact) MUST be present.

   The attributes of the Assessment class are:

   occurrence
      Optional. ENUM. Specifies whether the assessment is describing
      actual or potential outcomes.

      1. actual. This assessment describes activity that has occurred.

      2. potential. This assessment describes potential activity that
         might occur.

   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.

   observable-id
      Optional. ID. See Section 3.3.2.

3.12.1. SystemImpact Class

   The SystemImpact class describes the technical impact of the incident
   to the systems on the network.

   +-----------------------+
   |     SystemImpact      |
   +-----------------------+
   | ENUM severity         |<>--{0..*}--[ Description ]
   | ENUM completion       |
   | ENUM type             |
   | STRING ext-type       |
   +-----------------------+

                      Figure 22: SystemImpact Class

   The aggregate class of the SystemImpact class is:

   Description
      Zero or more. ML_STRING. A free-form text description of the
      impact to the system.

   The attributes of the SystemImpact class are:

   severity
      Optional. ENUM. An estimate of the relative severity of the
      activity. The permitted values are shown below. There is no
      default value.

      1. low. Low severity.

      2. medium. Medium severity.

      3. high. High severity.

   completion
      Optional. ENUM. An indication whether the described activity was
      successful. The permitted values are shown below. There is no
      default value.

      1. failed. The attempted activity was not successful.

      2. succeeded. The attempted activity succeeded.

   type
      Required. ENUM. Classifies the impact. The permitted values are
      shown below. The default value is "unknown". These values are
      maintained in the "SystemImpact-type" IANA registry per
      Section 10.2.

      1. takeover-account. Control was taken of a given account.

      2. takeover-service. Control was taken of a given service.

      3. takeover-system. Control was taken of a given system.

      4. cps-manipulation. A cyber-physical system was manipulated.

      5. cps-damage. A cyber-physical system was damaged.

      6. availability-data. Access to particular data was degraded or
         denied.

      7. availability-account. Access to an account was degraded or
         denied.

      8. availability-service. Access to a service was degraded or
         denied.

      9. availability-system. Access to a system was degraded or
         denied.

      10. damaged-system. Hardware on a system was irreparably
          damaged.

      11. damaged-data. Data on a system was deleted.

      12. breach-proprietary. Sensitive or proprietary information was
          accessed or exfiltrated.

      13. breach-privacy. Personally identifiable information was
          accessed or exfiltrated.

      14. breach-credential. Credential information was accessed or
          exfiltrated.

      15. breach-configuration. System configuration or data inventory
          was accessed or exfiltrated.

      16. integrity-data. Data on the system was modified.

      17. integrity-configuration. Application or system configuration
          was modified.

      18. integrity-hardware. Firmware of a hardware component was
          modified.

      19. traffic-redirection. Network traffic on the system was
          redirected.

      20. monitoring-traffic. Network traffic emerging from a host or
          enclave was monitored.

      21. monitoring-host. System activity (e.g., running processes,
          keystrokes) was monitored.

      22. policy. Activity violated the system owner's acceptable use
          policy.

      23. unknown. The impact is unknown.

      24. ext-value. A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute. See Section 5.1.1.

   ext-type
      Optional. STRING. A means by which to extend the type attribute.
      See Section 5.1.1.

3.12.2. BusinessImpact Class

   The BusinessImpact class describes and characterizes the degree to
   which the function of the organization was impacted by the Incident.

   +-------------------------+
   |     BusinessImpact      |
   +-------------------------+
   | ENUM severity           |<>--{0..*}--[ Description ]
   | STRING ext-severity     |
   | ENUM type               |
   | STRING ext-type         |
   +-------------------------+

                     Figure 23: BusinessImpact Class

   The aggregate class of the BusinessImpact class is:

   Description
      Zero or more. ML_STRING. A free-form text description of the
      impact to the organization.

   The attributes of the BusinessImpact class are:

   severity
      Optional. ENUM. Characterizes the severity of the incident on
      business functions. The permitted values are shown below. They
      were derived from Table 3-2 of [NIST800.61rev2]. The default
      value is "unknown". These values are maintained in the
      "BusinessImpact-severity" IANA registry per Section 10.2.

      1. none. No effect to the organization's ability to provide all
         services to all users.

      2. low. Minimal effect as the organization can still provide all
         critical services to all users but has lost efficiency.

      3. medium. The organization has lost the ability to provide a
         critical service to a subset of system users.

      4. high. The organization is no longer able to provide some
         critical services to any users.

      5. unknown. The impact is not known.

      6. ext-value. A value used to indicate that this attribute is
         extended and the actual value is provided using the
         corresponding ext-* attribute. See Section 5.1.1.

   ext-severity
      Optional. STRING. A means by which to extend the severity
      attribute. See Section 5.1.1.

   type
      Required. ENUM. Characterizes the effect this incident had on
      the business. The permitted values are shown below. The default
      value is "unknown". These values are maintained in the
      "BusinessImpact-type" IANA registry per Section 10.2.

      1. breach-proprietary. Sensitive or proprietary information was
         accessed or exfiltrated.

      2. breach-privacy. Personally identifiable information was
         accessed or exfiltrated.

      3. breach-credential. Credential information was accessed or
         exfiltrated.

      4. loss-of-integrity. Sensitive or proprietary information was
         changed or deleted.

      5. loss-of-service. Service delivery was disrupted.

      6. theft-financial. Money was stolen.

      7. theft-service. Services were misappropriated.

      8. degraded-reputation. The reputation of the organization's
         brand was diminished.

      9. asset-damage. A cyber-physical system was damaged.

      10. asset-manipulation. A cyber-physical system was manipulated.

      11. legal. The incident resulted in legal or regulatory action.

      12. extortion. The incident resulted in actors extorting the
          victim organization.

      13. unknown. The impact is unknown.

      14. ext-value. A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute. See Section 5.1.1.

   ext-type
      Optional. STRING. A means by which to extend the type attribute.
      See Section 5.1.1.

3.12.3. TimeImpact Class

   The TimeImpact class describes the impact of the incident on an
   organization as a function of time. It provides a way to convey
   downtime and recovery time.

   +---------------------+
   |     TimeImpact      |
   +---------------------+
   | REAL                |
   |                     |
   | ENUM severity       |
   | ENUM metric         |
   | STRING ext-metric   |
   | ENUM duration       |
   | STRING ext-duration |
   +---------------------+

                       Figure 24: TimeImpact Class

   The content of the class is of type REAL and specifies an amount of
   time. The duration attribute provides units for this content, and
   the metric attribute explains what this content is measuring.

   The attributes of the TimeImpact class are:

   severity
      Optional. ENUM. An estimate of the relative severity of the
      activity. The permitted values are shown below. There is no
      default value.

      1. low. Low severity.

      2. medium. Medium severity.

      3. high. High severity.

   metric
      Required. ENUM. Defines the meaning of the value in the element
      content. These values are maintained in the "TimeImpact-metric"
      IANA registry per Section 10.2.

      1. labor. Total staff-time to recover from the activity (e.g.,
         2 employees working 4 hours each would be 8 hours).

      2. elapsed. Elapsed time from the beginning of the recovery to
         its completion (i.e., wall-clock time).

      3. downtime. Duration of time for which some provided service(s)
         was not available.

      4. ext-value. A value used to indicate that this attribute is
         extended and the actual value is provided using the
         corresponding ext-* attribute. See Section 5.1.1.

   ext-metric
      Optional. STRING. A means by which to extend the metric
      attribute. See Section 5.1.1.

   duration
      Optional. ENUM. Defines the unit of time for the value in the
      element content. The default value is "hour". These values are
      maintained in the "TimeImpact-duration" IANA registry per
      Section 10.2.

      1. second. The unit of the element content is seconds.

      2. minute. The unit of the element content is minutes.

      3. hour. The unit of the element content is hours.

      4. day. The unit of the element content is days.

      5. month. The unit of the element content is months.

      6. quarter. The unit of the element content is quarters.

      7. year. The unit of the element content is years.

      8. ext-value. A value used to indicate that this attribute is
         extended and the actual value is provided using the
         corresponding ext-* attribute. See Section 5.1.1.

   ext-duration
      Optional. STRING. A means by which to extend the duration
      attribute. See Section 5.1.1.

3.12.4. MonetaryImpact Class

   The MonetaryImpact class describes the financial impact of the
   activity on an organization. For example, this impact may consider
   losses due to the cost of the investigation or recovery, diminished
   productivity of the staff, or a tarnished reputation that will affect
   future opportunities.

   +------------------+
   |  MonetaryImpact  |
   +------------------+
   | REAL             |
   |                  |
   | ENUM severity    |
   | STRING currency  |
   +------------------+

                     Figure 25: MonetaryImpact Class

   The content of the class is of type REAL and specifies a quantity of
   money. The currency attribute defines the currency of this value.

   The attributes of the MonetaryImpact class are:

   severity
      Optional. ENUM. An estimate of the relative severity of the
      activity. The permitted values are shown below. There is no
      default value.

      1. low. Low severity.

      2. medium. Medium severity.

      3. high. High severity.

   currency
      Optional. STRING. Defines the currency in which the value in the
      element content is expressed. The permitted values are defined in
      "Codes for the representation of currencies and funds" of
      [ISO4217]. There is no default value.

3.12.5. Confidence Class

   The Confidence class represents an estimate of the validity and
   accuracy of data expressed in the document. This estimate can be
   expressed as a category or a numeric calculation.

   +-------------------+
   |    Confidence     |
   +-------------------+
   | REAL              |
   |                   |
   | ENUM rating       |
   | STRING ext-rating |
   +-------------------+

                       Figure 26: Confidence Class

   The content of the class is of type REAL and specifies a numerical
   assessment in the confidence of the data when the value of the rating
   attribute is "numeric". Otherwise, this element MUST be empty.

   The attributes of the Confidence class are:

   rating
      Required. ENUM. A qualitative assessment of confidence. These
      values are maintained in the "Confidence-rating" IANA registry per
      Section 10.2.

      1. low. Low confidence.

      2. medium. Medium confidence.

      3. high. High confidence.

      4. numeric. The element content contains a number that conveys
         the confidence of the data. The semantics of this number are
         outside the scope of this specification.

      5. unknown. The confidence rating value is not known.

      6. ext-value. A value used to indicate that this attribute is
         extended and the actual value is provided using the
         corresponding ext-* attribute. See Section 5.1.1.

   ext-rating
      Optional. STRING. A means by which to extend the rating
      attribute. See Section 5.1.1.

3.13. History Class

   The History class is a log of the significant events or actions
   performed by the involved parties during the course of handling the
   incident.

   The level of detail maintained in this log is left up to the
   discretion of those handling the incident.

   +------------------------+
   |        History         |
   +------------------------+
   | ENUM restriction       |<>--{1..*}--[ HistoryItem ]
   | STRING ext-restriction |
   +------------------------+

                      Figure 27: The History Class

   The aggregate class of the History class is:

   HistoryItem
      One or more. An entry in the history log of significant events or
      actions performed by the involved parties. See Section 3.13.1.

   The attributes of the History class are:

   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.

3.13.1. HistoryItem Class

   The HistoryItem class is an entry in the History (Section 3.13) log
   that documents a particular action or event that occurred in the
   course of handling the incident. The details of the entry are a
   free-form text description, but each can be categorized with the type
   attribute.
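   The MUST-level cardinality and content rules stated in Sections
   3.10.1 (DetectionPattern), 3.11 (Method), 3.11.1 (Reference), 3.12
   (Assessment) and 3.12.5 (Confidence) are the checks a receiving
   implementation has to apply before it trusts an Assessment, and the
   TimeImpact metric/duration pairing of Section 3.12.3 is what makes
   two TimeImpact values comparable. The Python program below is an
   added example and is not part of this draft or of any IODEF
   implementation. It uses unqualified element names (no XML namespace,
   and ReferenceName instead of enum:ReferenceName) so that it runs with
   only the standard library; the sample document is constructed for
   the example, and the month, quarter and year lengths used to convert
   TimeImpact units are this example's own assumption, since the draft
   only names the units.

```python
import xml.etree.ElementTree as ET

# Child classes of which an Assessment MUST carry at least one (Section 3.12).
IMPACT_CLASSES = ("SystemImpact", "BusinessImpact", "TimeImpact",
                  "MonetaryImpact", "IntendedImpact")

# Hours per TimeImpact duration unit (Section 3.12.3).  The draft only names
# the units; the 30-day month, 90-day quarter and 365-day year are this
# example's own assumption.
HOURS_PER_UNIT = {
    "second": 1 / 3600, "minute": 1 / 60, "hour": 1.0, "day": 24.0,
    "month": 30 * 24.0, "quarter": 90 * 24.0, "year": 365 * 24.0,
}

# Constructed sample document (not from the draft).  The first Assessment
# and the first Confidence are valid; the rest each violate one MUST.
SAMPLE = """
<Incident>
  <Assessment occurrence="actual">
    <SystemImpact type="takeover-account" completion="succeeded" severity="high">
      <Description>Helpdesk account was taken over</Description>
    </SystemImpact>
    <TimeImpact metric="labor" duration="day">2</TimeImpact>
    <TimeImpact metric="downtime">90</TimeImpact>
    <MonetaryImpact currency="USD" severity="low">1500.00</MonetaryImpact>
    <Confidence rating="numeric">0.8</Confidence>
  </Assessment>
  <Assessment occurrence="potential">
    <Confidence rating="high">0.9</Confidence>
  </Assessment>
  <EventData>
    <Discovery source="siem">
      <DetectionPattern><Application/></DetectionPattern>
    </Discovery>
    <Method/>
  </EventData>
</Incident>
"""


def has_child(elem, *names):
    """True when elem has at least one direct child with any of the tags."""
    return any(elem.find(name) is not None for name in names)


def check_constraints(root):
    """Return (tag, message) for every violated MUST found under root."""
    problems = []
    for dp in root.iter("DetectionPattern"):
        # Section 3.10.1: Description or DetectionConfiguration MUST be present.
        if not has_child(dp, "Description", "DetectionConfiguration"):
            problems.append(("DetectionPattern",
                             "needs Description or DetectionConfiguration"))
    for method in root.iter("Method"):
        # Section 3.11: an instance of one of the child classes MUST be present.
        if len(method) == 0:
            problems.append(("Method", "needs at least one child class"))
    for ref in root.iter("Reference"):
        # Section 3.11.1: ReferenceName, URL or Description MUST be present.
        if not has_child(ref, "ReferenceName", "URL", "Description"):
            problems.append(("Reference", "needs ReferenceName, URL or Description"))
    for assessment in root.iter("Assessment"):
        # Section 3.12: at least one of the five impact classes MUST be present.
        if not has_child(assessment, *IMPACT_CLASSES):
            problems.append(("Assessment", "needs one of " + ", ".join(IMPACT_CLASSES)))
    for conf in root.iter("Confidence"):
        # Section 3.12.5: content only when rating="numeric"; otherwise MUST be empty.
        text = (conf.text or "").strip()
        numeric = conf.get("rating") == "numeric"
        if numeric and not text:
            problems.append(("Confidence", "rating=numeric but no numeric content"))
        elif not numeric and text:
            problems.append(("Confidence", "content present but rating is not numeric"))
    return problems


def time_impact_hours(elem):
    """Normalise one TimeImpact to hours; duration defaults to 'hour'."""
    unit = elem.get("duration", "hour")
    if unit not in HOURS_PER_UNIT:  # ext-value or unknown unit: cannot convert
        raise ValueError("unsupported duration unit: %s" % unit)
    return float(elem.text) * HOURS_PER_UNIT[unit]


def run_example():
    """Parse SAMPLE; return its constraint violations and TimeImpacts in hours."""
    root = ET.fromstring(SAMPLE.strip())
    hours = [(t.get("metric"), time_impact_hours(t)) for t in root.iter("TimeImpact")]
    return check_constraints(root), hours


if __name__ == "__main__":
    violations, hours = run_example()
    for tag, msg in violations:
        print("%s: %s" % (tag, msg))
    print(hours)
```

   Run stand-alone, the program reports one violation each for the
   DetectionPattern without Description or DetectionConfiguration, the
   empty Method, the Assessment carrying no impact class, and the
   Confidence whose rating is "high" but which still has content; the
   two TimeImpacts normalise to 48 and 90 hours. A schema validator
   catches only the structural part of these rules, so the
   content-dependent ones (Confidence, the "at least one of" sets) are
   worth keeping as application checks.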
   +-------------------------+
   |       HistoryItem       |
   +-------------------------+
   | ENUM action             |<>----------[ DateTime ]
   | STRING ext-action       |<>--{0..1}--[ IncidentID ]
   | ENUM restriction        |<>--{0..1}--[ Contact ]
   | STRING ext-restriction  |<>--{0..*}--[ Description ]
   | ID observable-id        |<>--{0..*}--[ DefinedCOA ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                      Figure 28: HistoryItem Class

   The aggregate classes of the HistoryItem class are:

   DateTime
      One. DATETIME. A timestamp of this entry in the history log.

   IncidentID
      Zero or one. In a history log created by multiple parties, the
      IncidentID provides a mechanism to specify which CSIRT created a
      particular entry and references this organization's tracking
      number. When a single organization is maintaining the log, this
      class can be ignored. See Section 3.4.

   Contact
      Zero or one. Provides contact information for the entity that
      performed the action documented in this class. See Section 3.9.

   Description
      Zero or more. ML_STRING. A free-form text description of the
      action or event.

   DefinedCOA
      Zero or more. STRING. An identifier meaningful to the sender and
      recipient of this document that references a course of action.
      This class MUST be present if the action attribute is set to
      "defined-coa".

   AdditionalData
      Zero or more. EXTENSION. A mechanism by which to extend the data
      model.

   The attributes of the HistoryItem class are:

   action
      Required. ENUM. Classifies a performed action or occurrence
      documented in this history log entry. Activity will likely have
      been instigated either through a previously conveyed expectation
      or internal investigation. This attribute is identical to the
      action attribute of the Expectation class. The difference is only
      one of tense. When an action is in this class, it has been
      completed. See Section 3.15.

   ext-action
      Optional. STRING. A means by which to extend the action
      attribute. See Section 5.1.1.

   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.

   observable-id
      Optional. ID. See Section 3.3.2.

3.14. EventData Class

   The EventData class is a container class to organize data about
   events that occurred during an incident.

   +-------------------------+
   |        EventData        |
   +-------------------------+
   | ENUM restriction        |<>--{0..*}--[ Description ]
   | STRING ext-restriction  |<>--{0..1}--[ DetectTime ]
   | ID observable-id        |<>--{0..1}--[ StartTime ]
   |                         |<>--{0..1}--[ EndTime ]
   |                         |<>--{0..1}--[ RecoveryTime ]
   |                         |<>--{0..1}--[ ReportTime ]
   |                         |<>--{0..*}--[ Contact ]
   |                         |<>--{0..*}--[ Discovery ]
   |                         |<>--{0..1}--[ Assessment ]
   |                         |<>--{0..*}--[ Method ]
   |                         |<>--{0..*}--[ Flow ]
   |                         |<>--{0..*}--[ Expectation ]
   |                         |<>--{0..1}--[ Record ]
   |                         |<>--{0..*}--[ EventData ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                     Figure 29: The EventData Class

   The aggregate classes of the EventData class are:

   Description
      Zero or more. ML_STRING. A free-form text description of the
      event.

   DetectTime
      Zero or one. DATETIME. The time the event was detected.

   StartTime
      Zero or one. DATETIME. The time the event started.

   EndTime
      Zero or one. DATETIME. The time the event ended.

   RecoveryTime
      Zero or one. DATETIME. The time the site recovered from the
      event.

   ReportTime
      One. DATETIME. The time the event was reported.

   Contact
      Zero or more. Contact information for the parties involved in the
      event. See Section 3.9.

   Discovery
      Zero or more. The means by which the event was detected. See
      Section 3.10.

   Assessment
      Zero or one. The impact of the event on the victim and the
      actions taken. See Section 3.12.

   Method
      Zero or more. The technique used by the threat actor in the
      event. See Section 3.11.

   Flow
      Zero or more. A description of the systems or networks involved.
      See Section 3.16.

   Expectation
      Zero or more. The expected action to be performed by the
      recipient for the described event. See Section 3.15.

   Record
      Zero or one. Supportive data (e.g., log files) that provides
      additional information about the event. See Section 3.22.

   EventData
      Zero or more. A recursive definition of the EventData class. See
      Section 3.14.2 for an explanation on using this class.

   AdditionalData
      Zero or more. EXTENSION. An extension mechanism for data not
      explicitly represented in the data model.

   At least one of the aggregate classes MUST be present in an instance
   of the EventData class.

   The attributes of the EventData class are:

   restriction
      Optional. ENUM. See Section 3.3.1. The default value is
      "default".

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.

   observable-id
      Optional. ID. See Section 3.3.2.

3.14.1. Relating the Incident and EventData Classes

   There is substantial overlap in the child classes aggregated in the
   Incident and EventData classes. Nevertheless, the semantics of these
   classes are quite different. The Incident class provides summary
   information about the entire incident, while the EventData class
   provides information about the individual events comprising the
   incident. In the common case, the EventData class will provide more
   specific information for the general description provided in the
   Incident class. However, in the case where the summarized
   information in the Incident class conflicts with the detailed
   information in an EventData class, the more specific EventData class
   MUST supersede the more generic information provided in the Incident
   class.

3.14.2. Recursive Definition of EventData

   The EventData class is a container for the properties of an event in
   an incident. These properties include: the hosts involved, impact of
   the incident activity on the hosts, forensic logs, etc. The
   recursive definition of EventData allows for the grouping of related
   information with common properties. This approach eliminates the
   need for explicit identifiers to relate information or duplicate it.
   Instead, the relative depth (nesting) of a class is used to group
   (relate) information.

   For example, consider a case where two hosts experience different
   impacts during an incident. However, these two hosts have common
   contact information. A depiction of how this situation would be
   represented can be found in Figure 30. EventData (2) and (3) group
   each of the two hosts with their unique impact. EventData (1)
   describes the common Contact class these two hosts share.

   +------------------+
   |  EventData (1)   |
   +------------------+
   |                  |<>----[ Contact ]
   |                  |
   |                  |<>----[ EventData (2) ]<>----[ Flow ]
   |                  |      [               ]<>----[ Assessment ]
   |                  |
   |                  |<>----[ EventData (3) ]<>----[ Flow ]
   |                  |      [               ]<>----[ Assessment ]
   +------------------+

                Figure 30: Recursion in the EventData Class

3.15. Expectation Class

   The Expectation class conveys to the recipient of the IODEF document
   the actions the sender is requesting.
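   The grouping-by-depth rule of Section 3.14.2 and the precedence rule
   of Section 3.14.1 only pay off if the consumer actually propagates
   context down the nesting and lets the more specific level win. The
   Python program below is an added example, not part of this draft or
   of any IODEF implementation, that flattens a document shaped like
   Figure 30 into one record per leaf EventData. It uses unqualified
   element names (no namespace), a constructed sample document, and the
   System/Node/Address structure of Sections 3.17 and 3.18, which lie
   outside this excerpt; 192.0.2.0/24 is documentation address space.
   Applying the Incident-versus-EventData precedence rule between two
   nested EventData levels as well is this example's own assumption.

```python
import xml.etree.ElementTree as ET

# Constructed fragment (not from the draft) mirroring Figure 30: EventData (1)
# carries the Contact shared by the hosts; EventData (2) and (3) each pair
# one host with its own Assessment; a third child has no Assessment at all,
# so the Incident-level summary Assessment applies to it.
SAMPLE = """
<Incident>
  <Assessment>
    <SystemImpact type="unknown"/>
  </Assessment>
  <EventData>
    <Contact type="organization" role="creator">
      <ContactName>Example CSIRT</ContactName>
    </Contact>
    <EventData>
      <Flow><System category="target"><Node>
        <Address category="ipv4-addr">192.0.2.10</Address></Node></System></Flow>
      <Assessment><SystemImpact type="takeover-system"/></Assessment>
    </EventData>
    <EventData>
      <Flow><System category="target"><Node>
        <Address category="ipv4-addr">192.0.2.11</Address></Node></System></Flow>
      <Assessment><SystemImpact type="availability-service"/></Assessment>
    </EventData>
    <EventData>
      <Flow><System category="target"><Node>
        <Address category="ipv4-addr">192.0.2.12</Address></Node></System></Flow>
    </EventData>
  </EventData>
</Incident>
"""


def impact_type(container):
    """SystemImpact type of the Assessment directly under container, or None."""
    si = container.find("Assessment/SystemImpact")
    return si.get("type") if si is not None else None


def resolve_events(incident):
    """Flatten nested EventData into one record per leaf, inheriting context.

    Contacts accumulate down the nesting (Section 3.14.2: relative depth
    groups information).  The effective impact is the most specific
    Assessment on the path from the leaf up to the Incident (Section
    3.14.1: the more specific EventData supersedes the Incident summary);
    applying that rule between nested EventData levels is an assumption
    of this example.
    """
    records = []

    def walk(event, depth, contacts, impact):
        contacts = contacts + [c.findtext("ContactName")
                               for c in event.findall("Contact")]
        impact = impact_type(event) or impact  # more specific level wins
        children = event.findall("EventData")
        if not children:
            hosts = [a.text for a in event.iter("Address")]
            records.append({"depth": depth, "hosts": hosts,
                            "contacts": contacts, "impact": impact})
        for child in children:
            walk(child, depth + 1, contacts, impact)

    for top in incident.findall("EventData"):
        walk(top, 1, [], impact_type(incident))
    return records


def run_example():
    """Resolve the constructed SAMPLE document."""
    return resolve_events(ET.fromstring(SAMPLE.strip()))


if __name__ == "__main__":
    for rec in run_example():
        print(rec)
```

   Each of the three leaf records comes out at depth 2 with the single
   shared contact attached, which is exactly the deduplication the
   recursive definition is meant to buy; the two hosts with their own
   Assessment keep it, and the third falls back to the Incident-level
   "unknown".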
   +-------------------------+
   | Expectation             |
   +-------------------------+
   | ENUM action             |<>--{0..*}--[ Description ]
   | STRING ext-action       |<>--{0..*}--[ DefinedCOA ]
   | ENUM severity           |<>--{0..1}--[ StartTime ]
   | ENUM restriction        |<>--{0..1}--[ EndTime ]
   | STRING ext-restriction  |<>--{0..1}--[ Contact ]
   | ID observable-id        |
   +-------------------------+

                     Figure 31: The Expectation Class

   The aggregate classes of the Expectation class are:

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      desired action(s).

   DefinedCOA
      Zero or more.  STRING.  A unique identifier meaningful to the
      sender and recipient of this document that references a course of
      action.  This class MUST be present if the action attribute is set
      to "defined-coa".

   StartTime
      Zero or one.  DATETIME.  The time at which the sender would like
      the action performed.  A timestamp that is earlier than the
      ReportTime specified in the Incident class denotes that the sender
      would like the action performed as soon as possible.  The absence
      of this element indicates that the sender has no expectation of
      when the action will be performed.

   EndTime
      Zero or one.  DATETIME.  The time by which the sender expects the
      recipient to complete the action.  If the recipient cannot
      complete the action before EndTime, the recipient MUST NOT carry
      out the action.  Because of transit delays and clock drift, the
      sender MUST be prepared for the recipient to have carried out the
      action even if it completes past EndTime.

   Contact
      Zero or one.  The entity expected to perform the action.  See
      Section 3.9.

   The attributes of the Expectation class are:

   action
      Optional.  ENUM.  Classifies the type of action requested.  The
      default value is "other".  These values are maintained in the
      "Expectation-action" IANA registry per Section 10.2.

      1.   nothing.  No action is requested.  Do nothing with the
           information.

      2.   contact-source-site.  Contact the site(s) identified as the
           source of the activity.

      3.   contact-target-site.  Contact the site(s) identified as the
           target of the activity.

      4.   contact-sender.  Contact the originator of the document.

      5.   investigate.  Investigate the system(s) listed in the event.

      6.   block-host.  Block traffic from the machine(s) listed as
           sources in the event.

      7.   block-network.  Block traffic from the network(s) listed as
           sources in the event.

      8.   block-port.  Block the port(s) listed as sources in the
           event.

      9.   rate-limit-host.  Rate-limit the traffic from the machine(s)
           listed as sources in the event.

      10.  rate-limit-network.  Rate-limit the traffic from the
           network(s) listed as sources in the event.

      11.  rate-limit-port.  Rate-limit the port(s) listed as sources in
           the event.

      12.  redirect-traffic.  Redirect traffic from the intended
           recipient for further analysis.

      13.  honeypot.  Redirect traffic from systems listed in the event
           to a honeypot for further analysis.

      14.  upgrade-software.  Upgrade or patch the software or firmware
           on an asset listed in the event.

      15.  rebuild-asset.  Reinstall the operating system or
           applications on an asset listed in the event.

      16.  harden-asset.  Change the configuration of an asset listed in
           the event to reduce the attack surface.

      17.  remediate-other.  Remediate the activity in a way other than
           by rate limiting or blocking.

      18.  status-triage.  Confirm receipt and begin triaging the
           incident.

      19.  status-new-info.  Notify the sender when new information is
           received for this incident.

      20.  watch-and-report.  Watch for the described activity or
           indicators, and notify the sender when seen.

      21.  training.  Train users to identify or mitigate the described
           threat.

      22.  defined-coa.  Perform a predefined course of action (COA).
           The COA is named in the DefinedCOA class.

      23.  other.  Perform a custom action described in the Description
           class.

      24.  ext-value.  A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute.  See Section 5.1.1.

   ext-action
      Optional.  STRING.  A means by which to extend the action
      attribute.  See Section 5.1.1.

   severity
      Optional.  ENUM.  Indicates the desired priority of the action.
      This attribute is an enumerated list with no default value, and
      the semantics of these relative measures are context dependent.

      1.  low.  Low priority

      2.  medium.  Medium priority

      3.  high.  High priority

   restriction
      Optional.  ENUM.  See Section 3.3.1.  The default value is
      "default".

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.16.  Flow Class

   The Flow class describes the systems and networks involved in the
   incident, and the relationships between them.

   +------------------+
   | Flow             |
   +------------------+
   |                  |<>--{1..*}--[ System ]
   +------------------+

                        Figure 32: The Flow Class

   The aggregate class of the Flow class is:

   System
      One or more.  A host or network involved in an event.  See
      Section 3.17.

   The Flow class has no attributes.

3.17.  System Class

   The System class describes a system or network involved in an event.
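   Before the System class is detailed, the following is an added
   example (not part of this draft) that applies the timing and
   DefinedCOA rules of the Expectation class (Section 3.15, Figure 31)
   to a constructed fragment.  It assumes un-namespaced elements (real
   documents carry the IODEF namespace) and a simplified Incident
   layout with ReportTime directly under Incident and the Expectations
   under EventData; the recipient's estimate of how long an action takes
   is this example's own assumption, as the draft leaves it to the
   recipient.

```python
"""Evaluate the Expectation class (Figure 31) of an IODEF v2 fragment.

Added example, not part of the draft.  Assumes un-namespaced elements and
a simplified Incident layout (ReportTime under Incident, Expectations
under EventData).  Rules applied are the ones stated in the text:
  * DefinedCOA MUST be present when action="defined-coa";
  * a StartTime earlier than the Incident's ReportTime means "as soon as
    possible", and no StartTime means no timing expectation;
  * if the action cannot be completed before EndTime, the recipient
    MUST NOT carry it out.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# Constructed sample: ReportTime 10:00Z, three Expectations (the last is invalid).
SAMPLE = """<Incident purpose="mitigation">
  <IncidentID name="csirt.example.com">INC-2016-0001</IncidentID>
  <ReportTime>2016-05-10T10:00:00Z</ReportTime>
  <EventData>
    <Expectation action="block-host" severity="high">
      <Description>Block the scanning host at the border</Description>
      <StartTime>2016-05-10T09:00:00Z</StartTime>
      <EndTime>2016-05-10T12:00:00Z</EndTime>
    </Expectation>
    <Expectation action="defined-coa">
      <DefinedCOA>coa-playbook-42</DefinedCOA>
    </Expectation>
    <Expectation action="defined-coa">
      <Description>invalid: no DefinedCOA element</Description>
    </Expectation>
  </EventData>
</Incident>"""


def parse_dt(text):
    """Parse an IODEF DATETIME (xs:dateTime); 'Z' is accepted as UTC."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def validate_expectation(exp):
    """Return the list of constraint violations found in one Expectation."""
    problems = []
    action = exp.get("action", "other")          # the default value is "other"
    if action == "defined-coa" and exp.find("DefinedCOA") is None:
        problems.append("action='defined-coa' requires a DefinedCOA element")
    if action == "ext-value" and not exp.get("ext-action"):
        problems.append("action='ext-value' requires the ext-action attribute")
    start, end = exp.find("StartTime"), exp.find("EndTime")
    if start is not None and end is not None and parse_dt(start.text) > parse_dt(end.text):
        problems.append("StartTime is later than EndTime")
    return problems


def schedule(exp, report_time, now, expected_duration):
    """Decide how the recipient should treat an Expectation at time `now`.

    expected_duration is the recipient's own estimate of how long the action
    takes (an assumption of this example; the draft leaves it to the recipient).
    Returns "no-action", "must-not-run", "asap", "no-schedule" or "at:<time>".
    """
    if exp.get("action", "other") == "nothing":
        return "no-action"
    end = exp.find("EndTime")
    if end is not None and now + expected_duration > parse_dt(end.text):
        return "must-not-run"   # cannot finish before EndTime: MUST NOT carry out
    start = exp.find("StartTime")
    if start is None:
        return "no-schedule"    # no StartTime: no expectation about timing
    when = parse_dt(start.text)
    if when < report_time:
        return "asap"           # StartTime before ReportTime: as soon as possible
    return "at:" + when.isoformat()


def evaluate(xml_text, now_iso, expected_minutes=30):
    """Apply both checks to every Expectation in an Incident fragment.

    Returns a list of (action, problems, decision) tuples in document order.
    """
    incident = ET.fromstring(xml_text)
    report_time = parse_dt(incident.findtext("ReportTime"))
    now = parse_dt(now_iso)
    duration = timedelta(minutes=expected_minutes)
    return [(exp.get("action", "other"),
             validate_expectation(exp),
             schedule(exp, report_time, now, duration))
            for exp in incident.iter("Expectation")]


if __name__ == "__main__":
    for row in evaluate(SAMPLE, "2016-05-10T10:05:00Z"):
        print(row)
```

   Evaluated at 10:05Z with a 30-minute estimate, the first Expectation
   is reported as "asap" (its StartTime precedes the ReportTime); the
   same Expectation evaluated at 11:45Z becomes "must-not-run" because
   the action would complete after EndTime.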
   +------------------------+
   | System                 |
   +------------------------+
   | ENUM category          |<>----------[ Node ]
   | STRING ext-category    |<>--{0..*}--[ NodeRole ]
   | STRING interface       |<>--{0..*}--[ Service ]
   | ENUM spoofed           |<>--{0..*}--[ OperatingSystem ]
   | ENUM virtual           |<>--{0..*}--[ Counter ]
   | ENUM ownership         |<>--{0..*}--[ AssetID ]
   | STRING ext-ownership   |<>--{0..*}--[ Description ]
   | ENUM restriction       |<>--{0..*}--[ AdditionalData ]
   | STRING ext-restriction |
   +------------------------+

                       Figure 33: The System Class

   The aggregate classes of the System class are:

   Node
      One.  A host or network involved in the incident.  See
      Section 3.18.

   NodeRole
      Zero or more.  The intended purpose of the system.  See
      Section 3.18.2.

   Service
      Zero or more.  A network service running on the system.  See
      Section 3.20.

   OperatingSystem
      Zero or more.  SOFTWARE.  The operating system running on the
      system.

   Counter
      Zero or more.  A counter with which to summarize properties of
      this host or network.  See Section 3.18.3.

   AssetID
      Zero or more.  STRING.  An asset identifier for the System.

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      System.

   AdditionalData
      Zero or more.  EXTENSION.  A mechanism by which to extend the data
      model.

   The attributes of the System class are:

   category
      Optional.  ENUM.  Classifies the role the host or network played
      in the incident.  These values are maintained in the "System-
      category" IANA registry per Section 10.2.

      1.  source.  The System was the source of the event.

      2.  target.  The System was the target of the event.

      3.  intermediate.  The System was an intermediary in the event.

      4.  sensor.  The System was a sensor monitoring the event.

      5.  infrastructure.  The System was an infrastructure node of
          IODEF document exchange.

      6.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-category
      Optional.  STRING.  A means by which to extend the category
      attribute.  See Section 5.1.1.

   interface
      Optional.  STRING.  Specifies the interface on which the event(s)
      on this System originated.  If the Node class specifies a network
      rather than a host, this attribute has no meaning.

   spoofed
      Optional.  ENUM.  An indication of confidence in whether this
      System was the true target or attacking host.  The permitted
      values for this attribute are shown below.  The default value is
      "unknown".

      1.  unknown.  The accuracy of the category attribute value is
          unknown.

      2.  yes.  The category attribute value is likely incorrect.  In
          the case of a source, the System is likely a decoy; with a
          target, the System was likely not the intended victim.

      3.  no.  The category attribute value is believed to be correct.

   virtual
      Optional.  ENUM.  Indicates whether this System is a virtual or
      physical device.  The default value is "unknown".

      1.  yes.  The System is a virtual device.

      2.  no.  The System is a physical device.

      3.  unknown.  It is not known if the System is virtual.

   ownership
      Optional.  ENUM.  Describes the ownership of this System relative
      to the victim in the incident.  These values are maintained in the
      "System-ownership" IANA registry per Section 10.2.

      1.  organization.  Corporate or enterprise-owned.

      2.  personal.  Personally owned by an employee or affiliate of the
          corporation or enterprise.

      3.  partner.  Owned by a partner of the corporation or enterprise.

      4.  customer.  Owned by a customer of the corporation or
          enterprise.

      5.  no-relationship.  Owned by an entity that has no known
          relationship with the victim organization.

      6.  unknown.  Ownership is unknown.

      7.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-ownership
      Optional.  STRING.  A means by which to extend the ownership
      attribute.  See Section 5.1.1.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.18.  Node Class

   The Node class identifies a system, asset, or network, and its
   location.

   +---------------+
   | Node          |
   +---------------+
   |               |<>--{0..*}--[ DomainData ]
   |               |<>--{0..*}--[ Address ]
   |               |<>--{0..1}--[ PostalAddress ]
   |               |<>--{0..*}--[ Location ]
   |               |<>--{0..*}--[ Counter ]
   +---------------+

                        Figure 34: The Node Class

   The aggregate classes of the Node class are:

   DomainData
      Zero or more.  The domain (DNS) information associated with this
      Node.  If an Address is not provided, at least one DomainData MUST
      be specified.  See Section 3.19.

   Address
      Zero or more.  The hardware, network, or application address of
      the Node.  If a DomainData is not provided, at least one Address
      MUST be specified.  See Section 3.18.1.

   PostalAddress
      Zero or one.  POSTAL.  The postal address of the node.

   Location
      Zero or more.  ML_STRING.  A free-form text description of the
      physical location of the Node.  This description may provide a
      more detailed description of where in the PostalAddress this Node
      is found (e.g., room number, rack number, slot number in a
      chassis).

   Counter
      Zero or more.  A counter with which to summarize properties of
      this host or network.  See Section 3.18.3.

   The Node class has no attributes.

3.18.1.  Address Class

   The Address class represents a hardware (layer-2), network (layer-3),
   or application (layer-7) address.

   +-------------------------+
   | Address                 |
   +-------------------------+
   | STRING                  |
   |                         |
   | ENUM category           |
   | STRING ext-category     |
   | STRING vlan-name        |
   | INTEGER vlan-num        |
   | ID observable-id        |
   +-------------------------+

                       Figure 35: The Address Class

   The content of the class is an address of type STRING whose semantics
   are determined by the category attribute.

   The attributes of the Address class are:

   category
      Required.  ENUM.  The type of address represented.  The default
      value is "ipv6-addr".  These values are maintained in the
      "Address-category" IANA registry per Section 10.2.

      1.   asn.  Autonomous System Number.

      2.   atm.  Asynchronous Transfer Mode (ATM) address.

      3.   e-mail.  Email address (RFC 822).

      4.   ipv4-addr.  IPv4 host address in dotted-decimal notation
           (a.b.c.d).

      5.   ipv4-net.  IPv4 network address in dotted-decimal notation,
           slash, significant bits (i.e., a.b.c.d/nn).

      6.   ipv4-net-mask.  IPv4 network address in dotted-decimal
           notation, slash, network mask in dotted-decimal notation
           (i.e., a.b.c.d/w.x.y.z).

      7.   ipv6-addr.  IPv6 host address.

      8.   ipv6-net.  IPv6 network address, slash, significant bits.

      9.   ipv6-net-mask.  IPv6 network address, slash, network mask.

      10.  mac.  Media Access Control (MAC) address (i.e., a:b:c:d:e:f).

      11.  site-uri.  A URL or URI for a resource.

      12.  ext-value.  A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute.  See Section 5.1.1.

   ext-category
      Optional.  STRING.  A means by which to extend the category
      attribute.  See Section 5.1.1.

   vlan-name
      Optional.  STRING.  The name of the Virtual LAN to which the
      address belongs.

   vlan-num
      Optional.  INTEGER.  The number of the Virtual LAN to which the
      address belongs.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.18.2.  NodeRole Class

   The NodeRole class describes the function performed by or role of a
   particular system, asset, or network.

   +-----------------------+
   | NodeRole              |
   +-----------------------+
   | ENUM category         |<>--{0..*}--[ Description ]
   | STRING ext-category   |
   +-----------------------+

                      Figure 36: The NodeRole Class

   The aggregate class of the NodeRole class is:

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      role of the system.

   The attributes of the NodeRole class are:

   category
      Required.  ENUM.  Function or role of a node.  These values are
      maintained in the "NodeRole-category" IANA registry per
      Section 10.2.

      1.   client.  Client computer.

      2.   client-enterprise.  Client computer on the enterprise
           network.

      3.   client-partner.  Client computer on the network of a partner.

      4.   client-remote.  Client computer remotely connected to the
           enterprise network.

      5.   client-kiosk.  Client computer serving as a kiosk.

      6.   client-mobile.  Mobile device.

      7.   server-internal.  Server with internal services.

      8.   server-public.  Server with public services.

      9.   www.  WWW server.

      10.  mail.  Mail server.

      11.  webmail.  Web mail server.

      12.  messaging.  Messaging server (e.g., NNTP, IRC, IM).

      13.  streaming.  Streaming-media server.

      14.  voice.  Voice server (e.g., SIP, H.323).

      15.  file.  File server.

      16.  ftp.  FTP server.

      17.  p2p.  Peer-to-peer node.

      18.  name.  Name server (e.g., DNS, WINS).

      19.  directory.  Directory server (e.g., LDAP, finger, whois).

      20.  credential.  Credential server (e.g., domain controller,
           Kerberos).

      21.  print.  Print server.

      22.  application.  Application server.

      23.  database.  Database server.

      24.  backup.  Backup server.
      25.  dhcp.  DHCP server.

      26.  assessment.  Assessment server (e.g., vulnerability scanner,
           end-point assessment).

      27.  source-control.  Source code control server.

      28.  config-management.  Configuration management server.

      29.  monitoring.  Security monitoring server (e.g., IDS).

      30.  infra.  Infrastructure server (e.g., router, firewall, DHCP).

      31.  infra-firewall.  Firewall.

      32.  infra-router.  Router.

      33.  infra-switch.  Switch.

      34.  camera.  Camera and video system.

      35.  proxy.  Proxy server.

      36.  remote-access.  Remote access server.

      37.  log.  Log server (e.g., syslog).

      38.  virtualization.  Server running virtual machines.

      39.  pos.  Point-of-sale device.

      40.  scada.  Supervisory control and data acquisition (SCADA)
           system.

      41.  scada-supervisory.  Supervisory system for a SCADA.

      42.  sinkhole.  Traffic sinkhole destination.

      43.  honeypot.  Honeypot server.

      44.  anonymization.  Anonymization server (e.g., Tor node).

      45.  c2-server.  Malicious command and control server.

      46.  malware-distribution.  Server that distributes malware.

      47.  drop-server.  Server to which exfiltrated content is
           uploaded.

      48.  hop-point.  Intermediary server used to get to a victim.

      49.  reflector.  A system used in a reflector attack.

      50.  phishing-site.  Site hosting phishing content.

      51.  spear-phishing-site.  Site hosting spear-phishing content.

      52.  recruiting-site.  Site used to recruit.

      53.  fraudulent-site.  Fraudulent site.

      54.  ext-value.  A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute.  See Section 5.1.1.

   ext-category
      Optional.  STRING.  A means by which to extend the category
      attribute.  See Section 5.1.1.

3.18.3.  Counter Class

   The Counter class summarizes multiple occurrences of an event or
   conveys counts or rates of various features.
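   Returning to the Node and Address classes of Sections 3.18 and
   3.18.1, the following is an added example (not part of this draft)
   that checks a constructed Flow fragment against the rules stated
   there: a Node needs at least one Address or one DomainData, the
   content of an Address must have the syntax its category attribute
   announces ("ipv6-addr" being the default), and category="ext-value"
   needs ext-category.  Elements are un-namespaced for brevity.  The
   MAC and ASN syntaxes are this example's own reading of "a:b:c:d:e:f"
   and "Autonomous System Number" (decimal, optionally prefixed "AS"),
   and nothing is checked for "atm".

```python
"""Check the Node and Address classes (Sections 3.18 and 3.18.1).

Added example, not part of the draft.  Un-namespaced elements.  Rules
applied: a Node needs at least one Address or DomainData; the content of
an Address must match the syntax of its category attribute, with
"ipv6-addr" as the default category; category="ext-value" needs
ext-category.  MAC and ASN syntaxes are assumptions of this example; no
syntax is checked for "atm".
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

MAC_RE = re.compile(r"^[0-9A-Fa-f]{1,2}(:[0-9A-Fa-f]{1,2}){5}$")
ASN_RE = re.compile(r"^(AS)?[0-9]+$")

# Constructed sample using documentation address ranges.  The target Node
# carries two bad Addresses; the intermediate Node has no Address at all.
SAMPLE = """<Flow>
  <System category="source" spoofed="no">
    <Node>
      <Address category="ipv4-addr">192.0.2.10</Address>
      <Address category="ipv4-net-mask">192.0.2.0/255.255.255.0</Address>
      <Address category="mac">00:00:5e:00:53:01</Address>
      <Address>2001:db8::1</Address>
    </Node>
  </System>
  <System category="target">
    <Node>
      <Address category="ipv6-net-mask">2001:db8::/ffff:ffff:ffff:ffff::</Address>
      <Address category="ipv4-addr">2001:db8::2</Address>
      <Address category="ext-value">x</Address>
    </Node>
  </System>
  <System category="intermediate">
    <Node><Location>rack 7, slot 3</Location></Node>
  </System>
</Flow>"""


def _ip_version_check(obj, version):
    if obj.version != version:
        raise ValueError(f"expected IPv{version}, got IPv{obj.version}")


def _v6_mask_to_prefix(mask):
    """IPv6 netmask (ffff:ffff::) to prefix length; the ipaddress module
    only accepts prefix lengths for IPv6, so contiguity is checked by hand."""
    bits = int(ipaddress.IPv6Address(mask))
    prefix = bin(bits).count("1")
    if bits != (1 << 128) - (1 << (128 - prefix)):
        raise ValueError("non-contiguous IPv6 mask")
    return prefix


def check_address(elem):
    """Return None if the Address element is well formed, else an error string."""
    category = elem.get("category", "ipv6-addr")
    value = (elem.text or "").strip()
    try:
        if category == "ipv4-addr":
            _ip_version_check(ipaddress.ip_address(value), 4)
        elif category == "ipv6-addr":
            _ip_version_check(ipaddress.ip_address(value), 6)
        elif category in ("ipv4-net", "ipv4-net-mask"):
            if "/" not in value:
                raise ValueError("missing '/' prefix or mask")
            # ip_network accepts both a.b.c.d/nn and a.b.c.d/w.x.y.z for IPv4
            _ip_version_check(ipaddress.ip_network(value, strict=False), 4)
        elif category in ("ipv6-net", "ipv6-net-mask"):
            if "/" not in value:
                raise ValueError("missing '/' prefix or mask")
            net, mask = value.split("/", 1)
            if ":" in mask:
                mask = str(_v6_mask_to_prefix(mask))
            _ip_version_check(ipaddress.ip_network(f"{net}/{mask}", strict=False), 6)
        elif category == "mac":
            if not MAC_RE.match(value):
                raise ValueError("not a MAC address")
        elif category == "asn":
            if not ASN_RE.match(value):
                raise ValueError("not an AS number")
        elif category == "e-mail":
            if value.count("@") != 1 or "." not in value.split("@")[1]:
                raise ValueError("not an e-mail address")
        elif category == "site-uri":
            if ":" not in value:
                raise ValueError("not a URI (no scheme)")
        elif category == "ext-value":
            if not elem.get("ext-category"):
                raise ValueError("ext-value without ext-category")
        elif category != "atm":
            raise ValueError("unknown category")
    except ValueError as e:
        return f"{category} {value!r}: {e}"
    return None


def check_node(node):
    """Errors for one Node: bad Addresses plus the Address/DomainData rule."""
    errors = [e for e in map(check_address, node.findall("Address")) if e]
    if node.find("Address") is None and node.find("DomainData") is None:
        errors.append("Node needs at least one Address or one DomainData")
    return errors


def check_flow(xml_text):
    """Map each System's category to the errors found in its Node."""
    flow = ET.fromstring(xml_text)
    return {s.get("category"): check_node(s.find("Node")) for s in flow.findall("System")}


if __name__ == "__main__":
    for category, errors in check_flow(SAMPLE).items():
        print(category, errors or "ok")
```

   On the sample, the source Node passes, the target Node yields two
   errors (an IPv6 literal under category "ipv4-addr", and "ext-value"
   without ext-category), and the intermediate Node fails the
   Address/DomainData rule.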
   The complete semantics of this class are context dependent based on
   the class in which it is aggregated.

   +---------------------+
   | Counter             |
   +---------------------+
   | REAL                |
   |                     |
   | ENUM type           |
   | STRING ext-type     |
   | ENUM unit           |
   | STRING ext-unit     |
   | STRING meaning      |
   | ENUM duration       |
   | STRING ext-duration |
   +---------------------+

                       Figure 37: The Counter Class

   The content of the class is a value of type REAL whose meaning and
   units are determined by the type and duration attributes,
   respectively.  If the duration attribute is present, the element
   content is a rate.  Otherwise, it is a simple counter.

   The attributes of the Counter class are:

   type
      Required.  ENUM.  Specifies the type of counter specified in the
      element content.  These values are maintained in the "Counter-
      type" IANA registry per Section 10.2.

      1.  count.  The Counter class value is a counter.

      2.  peak.  The Counter class value is a peak value.

      3.  average.  The Counter class value is an average.

      4.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.1.

   unit
      Required.  ENUM.  Specifies the units of the element content.
      These values are maintained in the "Counter-unit" IANA registry
      per Section 10.2.

      1.   byte.  Bytes transferred.

      2.   mbit.  Megabits (Mbits) transferred.

      3.   packet.  Packets.

      4.   flow.  Network flow records.

      5.   session.  Sessions.

      6.   alert.  Notifications generated by another system (e.g., IDS
           or SIM).

      7.   message.  Messages (e.g., mail messages).

      8.   event.  Events.

      9.   host.  Hosts.

      10.  site.  Sites.

      11.  organization.  Organizations.

      12.  ext-value.  A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute.  See Section 5.1.1.

   ext-unit
      Optional.  STRING.  A means by which to extend the unit attribute.
      See Section 5.1.1.

   meaning
      Optional.  STRING.  A free-form text description of the metric
      represented by the Counter.

   duration
      Optional.  ENUM.  If present, the Counter class represents a rate.
      This attribute specifies the unit of time over which the rate
      whose units are specified in the unit attribute is being
      conveyed.  This attribute is the denominator of the rate (where
      the unit attribute specifies the numerator).  The possible values
      of this attribute are defined in the duration attribute of
      Section 3.12.3.

   ext-duration
      Optional.  STRING.  A means by which to extend the duration
      attribute.  See Section 5.1.1.

3.19.  DomainData Class

   The DomainData class describes a domain name and metadata associated
   with this domain.

   +--------------------------+
   | DomainData               |
   +--------------------------+
   | ENUM system-status       |<>----------[ Name ]
   | STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ]
   | ENUM domain-status       |<>--{0..1}--[ RegistrationDate ]
   | STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ]
   | ID observable-id         |<>--{0..*}--[ RelatedDNS ]
   |                          |<>--{0..*}--[ Nameservers ]
   |                          |<>--{0..1}--[ DomainContacts ]
   +--------------------------+

                     Figure 38: The DomainData Class

   The aggregate classes of the DomainData class are:

   Name
      One.  STRING.  The domain name of a system.

   DateDomainWasChecked
      Zero or one.  DATETIME.  A timestamp of when the domain listed in
      the Name class was resolved.

   RegistrationDate
      Zero or one.  DATETIME.  A timestamp of when the domain listed in
      the Name class was registered.

   ExpirationDate
      Zero or one.  DATETIME.  A timestamp of when the domain listed in
      the Name class is set to expire.

   RelatedDNS
      Zero or more.  EXTENSION.  Additional DNS records associated with
      this domain.

   Nameservers
      Zero or more.  The name servers identified for the domain listed
      in the Name class.  See Section 3.19.1.

   DomainContacts
      Zero or one.  Contact information for the domain listed in the
      Name class, supplied by the registrar or through a whois query.

   The attributes of the DomainData class are:

   system-status
      Required.  ENUM.  Assesses the domain's involvement in the event.
      These values are maintained in the "DomainData-system-status" IANA
      registry per Section 10.2.

      1.  spoofed.  This domain was spoofed.

      2.  fraudulent.  This domain was operated with fraudulent
          intentions.

      3.  innocent-hacked.  This domain was compromised by a third
          party.

      4.  innocent-hijacked.  This domain was deliberately hijacked.

      5.  unknown.  No categorization for this domain is known.

      6.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-system-status
      Optional.  STRING.  A means by which to extend the system-status
      attribute.  See Section 5.1.1.

   domain-status
      Required.  ENUM.  Categorizes the registry status of the domain at
      the time the document was generated.  These values and their
      associated descriptions are derived from Section 3.2.2 of
      [RFC3982].  These values are maintained in the "DomainData-domain-
      status" IANA registry per Section 10.2.

      1.   reservedDelegation.  The domain is permanently inactive.

      2.   assignedAndActive.  The domain is in a normal state.

      3.   assignedAndInactive.  The domain has an assigned registration
           but the delegation is inactive.

      4.   assignedAndOnHold.  The domain is in dispute.

      5.   revoked.  The domain is in the process of being purged from
           the database.

      6.   transferPending.  The domain is pending a change in
           authority.

      7.   registryLock.  The domain is on hold by the registry.

      8.   registrarLock.  Same as "registryLock".

      9.   other.  The domain has a known status, but it is not one of
           the predefined enumerated values.

      10.  unknown.  The domain has an unknown status.

      11.  ext-value.  A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute.  See Section 5.1.1.

   ext-domain-status
      Optional.  STRING.  A means by which to extend the domain-status
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.19.1.  Nameservers Class

   The Nameservers class describes the name servers associated with a
   given domain.

   +--------------------+
   | Nameservers        |
   +--------------------+
   |                    |<>----------[ Server ]
   |                    |<>--{1..*}--[ Address ]
   +--------------------+

                    Figure 39: The Nameservers Class

   The aggregate classes of the Nameservers class are:

   Server
      One.  STRING.  The domain name of the name server.

   Address
      One or more.  The address of the name server.  The value of the
      category attribute MUST be either "ipv4-addr" or "ipv6-addr".  See
      Section 3.18.1.

   The Nameservers class has no attributes.

3.19.2.  DomainContacts Class

   The DomainContacts class describes the contact information for a
   given domain provided either by the registrar or through a whois
   query.

   This contact information can be explicitly described through a
   Contact class, or a reference can be provided to a domain with
   identical contact information.  Either a single SameDomainContact
   MUST be present or one or more Contact classes.
   +--------------------+
   | DomainContacts     |
   +--------------------+
   |                    |<>--{0..1}--[ SameDomainContact ]
   |                    |<>--{1..*}--[ Contact ]
   +--------------------+

                   Figure 40: The DomainContacts Class

   The aggregate classes of the DomainContacts class are:

   SameDomainContact
      Zero or one.  STRING.  A domain name already cited in this
      document or through a previous exchange that contains the
      identical contact information as the domain name in question.
      The domain contact information associated with this domain should
      be used instead of an explicit definition with the Contact class.

   Contact
      One or more.  Contact information for the domain.  See
      Section 3.9.

   The DomainContacts class has no attributes.

3.20.  Service Class

   The Service class describes a network service.  The service is
   described by protocol, port, protocol header field, and the
   application providing or using the service.

   +-------------------------+
   | Service                 |
   +-------------------------+
   | INTEGER ip-protocol     |<>--{0..1}--[ ServiceName ]
   | ID observable-id        |<>--{0..1}--[ Port ]
   |                         |<>--{0..1}--[ Portlist ]
   |                         |<>--{0..1}--[ ProtoCode ]
   |                         |<>--{0..1}--[ ProtoType ]
   |                         |<>--{0..1}--[ ProtoField ]
   |                         |<>--{0..1}--[ ApplicationHeader ]
   |                         |<>--{0..1}--[ EmailData ]
   |                         |<>--{0..1}--[ Application ]
   +-------------------------+

                       Figure 41: The Service Class

   The aggregate classes of the Service class are:

   ServiceName
      Zero or one.  A protocol name.

   Port
      Zero or one.  INTEGER.  A port number.

   Portlist
      Zero or one.  PORTLIST.  A list of port numbers.

   ProtoCode
      Zero or one.  INTEGER.  A transport layer (layer 4) protocol-
      specific code field (e.g., ICMP code field).

   ProtoType
      Zero or one.  INTEGER.  A transport layer (layer 4) protocol-
      specific type field (e.g., ICMP type field).

   ProtoField
      Zero or one.  INTEGER.  A transport layer (layer 4) protocol-
      specific flag field (e.g., TCP flag field).

   ApplicationHeader
      Zero or one.  A protocol header.  See Section 3.20.2.

   EmailData
      Zero or one.  Headers associated with an email message.  See
      Section 3.21.

   Application
      Zero or one.  SOFTWARE.  The application acting as either the
      client or server for the service.

   At least one of these classes MUST be present.

   When a System class with category="source" and another with
   category="target" are aggregated into a single Flow class, and each
   of these System classes has a Service class with a Portlist, an
   implicit relationship between these Portlists exists.  If N ports are
   listed for the System@category="source" and M ports are listed for
   the System@category="target", N must be equal to M.  Likewise, the
   ports MUST be listed in an identical sequence such that the n-th port
   in the source corresponds to the n-th port of the target.  If N is
   greater than 1, a given instance of a Flow class MUST only have a
   single instance of a System@category="source" and of a
   System@category="target".

   The attributes of the Service class are:

   ip-protocol
      Optional.  INTEGER.  The IANA-assigned IP protocol number per
      [IANA.Protocols].  The attribute MUST be set if a Port, Portlist,
      ProtoCode, ProtoType, or ProtoField class is present.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.20.1.  ServiceName Class

   The ServiceName class identifies an application protocol.  It can be
   described by referencing an IANA-registered protocol, by a URL, or
   with free-form text.
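   The implicit source/target Portlist relationship of the Service
   class above is easy to get wrong when producing or consuming a Flow.
   The following is an added example (not part of this draft) that
   pairs the ports of a constructed Flow and reports the violations the
   text names: a Service with no child class, port or protocol fields
   without ip-protocol, unequal Portlist lengths, and N > 1 with more
   than one source or target System.  Elements are un-namespaced, and
   the PORTLIST syntax (comma-separated ports and dash ranges such as
   "22,80-82"), which is defined elsewhere in the draft, is assumed
   here.

```python
"""Pair source and target ports inside a Flow (Sections 3.16 and 3.20).

Added example, not part of the draft.  Un-namespaced elements.  Rules
applied from the text: a Service MUST contain at least one child class;
ip-protocol MUST be set when Port, Portlist, ProtoCode, ProtoType or
ProtoField is present; when a source System and a target System in one
Flow each carry a Service with a Portlist, the lists must be equally long
and pair up position by position; with more than one port the Flow may
hold only one source and one target System.  The PORTLIST syntax
("22,80-82") is assumed here, as it is defined elsewhere in the draft.
"""
import xml.etree.ElementTree as ET

# Constructed sample: 4 source ports paired with 4 target ports.
GOOD = """<Flow>
  <System category="source">
    <Node><Address category="ipv4-addr">192.0.2.10</Address></Node>
    <Service ip-protocol="6"><Portlist>50000-50002,50010</Portlist></Service>
  </System>
  <System category="target">
    <Node><Address category="ipv4-addr">198.51.100.20</Address></Node>
    <Service ip-protocol="6"><Portlist>22,80,443,8080</Portlist></Service>
  </System>
</Flow>"""

# Constructed sample violating the ip-protocol rule and the equal-length rule.
BAD = """<Flow>
  <System category="source">
    <Node><Address category="ipv4-addr">192.0.2.10</Address></Node>
    <Service><Portlist>1,2</Portlist></Service>
  </System>
  <System category="target">
    <Node><Address category="ipv4-addr">198.51.100.20</Address></Node>
    <Service ip-protocol="6"><Portlist>22</Portlist></Service>
  </System>
</Flow>"""


def parse_portlist(text):
    """Expand "22,80-82" into [22, 80, 81, 82], preserving order."""
    ports = []
    for item in text.replace(" ", "").split(","):
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad port range {item}")
            ports.extend(range(lo, hi + 1))
        elif item:
            ports.append(int(item))
    if any(not 0 <= p <= 65535 for p in ports):
        raise ValueError("port out of range")
    return ports


def check_service(svc):
    """Violations of the Service-level rules for one Service element."""
    errors = []
    if len(list(svc)) == 0:
        errors.append("Service must contain at least one child class")
    needs_proto = ("Port", "Portlist", "ProtoCode", "ProtoType", "ProtoField")
    if any(svc.find(n) is not None for n in needs_proto) and svc.get("ip-protocol") is None:
        errors.append("Service carries port/protocol fields but no ip-protocol")
    return errors


def _portlists(systems):
    """All Portlists found under the given System elements, expanded."""
    return [parse_portlist(pl.text)
            for s in systems for pl in s.findall("Service/Portlist")]


def analyze_flow(xml_text):
    """Return (errors, pairs); pairs is the list of (src_port, dst_port)."""
    flow = ET.fromstring(xml_text)
    errors = [e for svc in flow.iter("Service") for e in check_service(svc)]
    sources = flow.findall("System[@category='source']")
    targets = flow.findall("System[@category='target']")
    src_lists, dst_lists = _portlists(sources), _portlists(targets)
    if not src_lists or not dst_lists:
        return errors, []            # no implicit relationship to check
    if len(src_lists) > 1 or len(dst_lists) > 1:
        if any(len(l) > 1 for l in src_lists + dst_lists):
            errors.append("N > 1 ports require exactly one source and one target System")
        return errors, []
    src, dst = src_lists[0], dst_lists[0]
    if len(src) != len(dst):
        errors.append(f"source lists {len(src)} ports but target lists {len(dst)}")
        return errors, []
    return errors, list(zip(src, dst))   # n-th source port <-> n-th target port


if __name__ == "__main__":
    print(analyze_flow(GOOD))
    print(analyze_flow(BAD))
```

   For the first fragment the result is four (source, target) pairs and
   no errors; for the second, no pairs and two errors.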
   +--------------------+
   | ServiceName        |
   +--------------------+
   |                    |<>--{0..1}--[ IANAService ]
   |                    |<>--{0..*}--[ URL ]
   |                    |<>--{0..*}--[ Description ]
   +--------------------+

                    Figure 42: The ServiceName Class

   The aggregate classes of the ServiceName class are:

   IANAService
      Zero or one.  STRING.  The name of the service per the "Service
      Name" field of the [IANA.Ports] registry.

   URL
      Zero or more.  URL.  A URL to a resource describing the service.

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      service.

   At least one of these classes MUST be present.

   The ServiceName class has no attributes.

3.20.2.  ApplicationHeader Class

   The ApplicationHeader class describes arbitrary fields from a
   protocol header and their corresponding values.

   +--------------------------+
   | ApplicationHeader        |
   +--------------------------+
   |                          |<>--{1..*}--[ ApplicationHeaderField ]
   +--------------------------+

                 Figure 43: The ApplicationHeader Class

   The aggregate class of the ApplicationHeader class is:

   ApplicationHeaderField
      One or more.  EXTENSION.  A field name and value in a protocol
      header.  The 'name' attribute MUST be set to the field name.  The
      field value MUST be set in the element content.

   The ApplicationHeader class has no attributes.

3.21.  EmailData Class

   The EmailData class describes headers from an email message and the
   cryptographic hashes and signatures applied to it.
   +-------------------------+
   | EmailData               |
   +-------------------------+
   | ID observable-id        |<>--{0..*}--[ EmailTo ]
   |                         |<>--{0..1}--[ EmailFrom ]
   |                         |<>--{0..1}--[ EmailSubject ]
   |                         |<>--{0..1}--[ EmailX-Mailer ]
   |                         |<>--{0..*}--[ EmailHeaderField ]
   |                         |<>--{0..1}--[ EmailHeaders ]
   |                         |<>--{0..1}--[ EmailBody ]
   |                         |<>--{0..1}--[ EmailMessage ]
   |                         |<>--{0..*}--[ HashData ]
   |                         |<>--{0..*}--[ SignatureData ]
   +-------------------------+

                       Figure 44: EmailData Class

   The aggregate classes of the EmailData class are:

   EmailTo
      Zero or more. EMAIL. The value of the "To:" header field
      (Section 3.6.3 of [RFC5322]) in an email.

   EmailFrom
      Zero or one. EMAIL. The value of the "From:" header field
      (Section 3.6.2 of [RFC5322]) in an email.

   EmailSubject
      Zero or one. STRING. The value of the "Subject:" header field in
      an email. See Section 3.6.4 of [RFC5322].

   EmailX-Mailer
      Zero or one. STRING. The value of the "X-Mailer:" header field
      in an email.

   EmailHeaderField
      Zero or more. EXTENSION. The header name and value of an
      arbitrary header field of the email message. The 'name' attribute
      MUST be set to the header name. The header value MUST be set in
      the element body. The dtype attribute MUST be set to "string".

   EmailHeaders
      Zero or one. STRING. The headers of an email message.

   EmailBody
      Zero or one. STRING. The body of an email message.

   EmailMessage
      Zero or one. STRING. The headers and body of an email message.

   HashData
      Zero or more. Hash(es) associated with this email message. See
      Section 3.26.

   SignatureData
      Zero or more. Signature(s) associated with this email message.
      See Section 3.27.

   The attribute of the EmailData class is:

   observable-id
      Optional. ID. See Section 3.3.2.

3.22.  Record Class

   The Record class is a container class for log and audit data that
   provides supportive information about the events in an incident. The
   source of this data will often be the output of monitoring tools.
   These logs substantiate the activity described in the document.

   +------------------------+
   | Record                 |
   +------------------------+
   | ENUM restriction       |<>--{1..*}--[ RecordData ]
   | STRING ext-restriction |
   +------------------------+

                        Figure 45: Record Class

   The aggregate class of the Record class is:

   RecordData
      One or more. Log or audit data generated by a particular tool.
      Separate instances of the RecordData class SHOULD be used for each
      type of log. See Section 3.22.1.

   The attributes of the Record class are:

   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.

3.22.1.  RecordData Class

   The RecordData class describes or references log or audit data from a
   given type of tool and provides a means to annotate the output.

   +------------------------+
   | RecordData             |
   +------------------------+
   | ENUM restriction       |<>--{0..1}--[ DateTime ]
   | STRING ext-restriction |<>--{0..*}--[ Description ]
   | ID observable-id       |<>--{0..1}--[ Application ]
   |                        |<>--{0..*}--[ RecordPattern ]
   |                        |<>--{0..*}--[ RecordItem ]
   |                        |<>--{0..*}--[ URL ]
   |                        |<>--{0..*}--[ FileData ]
   |                        |<>--{0..*}--
   |                        |   [ WindowsRegistryKeysModified ]
   |                        |<>--{0..*}--[ CertificateData ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                    Figure 46: The RecordData Class

   The aggregate classes of the RecordData class are:

   DateTime
      Zero or one. DATETIME. A timestamp of the data found in the
      RecordItem or URL classes.

   Description
      Zero or more. ML_STRING. A free-form text description of the
      data provided in the RecordItem or URL classes.

   Application
      Zero or one. SOFTWARE. Identifies the tool used to generate the
      data in the RecordItem or URL classes.

   RecordPattern
      Zero or more. A search string to precisely find the relevant data
      in the RecordItem or URL classes. See Section 3.22.2.

   RecordItem
      Zero or more. EXTENSION. Log, audit, or forensic data to support
      the conclusions made during the course of analyzing the incident.

   URL
      Zero or more. URL. A URL reference to log or audit data.

   FileData
      Zero or one. The files involved in the incident. See
      Section 3.25.

   WindowsRegistryKeysModified
      Zero or more. The registry keys that were involved in the
      incident. See Section 3.23.

   CertificateData
      Zero or more. The certificates that were involved in the
      incident. See Section 3.24.

   AdditionalData
      Zero or more. EXTENSION. An extension mechanism for data not
      explicitly represented in the data model.

   At least one of the following classes MUST be present: RecordItem,
   URL, FileData, WindowsRegistryKeysModified, CertificateData, or
   AdditionalData.

   The attributes of the RecordData class are:

   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.

   observable-id
      Optional. ID. See Section 3.3.2.

3.22.2.  RecordPattern Class

   The RecordPattern class describes where in the log data provided or
   referenced in the RecordData class relevant information can be found.
   It provides a way to reference subsets of information, identified by
   a pattern, in a large log file, audit trail, or forensic data.
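   The following is an added example, not code from this draft, showing
   how a consumer applies a RecordPattern of type "regex" to the log text
   carried in a RecordItem while honouring the offset, offsetunit, and
   instance attributes defined for this class. The log lines, the
   function names, and the unnamespaced RecordPattern element are
   constructed for the example; Python's re module stands in for POSIX
   ERE, so only syntax common to both should be used in patterns fed to
   it.

```python
"""Added example: applying an IODEF RecordPattern (type="regex") to the
text of a RecordItem, honouring offset, offsetunit and instance.

Assumptions (not from the draft): the sample log, the function names,
the unnamespaced <RecordPattern> element, and Python's re in place of
POSIX ERE.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample RecordItem content (documentation addresses only).
SAMPLE_LOG = (
    "2016-05-10T08:00:01Z sshd[812]: Accepted publickey for ops from 192.0.2.10\n"
    "2016-05-10T08:00:07Z sshd[815]: Failed password for root from 198.51.100.7\n"
    "2016-05-10T08:00:09Z sshd[815]: Failed password for root from 198.51.100.7\n"
    "2016-05-10T08:00:12Z sshd[815]: Failed password for root from 198.51.100.7\n"
    "2016-05-10T08:01:44Z sshd[820]: Failed password for admin from 203.0.113.5\n"
)


def apply_record_pattern(record_item, pattern, *, pattern_type="regex",
                         offset=0, offsetunit="line", instance=None):
    """Return [(start, end, text), ...] for each match of the pattern.

    start/end are byte offsets into the RecordItem.  `offset` units of
    `offsetunit` ("line" or "byte") are skipped before matching begins;
    `instance` caps the number of times the pattern is applied
    (None = unlimited), mirroring the attribute definitions.
    """
    if pattern_type != "regex":
        raise NotImplementedError(f"RecordPattern type {pattern_type!r} not handled here")
    if instance is not None and instance < 1:
        raise ValueError("instance must be a positive integer")
    data = record_item.encode("utf-8")
    if offsetunit == "line":
        # Seek past `offset` line terminators (LF, which also covers CRLF).
        start = 0
        for _ in range(offset):
            nl = data.find(b"\n", start)
            if nl == -1:
                return []            # offset lies beyond the end of the data
            start = nl + 1
    elif offsetunit == "byte":
        start = offset
    else:
        raise ValueError(f"unknown offsetunit {offsetunit!r} (ext-offsetunit not handled)")
    regex = re.compile(pattern.encode("utf-8"))
    matches = []
    for m in regex.finditer(data, start):
        matches.append((m.start(), m.end(), m.group(0).decode("utf-8", "replace")))
        if instance is not None and len(matches) >= instance:
            break
    return matches


def apply_from_xml(record_pattern_xml, record_item):
    """Read the attributes off a <RecordPattern> element and apply it.

    Defaults follow the draft: type "regex", offset 0, offsetunit "line".
    """
    elem = ET.fromstring(record_pattern_xml)
    inst = elem.get("instance")
    return apply_record_pattern(
        record_item,
        (elem.text or ""),
        pattern_type=elem.get("type", "regex"),
        offset=int(elem.get("offset", "0")),
        offsetunit=elem.get("offsetunit", "line"),
        instance=int(inst) if inst is not None else None,
    )


if __name__ == "__main__":
    xml = ('<RecordPattern type="regex" offset="1" offsetunit="line" instance="2">'
           r"Failed password for \w+ from [\d.]+" "</RecordPattern>")
    for start, end, text in apply_from_xml(xml, SAMPLE_LOG):
        print(f"bytes {start}-{end}: {text}")
```

   Returning byte offsets rather than the matched text alone lets the
   receiving analyst locate the evidence in the original RecordItem; a
   pattern that matches nothing after the offset yields an empty list
   rather than an error, which is what a consumer should treat as "the
   referenced evidence is absent".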
   +-----------------------+
   | RecordPattern         |
   +-----------------------+
   | STRING                |
   |                       |
   | ENUM type             |
   | STRING ext-type       |
   | INTEGER offset        |
   | ENUM offsetunit       |
   | STRING ext-offsetunit |
   | INTEGER instance      |
   +-----------------------+

                  Figure 47: The RecordPattern Class

   The content of the class is of type STRING and specifies a search
   pattern.

   The attributes of the RecordPattern class are:

   type
      Required. ENUM. Describes the type of pattern being specified in
      the element content. The default is "regex". These values are
      maintained in the "RecordPattern-type" IANA registry per
      Section 10.2.

      1. regex. Regular expression as defined by POSIX Extended
         Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX].

      2. binary. Binhex-encoded binary pattern, per the HEXBIN data
         type.

      3. xpath. XML Path (XPath) [W3C.XPATH].

      4. ext-value. A value used to indicate that this attribute is
         extended and the actual value is provided using the
         corresponding ext-* attribute. See Section 5.1.1.

   ext-type
      Optional. STRING. A means by which to extend the type attribute.
      See Section 5.1.1.

   offset
      Optional. INTEGER. Number of units (determined by the offsetunit
      attribute) to seek into the RecordItem data before matching the
      pattern.

   offsetunit
      Optional. ENUM. Describes the units of the offset attribute.
      The default is "line". These values are maintained in the
      "RecordPattern-offsetunit" IANA registry per Section 10.2.

      1. line. Offset is a count of lines.

      2. byte. Offset is a count of bytes.

      3. ext-value. A value used to indicate that this attribute is
         extended and the actual value is provided using the
         corresponding ext-* attribute. See Section 5.1.1.

   ext-offsetunit
      Optional. STRING. A means by which to extend the offsetunit
      attribute. See Section 5.1.1.

   instance
      Optional. INTEGER. Number of times to apply the specified
      pattern.

3.23.  WindowsRegistryKeysModified Class

   The WindowsRegistryKeysModified class describes Windows operating
   system registry keys and the operations that were performed on them.
   This class was derived from [RFC5901].

   +-----------------------------+
   | WindowsRegistryKeysModified |
   +-----------------------------+
   | ID observable-id            |<>--{1..*}--[ Key ]
   +-----------------------------+

           Figure 48: The WindowsRegistryKeysModified Class

   The aggregate class of the WindowsRegistryKeysModified class is:

   Key
      One or more. The Windows registry key. See Section 3.23.1.

   The attribute of the WindowsRegistryKeysModified class is:

   observable-id
      Optional. ID. See Section 3.3.2.

3.23.1.  Key Class

   The Key class describes a Windows operating system registry key name
   and value pair, and the operation performed on it.

   +---------------------------+
   | Key                       |
   +---------------------------+
   | ENUM registryaction       |<>----------[ KeyName ]
   | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
   | ID observable-id          |
   +---------------------------+

                       Figure 49: The Key Class

   The aggregate classes of the Key class are:

   KeyName
      One. STRING. The name of a Windows operating system registry key
      (e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName]).

   KeyValue
      Zero or one. STRING. The value of the registry key identified in
      the KeyName class, encoded per the .reg file format [KB310516].

   The attributes of the Key class are:

   registryaction
      Optional. ENUM. The type of action taken on the registry key.
      These values are maintained in the "Key-registryaction" IANA
      registry per Section 10.2.

      1. add-key. Registry key added.

      2. add-value. Value added to a registry key.

      3. delete-key. Registry key deleted.

      4. delete-value. Value deleted from a registry key.

      5. modify-key. Registry key modified.

      6. modify-value. Value modified in a registry key.

      7. ext-value. A value used to indicate that this attribute is
         extended and the actual value is provided using the
         corresponding ext-* attribute. See Section 5.1.1.

   ext-registryaction
      Optional. STRING. A means by which to extend the registryaction
      attribute. See Section 5.1.1.

   observable-id
      Optional. ID. See Section 3.3.2.

3.24.  CertificateData Class

   The CertificateData class describes X.509 certificates.

   +------------------------+
   | CertificateData        |
   +------------------------+
   | ENUM restriction       |<>--{1..*}--[ Certificate ]
   | STRING ext-restriction |
   | ID observable-id       |
   +------------------------+

                 Figure 50: The CertificateData Class

   The aggregate class of the CertificateData class is:

   Certificate
      One or more. A description of an X.509 certificate or certificate
      chain. See Section 3.24.1.

   The attributes of the CertificateData class are:

   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.

   observable-id
      Optional. ID. See Section 3.3.2.

3.24.1.  Certificate Class

   The Certificate class describes a given X.509 certificate or
   certificate chain.

   +--------------------------+
   | Certificate              |
   +--------------------------+
   | ID observable-id         |<>----------[ ds:X509Data ]
   |                          |<>--{0..*}--[ Description ]
   +--------------------------+

                   Figure 51: The Certificate Class

   The aggregate classes of the Certificate class are:

   ds:X509Data
      One. A given X.509 certificate or chain. See Section 4.4.4 of
      [W3C.XMLSIG].

   Description
      Zero or more. ML_STRING. A free-form text description explaining
      the context of this certificate.

   The attribute of the Certificate class is:

   observable-id
      Optional. ID. See Section 3.3.2.

3.25.  FileData Class

   The FileData class describes a file or set of files.

   +------------------------+
   | FileData               |
   +------------------------+
   | ENUM restriction       |<>--{1..*}--[ File ]
   | STRING ext-restriction |
   | ID observable-id       |
   +------------------------+

                    Figure 52: The FileData Class

   The aggregate class of the FileData class is:

   File
      One or more. A description of a file. See Section 3.25.1.

   The attributes of the FileData class are:

   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.

   observable-id
      Optional. ID. See Section 3.3.2.

3.25.1.  File Class

   The File class describes a file; its associated metadata; and the
   cryptographic hashes and signatures applied to it.

   +-----------------------+
   | File                  |
   +-----------------------+
   | ID observable-id      |<>--{0..1}--[ FileName ]
   |                       |<>--{0..1}--[ FileSize ]
   |                       |<>--{0..1}--[ FileType ]
   |                       |<>--{0..*}--[ URL ]
   |                       |<>--{0..1}--[ HashData ]
   |                       |<>--{0..1}--[ SignatureData ]
   |                       |<>--{0..1}--[ AssociatedSoftware ]
   |                       |<>--{0..*}--[ FileProperties ]
   +-----------------------+

                      Figure 53: The File Class

   The aggregate classes of the File class are:

   FileName
      Zero or one. STRING. The name of the file.

   FileSize
      Zero or one. INTEGER. The size of the file in bytes.

   FileType
      Zero or one. STRING. The type of file per the IANA Media Types
      Registry [IANA.Media]. Valid values correspond to the text in the
      "Template" column (e.g., "application/pdf").

   URL
      Zero or more. URL. A URL reference to the file.

   HashData
      Zero or one. Hash(es) associated with this file. See
      Section 3.26.

   SignatureData
      Zero or one. Signature(s) associated with this file. See
      Section 3.27.

   AssociatedSoftware
      Zero or one. SOFTWARE. The software application or operating
      system to which this file belongs or by which it can be processed.

   FileProperties
      Zero or more. EXTENSION. Mechanism by which to extend the data
      model to describe properties of the file.

   The attribute of the File class is:

   observable-id
      Optional. ID. See Section 3.3.2.

3.26.  HashData Class

   The HashData class describes different types of hashes on a given
   object (e.g., file, part of a file, email).

   +--------------------------+
   | HashData                 |
   +--------------------------+
   | ENUM scope               |<>--{0..1}--[ HashTargetID ]
   |                          |<>--{0..*}--[ Hash ]
   |                          |<>--{0..*}--[ FuzzyHash ]
   +--------------------------+

                    Figure 54: The HashData Class

   The aggregate classes of the HashData class are:

   HashTargetID
      Zero or one. STRING. An identifier that references a subset of
      the object being hashed. The semantics of this identifier are
      specified by the scope attribute.

   Hash
      Zero or more. The hash of an object. See Section 3.26.1.

   FuzzyHash
      Zero or more. The fuzzy hash of an object. See Section 3.26.2.

   At least one instance of either Hash or FuzzyHash MUST be present.

   The attributes of the HashData class are:

   scope
      Required. ENUM. Describes on which part of the object the hash
      should be applied. These values are maintained in the "HashData-
      scope" IANA registry per Section 10.2.

      1. file-contents. A hash computed over the entire contents of a
         file.

      2. file-pe-section. A hash computed on a given section of a
         Windows Portable Executable (PE) file. If set to this value,
         the HashTargetID class MUST identify the section being hashed.
         A section is identified by an ordinal number (starting at 1)
         corresponding to the order in which the given section header
         was defined in the Section Table of the PE file header.

      3. file-pe-iat. A hash computed on the Import Address Table (IAT)
         of a PE file. As IAT hashes are often tool dependent, if this
         value is set, the Application class of either the Hash or
         FuzzyHash classes MUST specify the tool used to generate the
         hash.

      4. file-pe-resource. A hash computed on a given resource in a PE
         file. If set to this value, the HashTargetID class MUST
         identify the resource being hashed. A resource is identified
         by an ordinal number (starting at 1) corresponding to the
         order in which the given resource is declared in the Resource
         Directory of the Data Dictionary in the PE file header.

      5. file-pdf-object. A hash computed on a given object in a
         Portable Document Format (PDF) file. If set to this value,
         the HashTargetID class MUST identify the object being hashed.
         This object is identified by its offset in the PDF file.

      6. email-hash. A hash computed over the headers and body of an
         email message.

      7. email-headers-hash. A hash computed over all of the headers
         of an email message.

      8. email-body-hash. A hash computed over the body of an email
         message.

      9. ext-value. A value used to indicate that this attribute is
         extended and the actual value is provided using the
         corresponding ext-* attribute. See Section 5.1.1.

   ext-scope
      Optional. STRING. A means by which to extend the scope
      attribute. See Section 5.1.1.

3.26.1.  Hash Class

   The Hash class describes a cryptographic hash value; the algorithm
   and application used to generate it; and the canonicalization method
   applied to the object being hashed.
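   The following is an added example, not code from this draft, that
   computes the three email-related scope values of the HashData class
   (email-hash, email-headers-hash, email-body-hash) over a constructed
   message and serializes the result as EmailData, HashData, and Hash
   elements with ds:DigestMethod and ds:DigestValue children. SHA-256 and
   its XML Signature algorithm URI, the IODEF v2 and XML Signature
   namespace URIs, the treatment of the blank line separating headers
   from body, and the function names are assumptions of this example, not
   statements of the draft.

```python
"""Added example: IODEF HashData for an email under the email-hash,
email-headers-hash and email-body-hash scope values, emitted as
EmailData/HashData/Hash elements.

Assumptions (not from the draft): SHA-256 and its XML Signature
algorithm URI, the IODEF v2 and XML Signature namespace URIs, the
constructed sample message, and the handling of the header/body
separator described in split_message().
"""
import base64
import hashlib
from email import message_from_bytes
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"        # assumed IODEF v2 namespace
DS_NS = "http://www.w3.org/2000/09/xmldsig#"         # XML Signature namespace
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
ET.register_namespace("iodef", IODEF_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample message; not a real email.
SAMPLE_MESSAGE = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: Invoice attached\r\n"
    b"X-Mailer: ExampleMailer/1.0\r\n"
    b"\r\n"
    b"Please open the attachment.\r\n"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def split_message(raw: bytes):
    """Split an RFC 5322 message into (headers, body) byte strings.

    The first empty line separates the headers from the body.  The draft
    does not say whether that separator belongs to either part; this
    example excludes it from both.  Any peer recomputing these hashes
    must make the same choice, so it is worth recording alongside the
    hash (e.g., in a Description).
    """
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = raw.find(sep)
        if idx != -1:
            return raw[:idx], raw[idx + len(sep):]
    return raw, b""                      # headers only, no body


def email_hashes(raw: bytes) -> dict:
    """Return hex SHA-256 digests keyed by the HashData@scope value."""
    headers, body = split_message(raw)
    return {
        "email-hash": sha256_hex(raw),               # headers and body
        "email-headers-hash": sha256_hex(headers),   # all headers
        "email-body-hash": sha256_hex(body),         # body only
    }


def hashdata_element(scope: str, hexdigest: str) -> ET.Element:
    """Build HashData/Hash with ds:DigestMethod and ds:DigestValue."""
    hd = ET.Element(f"{{{IODEF_NS}}}HashData", {"scope": scope})
    h = ET.SubElement(hd, f"{{{IODEF_NS}}}Hash")
    ET.SubElement(h, f"{{{DS_NS}}}DigestMethod", {"Algorithm": SHA256_URI})
    # ds:DigestValue carries the digest base64-encoded, as in XML Signature.
    ET.SubElement(h, f"{{{DS_NS}}}DigestValue").text = base64.b64encode(
        bytes.fromhex(hexdigest)).decode("ascii")
    return hd


def emaildata_xml(raw: bytes) -> str:
    """Serialize an EmailData element with header fields and three HashData children."""
    msg = message_from_bytes(raw)
    ed = ET.Element(f"{{{IODEF_NS}}}EmailData")
    for tag, header in (("EmailTo", "To"), ("EmailFrom", "From"),
                        ("EmailSubject", "Subject"), ("EmailX-Mailer", "X-Mailer")):
        if msg[header] is not None:
            ET.SubElement(ed, f"{{{IODEF_NS}}}{tag}").text = msg[header]
    for scope, digest in email_hashes(raw).items():
        ed.append(hashdata_element(scope, digest))
    return ET.tostring(ed, encoding="unicode")


if __name__ == "__main__":
    print(emaildata_xml(SAMPLE_MESSAGE))
```

   The three scopes give a recipient different matching power: the
   body hash survives re-sending through a different relay (which
   rewrites headers), whereas the whole-message hash pins one exact
   copy; publishing all three lets the consumer choose.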
   +----------------+
   | Hash           |
   +----------------+
   |                |<>----------[ ds:DigestMethod ]
   |                |<>----------[ ds:DigestValue ]
   |                |<>--{0..1}--[ ds:CanonicalizationMethod ]
   |                |<>--{0..1}--[ Application ]
   +----------------+

                      Figure 55: The Hash Class

   The aggregate classes of the Hash class are:

   ds:DigestMethod
      One. The hash algorithm used to generate the hash. See
      Section 4.3.3.5 of [W3C.XMLSIG].

   ds:DigestValue
      One. The computed hash value. See Section 4.3.3.6 of
      [W3C.XMLSIG].

   ds:CanonicalizationMethod
      Zero or one. The canonicalization method used on the object being
      hashed. See Section 4.3.1 of [W3C.XMLSIG].

   Application
      Zero or one. SOFTWARE. The application used to calculate the
      hash.

   The Hash class has no attributes.

3.26.2.  FuzzyHash Class

   The FuzzyHash class describes a fuzzy hash and the application used
   to generate it.

   +--------------------------+
   | FuzzyHash                |
   +--------------------------+
   |                          |<>--{1..*}--[ FuzzyHashValue ]
   |                          |<>--{0..1}--[ Application ]
   |                          |<>--{0..*}--[ AdditionalData ]
   +--------------------------+

                    Figure 56: The FuzzyHash Class

   The aggregate classes of the FuzzyHash class are:

   FuzzyHashValue
      One or more. EXTENSION. The computed fuzzy hash value.

   Application
      Zero or one. SOFTWARE. The application used to calculate the
      hash.

   AdditionalData
      Zero or more. EXTENSION. Mechanism by which to extend the data
      model.

   The FuzzyHash class has no attributes.

3.27.  SignatureData Class

   The SignatureData class describes different types of digital
   signatures on an object.

   +--------------------------+
   | SignatureData            |
   +--------------------------+
   |                          |<>--{1..*}--[ ds:Signature ]
   +--------------------------+

                  Figure 57: The SignatureData Class

   The aggregate class of the SignatureData class is:

   ds:Signature
      One or more. A given signature. See Section 4.2 of [W3C.XMLSIG].

   The SignatureData class has no attributes.

3.28.  IndicatorData Class

   The IndicatorData class describes cyber indicators and the metadata
   associated with them.

   +--------------------------+
   | IndicatorData            |
   +--------------------------+
   |                          |<>--{1..*}--[ Indicator ]
   +--------------------------+

                  Figure 58: The IndicatorData Class

   The aggregate class of the IndicatorData class is:

   Indicator
      One or more. A description of an indicator. See Section 3.29.

   The IndicatorData class has no attributes.

3.29.  Indicator Class

   The Indicator class describes a cyber indicator. An indicator
   consists of observable features and phenomena that aid in the
   forensic or proactive detection of malicious activity, and associated
   metadata. An indicator can be described outright; by referencing or
   composing previously defined indicators; or by referencing
   observables described in the incident report found in this document.

   +------------------------+
   | Indicator              |
   +------------------------+
   | ENUM restriction       |<>----------[ IndicatorID ]
   | STRING ext-restriction |<>--{0..*}--[ AlternativeIndicatorID ]
   |                        |<>--{0..*}--[ Description ]
   |                        |<>--{0..1}--[ StartTime ]
   |                        |<>--{0..1}--[ EndTime ]
   |                        |<>--{0..1}--[ Confidence ]
   |                        |<>--{0..*}--[ Contact ]
   |                        |<>--{0..1}--[ Observable ]
   |                        |<>--{0..1}--[ ObservableReference ]
   |                        |<>--{0..1}--[ IndicatorExpression ]
   |                        |<>--{0..1}--[ IndicatorReference ]
   |                        |<>--{0..*}--[ NodeRole ]
   |                        |<>--{0..*}--[ AttackPhase ]
   |                        |<>--{0..*}--[ Reference ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                    Figure 59: The Indicator Class

   The aggregate classes of the Indicator class are:

   IndicatorID
      One. An identifier for this indicator. See Section 3.29.1.

   AlternativeIndicatorID
      Zero or more. An alternative identifier for this indicator. See
      Section 3.29.2.

   Description
      Zero or more. ML_STRING. A free-form text description of the
      indicator.

   StartTime
      Zero or one. DATETIME. A timestamp of the start of the time
      period during which this indicator is valid.

   EndTime
      Zero or one. DATETIME. A timestamp of the end of the time period
      during which this indicator is valid.

   Confidence
      Zero or one. An estimate of the confidence in the quality of the
      indicator. See Section 3.12.5.

   Contact
      Zero or more. Contact information for this indicator. See
      Section 3.9.

   Observable
      Zero or one. An observable feature or phenomenon of this
      indicator. See Section 3.29.3.

   ObservableReference
      Zero or one. A reference to an observable feature or phenomenon
      defined elsewhere in the document. See Section 3.29.6.

   IndicatorExpression
      Zero or one. A composition of observables. See Section 3.29.4.

   IndicatorReference
      Zero or one. A reference to an indicator. See Section 3.29.7.

   NodeRole
      Zero or more. The role of the system in the attack should this
      indicator be matched to it. See Section 3.18.2.

   AttackPhase
      Zero or more. The phase in an attack lifecycle during which this
      indicator might be seen. See Section 3.29.8.

   Reference
      Zero or more. A reference to additional information relevant to
      this indicator. See Section 3.11.1.

   AdditionalData
      Zero or more. EXTENSION. Mechanism by which to extend the data
      model.

   The Indicator class MUST have exactly one instance of an Observable,
   IndicatorExpression, ObservableReference, or IndicatorReference
   class.

   The StartTime and EndTime classes can be used to define an interval
   during which the indicator is valid. If both classes are present,
   the indicator is considered valid only during the described interval.
   If neither class is provided, the indicator is considered valid
   during any time interval. If only a StartTime is provided, the
   indicator is valid any time after this timestamp. If only an EndTime
   is provided, the indicator is valid any time prior to this timestamp.

   The attributes of the Indicator class are:

   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.

3.29.1.  IndicatorID Class

   The IndicatorID class identifies an indicator with a globally unique
   identifier. The combination of the name and version attributes and
   the element content form this identifier. Indicators generated by a
   given CSIRT MUST NOT reuse the same value unless they are referencing
   the same indicator.

   +------------------+
   | IndicatorID      |
   +------------------+
   | ID               |
   |                  |
   | STRING name      |
   | STRING version   |
   +------------------+

                   Figure 60: The IndicatorID Class

   The content of the class is of type ID and specifies an identifier
   for an indicator.

   The attributes of the IndicatorID class are:

   name
      Required. STRING. An identifier describing the CSIRT that
      created the indicator. In order to have a globally unique CSIRT
      name, the fully qualified domain name associated with the CSIRT
      MUST be used. This format is identical to the IncidentID@name
      attribute in Section 3.4.

   version
      Required. STRING. A version number of an indicator.

3.29.2.  AlternativeIndicatorID Class

   The AlternativeIndicatorID class lists alternative identifiers for an
   indicator.

   +-------------------------+
   | AlternativeIndicatorID  |
   +-------------------------+
   | ENUM restriction        |<>--{1..*}--[ IndicatorReference ]
   | STRING ext-restriction  |
   +-------------------------+

              Figure 61: The AlternativeIndicatorID Class

   The aggregate class of the AlternativeIndicatorID class is:

   IndicatorReference
      One or more. A reference to an indicator. See Section 3.29.7.

   The attributes of the AlternativeIndicatorID class are:

   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.

3.29.3.  Observable Class

   The Observable class describes a feature or phenomenon that can be
   observed or measured for the purposes of detecting malicious
   behavior.

   +------------------------+
   | Observable             |
   +------------------------+
   | ENUM restriction       |<>--{0..1}--[ Address ]
   | STRING ext-restriction |<>--{0..1}--[ DomainData ]
   |                        |<>--{0..1}--[ Service ]
   |                        |<>--{0..1}--[ EmailData ]
   |                        |<>--{0..1}--[ WindowsRegistryKeysModified ]
   |                        |<>--{0..1}--[ FileData ]
   |                        |<>--{0..1}--[ CertificateData ]
   |                        |<>--{0..1}--[ RegistryHandle ]
   |                        |<>--{0..1}--[ RecordData ]
   |                        |<>--{0..1}--[ EventData ]
   |                        |<>--{0..1}--[ Incident ]
   |                        |<>--{0..1}--[ Expectation ]
   |                        |<>--{0..1}--[ Reference ]
   |                        |<>--{0..1}--[ Assessment ]
   |                        |<>--{0..1}--[ HistoryItem ]
   |                        |<>--{0..1}--[ BulkObservable ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                    Figure 62: The Observable Class

   The aggregate classes of the Observable class are:

   Address
      Zero or one. An Address observable. See Section 3.18.1.

   DomainData
      Zero or one. A DomainData observable. See Section 3.19.

   Service
      Zero or one. A Service observable. See Section 3.20.

   EmailData
      Zero or one. An EmailData observable. See Section 3.21.

   WindowsRegistryKeysModified
      Zero or one. A WindowsRegistryKeysModified observable. See
      Section 3.23.

   FileData
      Zero or one. A FileData observable. See Section 3.25.

   CertificateData
      Zero or one. A CertificateData observable. See Section 3.24.

   RegistryHandle
      Zero or one. A RegistryHandle observable. See Section 3.9.1.

   RecordData
      Zero or one. A RecordData observable. See Section 3.22.1.

   EventData
      Zero or one. An EventData observable. See Section 3.14.

   Incident
      Zero or one. An Incident observable. See Section 3.2.

   Expectation
      Zero or one. An Expectation observable. See Section 3.15.

   Reference
      Zero or one. A Reference observable. See Section 3.11.1.

   Assessment
      Zero or one. An Assessment observable. See Section 3.12.

   HistoryItem
      Zero or one. A HistoryItem observable. See Section 3.13.1.

   BulkObservable
      Zero or one. A bulk list of observables. See Section 3.29.3.1.

   AdditionalData
      Zero or more. EXTENSION. Mechanism by which to extend the data
      model.

   The Observable class MUST have exactly one of the possible child
   classes.

   The attributes of the Observable class are:

   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.

3.29.3.1.  BulkObservable Class

   The BulkObservable class allows the enumeration of a single type of
   observable without requiring each one to be encoded individually in
   multiple instances of the same class.

   The type attribute describes the type of observable listed in the
   child BulkObservableList class. The BulkObservableFormat class
   optionally provides additional metadata.

   +---------------------------+
   | BulkObservable            |
   +---------------------------+
   | ENUM type                 |<>--{0..1}--[ BulkObservableFormat ]
   | STRING ext-type           |<>----------[ BulkObservableList ]
   |                           |<>--{0..*}--[ AdditionalData ]
   +---------------------------+

                  Figure 63: The BulkObservable Class

   The aggregate classes of the BulkObservable class are:

   BulkObservableFormat
      Zero or one. Provides additional metadata about the observables
      enumerated in the BulkObservableList class. See
      Section 3.29.3.1.1.

   BulkObservableList
      One. STRING. A list of observables, one per line. Each line is
      separated with either a LF character or CR-and-LF characters. The
      type attribute specifies which observables will be listed.

   AdditionalData
      Zero or more. EXTENSION. Mechanism by which to extend the data
      model.

   The attributes of the BulkObservable class are:

   type
      Optional. ENUM. The type of the observable listed in the child
      BulkObservableList class. These values are maintained in the
      "BulkObservable-type" IANA registry per Section 10.2.

      1.  asn. Autonomous System Number (per the Address@category
          attribute).

      2.  atm. Asynchronous Transfer Mode (ATM) address (per the
          Address@category attribute).

      3.  e-mail. Electronic mail address (RFC 822) (per the
          Address@category attribute).

      4.  ipv4-addr. IPv4 host address in dotted-decimal notation
          (e.g., 192.0.2.1) (per the Address@category attribute).

      5.  ipv4-net. IPv4 network address in dotted-decimal notation,
          slash, significant bits (e.g., 192.0.2.0/24) (per the
          Address@category attribute).

      6.  ipv4-net-mask. IPv4 network address in dotted-decimal
          notation, slash, network mask in dotted-decimal notation
          (i.e., 192.0.2.0/255.255.255.0) (per the Address@category
          attribute).

      7.  ipv6-addr. IPv6 host address (e.g., 2001:DB8::3) (per the
          Address@category attribute).

      8.  ipv6-net. IPv6 network address, slash, significant bits
          (e.g., 2001:DB8::/32) (per the Address@category attribute).

      9.  ipv6-net-mask. IPv6 network address, slash, network mask
          (per the Address@category attribute).

      10. mac. Media Access Control (MAC) address (i.e., a:b:c:d:e:f)
          (per the Address@category attribute).

      11. site-uri. A URL or URI for a resource (per the
          Address@category attribute).

      12. domain-name. A fully qualified domain name or part of a
          name (e.g., fqdn.example.com, example.com).

      13. domain-to-ipv4. A fqdn-to-IPv4 address mapping specified as
          a comma-separated list (e.g., "fqdn.example.com, 192.0.2.1").

      14. domain-to-ipv6. A fqdn-to-IPv6 address mapping specified as
          a comma-separated list (e.g., "fqdn.example.com,
          2001:DB8::3").

      15. domain-to-ipv4-timestamp. Same as domain-to-ipv4 but with a
          timestamp (in the DATETIME format) of the resolution (e.g.,
          "fqdn.example.com, 192.0.2.1, 2015-06-11T00:38:31-06:00").

      16. domain-to-ipv6-timestamp. Same as domain-to-ipv6 but with a
          timestamp (in the DATETIME format) of the resolution (e.g.,
          "fqdn.example.com, 2001:DB8::3, 2015-06-11T00:38:31-06:00").

      17. ipv4-port. An IPv4 address, port and protocol tuple (e.g.,
          192.0.2.1, 80, tcp). The protocol name corresponds to the
          "Keyword" column in the [IANA.Protocols] registry.

      18. ipv6-port. An IPv6 address, port and protocol tuple (e.g.,
          2001:DB8::3, 80, tcp). The protocol name corresponds to the
          "Keyword" column in the [IANA.Protocols] registry.

      19. windows-reg-key. A Microsoft Windows Registry key.

      20. file-hash. A file hash. The format of this hash is
          described in the Hash class that MUST be present in a sibling
          BulkObservableFormat class.

      21. email-x-mailer. An X-Mailer field from an email.

      22. email-subject. An email subject line.

      23. http-user-agent. A User Agent field from an HTTP request
          header (e.g., "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0)
          Gecko/20100101 Firefox/38.0").

      24. http-request-uri. The Request URI from an HTTP request
          header.

      25. mutex. The name of a system mutex.

      26. file-path. A file path (e.g., "/tmp/local/file",
          "c:\windows\system32\file.sys").

      27. user-name. A username.

      28. ext-value. A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute. See Section 5.1.1.

   ext-type
      Optional. STRING. A means by which to extend the type attribute.
      See Section 5.1.1.

3.29.3.1.1.  BulkObservableFormat Class

   The BulkObservableFormat class specifies metadata about the format of
   an observable enumerated in a sibling BulkObservableList class.
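   The following is an added example, not code from this draft, that
   splits a BulkObservableList into lines (LF- or CRLF-separated, as the
   class requires) and validates every entry against the
   BulkObservable@type value before anything is loaded from it. The
   sample lists and the function names are constructed; only a subset
   of the type values is covered, but the same shape extends to the
   others. A malformed line is reported with its line number rather than
   silently dropped, so a feed that mixes formats is caught at ingest.

```python
"""Added example: parsing and validating an IODEF BulkObservableList
against the BulkObservable@type value.

Assumptions (not from the draft): the sample lists, the function names,
and the subset of type values implemented in PARSERS.
"""
import ipaddress
import re
from datetime import datetime

_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def split_bulk_list(text):
    """One observable per line; lines end with LF or CR-and-LF."""
    lines = text.replace("\r\n", "\n").split("\n")
    if lines and lines[-1] == "":
        lines.pop()                      # trailing terminator, not an entry
    return lines


def _fields(line, n):
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != n:
        raise ValueError(f"expected {n} comma-separated fields")
    return parts


def _domain(s):
    if not DOMAIN_RE.fullmatch(s):
        raise ValueError(f"not a domain name: {s!r}")
    return s.lower()


def _ipv4(s):
    return str(ipaddress.IPv4Address(s))     # raises ValueError when malformed


def _ipv6(s):
    return str(ipaddress.IPv6Address(s))


def _ipv4_net(s):
    # ipv4-net is "address/significant bits"; the dotted mask form
    # belongs to ipv4-net-mask and is rejected here.
    if not re.fullmatch(r"[0-9.]+/[0-9]{1,2}", s):
        raise ValueError(f"expected address/prefix-length: {s!r}")
    return str(ipaddress.IPv4Network(s, strict=False))


def _ipv4_net_mask(s):
    if not re.fullmatch(r"[0-9.]+/[0-9]+(?:\.[0-9]+){3}", s):
        raise ValueError(f"expected address/dotted-mask: {s!r}")
    return str(ipaddress.IPv4Network(s, strict=False))   # normalized to prefix form


def _timestamp(s):
    # DATETIME is ISO 8601; Python before 3.11 rejects a trailing "Z".
    return datetime.fromisoformat(s[:-1] + "+00:00" if s.endswith("Z") else s)


def _port(s):
    port = int(s)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def _proto(s):
    if not re.fullmatch(r"[A-Za-z0-9-]+", s):
        raise ValueError(f"not a protocol keyword: {s!r}")
    return s.lower()


def _domain_to_ipv4(s):
    d, a = _fields(s, 2)
    return (_domain(d), _ipv4(a))


def _domain_to_ipv4_ts(s):
    d, a, t = _fields(s, 3)
    return (_domain(d), _ipv4(a), _timestamp(t))


def _ipv4_port(s):
    a, p, proto = _fields(s, 3)
    return (_ipv4(a), _port(p), _proto(proto))


# BulkObservable@type value -> parser returning the normalized entry.
PARSERS = {
    "ipv4-addr": _ipv4,
    "ipv6-addr": _ipv6,
    "ipv4-net": _ipv4_net,
    "ipv4-net-mask": _ipv4_net_mask,
    "domain-name": _domain,
    "domain-to-ipv4": _domain_to_ipv4,
    "domain-to-ipv4-timestamp": _domain_to_ipv4_ts,
    "ipv4-port": _ipv4_port,
}


def parse_bulk_observable(obs_type, text):
    """Return (entries, errors): normalized entries and (lineno, line, reason)."""
    if obs_type not in PARSERS:
        raise ValueError(f"unsupported BulkObservable@type {obs_type!r}")
    parser = PARSERS[obs_type]
    entries, errors = [], []
    for lineno, raw in enumerate(split_bulk_list(text), 1):
        line = raw.strip()
        try:
            if not line:
                raise ValueError("empty line")
            entries.append(parser(line))
        except ValueError as exc:
            errors.append((lineno, raw, str(exc)))
    return entries, errors


if __name__ == "__main__":
    # Constructed sample list mixing LF and CRLF terminators.
    sample = "192.0.2.1\r\n198.51.100.20\nnot-an-address\n203.0.113.300\n"
    print(parse_bulk_observable("ipv4-addr", sample))
```

   Normalizing each entry (lower-cased domains, canonical address and
   prefix text, integer ports) before it reaches a blocklist or
   detection rule avoids duplicate or near-duplicate indicators that
   differ only in formatting.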
4740 +---------------------------+ 4741 | BulkObservableFormat | 4742 +---------------------------+ 4743 | |<>--{0..1}--[ Hash ] 4744 | |<>--{0..*}--[ AdditionalData ] 4745 +---------------------------+ 4747 Figure 64: The BulkObservableFormat Class 4749 The aggregate classes of the BulkObservableFormat class are: 4751 Hash 4752 Zero or one. Describes the format of a hash. See Section 3.26.1. 4754 AdditionalData 4755 Zero or more. EXTENSION. Mechanism by which to extend the data 4756 model. 4758 The BulkObservableFormat class has no attributes. 4760 Either Hash or AdditionalData MUST be present. 4762 3.29.4. IndicatorExpression Class 4764 The IndicatorExpression describes an expression composed of observed 4765 phenomenon or features, or indicators. Elements of the expression 4766 can be described directly, reference relevant data from other parts 4767 of a given IODEF document, or reference previously defined 4768 indicators. 4770 All child classes of a given instance of IndicatorExpression form a 4771 boolean algebraic expression where the operator between them is 4772 determined by the operator attribute. 4774 +--------------------------+ 4775 | IndicatorExpression | 4776 +--------------------------+ 4777 | ENUM operator |<>--{0..*}--[ IndicatorExpression ] 4778 | STRING ext-operator |<>--{0..*}--[ Observable ] 4779 | |<>--{0..*}--[ ObservableReference ] 4780 | |<>--{0..*}--[ IndicatorReference ] 4781 | |<>--{0..*}--[ AdditionalData ] 4782 +--------------------------+ 4784 Figure 65: The IndicatorExpression Class 4786 The aggregate classes of the IndicatorExpression class are: 4788 IndicatorExpression 4789 Zero or more. An expression composed of other observables or 4790 indicators. See Section 3.29.4. 4792 Observable 4793 Zero or more. A description of an observable. See 4794 Section 3.29.3. 4796 ObservableReference 4797 Zero or more. A reference to an observable. See Section 3.29.6. 4799 IndicatorReference 4800 Zero or more. A reference to an indicator. 
      See Section 3.29.7.

   AdditionalData
      Zero or more.  EXTENSION.  Mechanism by which to extend the data model.

   The attributes of the IndicatorExpression class are:

   operator
      Optional.  ENUM.  The operator to be applied between the child elements.  See Section 3.29.5 for parsing guidance.  The default value is "and".  These values are maintained in the "IndicatorExpression-operator" IANA registry per Section 10.2.

      1.  not.  Negation operator.

      2.  and.  Conjunction operator.

      3.  or.  Disjunction operator.

      4.  xor.  Exclusive disjunction operator.

   ext-operator
      Optional.  STRING.  A means by which to extend the operator attribute.  See Section 5.1.1.

3.29.5.  Expressions with IndicatorExpression

   Boolean algebraic expressions can be used to specify relationships between observables and indicators.  These expressions are constructed through the use of the operator attribute and parent-child relationships in IndicatorExpressions.  These expressions should be parsed as follows:

   1.  The operator specified by the operator attribute is applied between each of the child elements of the immediate parent IndicatorExpression element.  If no operator attribute is specified, it should be assumed to be the conjunction operator (i.e., operator="and").

   2.  A nested IndicatorExpression element with a parent IndicatorExpression is the equivalent of parentheses in the expression.

   The following four examples in Figure 66 through Figure 69 illustrate these parsing rules:

   1 :
   2 [O1]: ..
   3 [O2]: ..
   4 :

   Equivalent expression: (O1 AND O2)

      Figure 66: Nested elements in an IndicatorExpression without an operator attribute specified

   1 :
   2 [O1]: ..
   3 [O2]: ..
   4 :

   Equivalent expression: (O1 OR O2)

      Figure 67: Nested elements in an IndicatorExpression with an operator attribute specified

   1 :
   2 :
   2 [O1]: ..
   3 [O2]: ..
   4 :
   2 [O3]: ..
   4 :

   Equivalent expression: ((O1 OR O2) OR O3)

      Figure 68: Nested elements with a recursive IndicatorExpression with an operator attribute specified

   1 :
   2 :
   2 [O1]: ..
   3 [O2]: ..
   4 :
   4 :

   Equivalent expression: (NOT (O1 AND O2))

      Figure 69: A recursive IndicatorExpression with an operator attribute specified

   Expressions that are algebraically invalid, even though they are valid XML, MUST NOT be specified.

3.29.6.  ObservableReference Class

   The ObservableReference describes a reference to an observable feature or phenomenon described elsewhere in the document.

   The ObservableReference class has no content.

   +-------------------------+
   | ObservableReference     |
   +-------------------------+
   | IDREF uid-ref           |
   +-------------------------+

              Figure 70: The ObservableReference Class

   The attribute of the ObservableReference class is:

   uid-ref
      Required.  IDREF.  An identifier that serves as a reference to a class in the IODEF document.  The referenced class will have this identifier set in its observable-id attribute.

3.29.7.  IndicatorReference Class

   The IndicatorReference describes a reference to an indicator.  This reference may be to an indicator described in this IODEF document or in a previously exchanged IODEF document.

   The IndicatorReference class has no content.
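   As an added example covering the parsing rules of Section 3.29.5 together with same-document resolution of ObservableReference and IndicatorReference (Sections 3.29.6 and 3.29.7), the Python below evaluates an IndicatorExpression tree against a set of observable-ids that have been sighted.  It is not code from this draft or from an IODEF implementation.  Assumptions: the identifier compared with uid-ref is the text content of Indicator/IndicatorID; "not" is accepted only with a single operand and "xor" over more than two operands is chained (parity), neither of which the draft spells out; an euid-ref pointing outside the document is reported as unresolvable; and the sample document is a constructed skeleton that is not validated against the schema.

```python
# Added example (not from the draft): evaluate an IndicatorExpression per Section 3.29.5.
import xml.etree.ElementTree as ET
from functools import reduce
from operator import xor

IODEF = "urn:ietf:params:xml:ns:iodef-2.0"          # namespace declared in Section 4.2


def q(name):
    """Qualify an IODEF element name with the IODEF namespace."""
    return f"{{{IODEF}}}{name}"


class ExpressionError(ValueError):
    """Valid XML, but not a valid boolean expression (Section 3.29.5)."""


def _find_observable(root, uid):
    """Resolve an ObservableReference: the element whose observable-id equals uid."""
    for el in root.iter():
        if el.get("observable-id") == uid:
            return el
    raise ExpressionError(f"ObservableReference uid-ref {uid!r} does not resolve")


def _find_indicator(root, uid):
    """Resolve an IndicatorReference uid-ref to an Indicator in this document.
    Assumption: the identifier is the text content of Indicator/IndicatorID."""
    for ind in root.iter(q("Indicator")):
        iid = ind.find(q("IndicatorID"))
        if iid is not None and (iid.text or "").strip() == uid:
            return ind
    raise ExpressionError(f"IndicatorReference uid-ref {uid!r} does not resolve")


def evaluate(expr, root, sighted):
    """Return the truth value of an IndicatorExpression element.
    sighted(observable_element) decides whether an Observable was seen; matching
    observables against telemetry is outside this example."""
    op = expr.get("operator", "and")                # rule 1: default is conjunction
    if op == "ext-value":
        raise ExpressionError(f"ext-operator {expr.get('ext-operator')!r} is not supported here")
    values = []
    for child in expr:
        if child.tag == q("IndicatorExpression"):   # rule 2: nesting acts as parentheses
            values.append(evaluate(child, root, sighted))
        elif child.tag == q("Observable"):
            values.append(bool(sighted(child)))
        elif child.tag == q("ObservableReference"):
            values.append(bool(sighted(_find_observable(root, child.get("uid-ref")))))
        elif child.tag == q("IndicatorReference"):
            if child.get("uid-ref") is None:        # euid-ref names another document
                raise ExpressionError("IndicatorReference euid-ref cannot be resolved locally")
            nested = _find_indicator(root, child.get("uid-ref")).find(q("IndicatorExpression"))
            if nested is None:
                raise ExpressionError("referenced Indicator carries no IndicatorExpression")
            values.append(evaluate(nested, root, sighted))
        elif child.tag == q("AdditionalData"):
            continue                                # extension data is not an operand
        else:
            raise ExpressionError(f"unexpected child {child.tag}")
    if not values:
        raise ExpressionError("IndicatorExpression has no operands")
    if op == "not":
        if len(values) != 1:                        # NOT over several operands is undefined
            raise ExpressionError("'not' takes exactly one operand")
        return not values[0]
    if op == "and":
        return all(values)
    if op == "or":
        return any(values)
    if op == "xor":
        return reduce(xor, values)                  # chained exclusive disjunction
    raise ExpressionError(f"unknown operator {op!r}")


def evaluate_indicator(xml_text, indicator_id, sighted_ids):
    """Evaluate the named Indicator given the set of observable-ids that were seen."""
    root = ET.fromstring(xml_text)
    expr = _find_indicator(root, indicator_id).find(q("IndicatorExpression"))
    if expr is None:
        raise ExpressionError(f"Indicator {indicator_id!r} carries no IndicatorExpression")
    return evaluate(expr, root, lambda obs: obs.get("observable-id") in sighted_ids)


# Constructed sample: IND-1 is NOT (o1 AND o2); IND-2 is o1 AND IND-1; IND-3 is
# valid XML but invalid algebra.  Not validated against the schema.
SAMPLE = f"""<IODEF-Document xmlns="{IODEF}" version="2.0">
  <Incident>
    <Indicator><IndicatorID>IND-1</IndicatorID>
      <IndicatorExpression operator="not">
        <IndicatorExpression>
          <Observable observable-id="o1"/><Observable observable-id="o2"/>
        </IndicatorExpression>
      </IndicatorExpression>
    </Indicator>
    <Indicator><IndicatorID>IND-2</IndicatorID>
      <IndicatorExpression>
        <ObservableReference uid-ref="o1"/><IndicatorReference uid-ref="IND-1"/>
      </IndicatorExpression>
    </Indicator>
    <Indicator><IndicatorID>IND-3</IndicatorID>
      <IndicatorExpression operator="not">
        <Observable observable-id="o3"/><Observable observable-id="o4"/>
      </IndicatorExpression>
    </Indicator>
  </Incident>
</IODEF-Document>"""
```

   Because the evaluator raises on anything the draft leaves undefined (an empty expression, a multi-operand "not", an unresolvable reference) rather than guessing, a detection pipeline fails closed on a malformed indicator instead of matching on noise.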
   +--------------------------+
   | IndicatorReference       |
   +--------------------------+
   | IDREF uid-ref            |
   | STRING euid-ref          |
   | STRING version           |
   +--------------------------+

              Figure 71: The IndicatorReference Class

   The attributes of the IndicatorReference class are:

   uid-ref
      Optional.  IDREF.  An identifier that references an Indicator class in the IODEF document.  The referenced Indicator class will have this identifier set in its IndicatorID class.

   euid-ref
      Optional.  STRING.  An identifier that references an IndicatorID not in this IODEF document.

   version
      Optional.  STRING.  A version number of an indicator.

   Either the uid-ref or the euid-ref attribute MUST be set.

3.29.8.  AttackPhase Class

   The AttackPhase class describes a particular phase of an attack lifecycle.

   +------------------------+
   | AttackPhase            |
   +------------------------+
   |                        |<>--{0..*}--[ AttackPhaseID ]
   |                        |<>--{0..*}--[ URL ]
   |                        |<>--{0..*}--[ Description ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                    Figure 72: AttackPhase Class

   The aggregate classes of the AttackPhase class are:

   AttackPhaseID
      Zero or more.  STRING.  An identifier for the phase of the attack.

   URL
      Zero or more.  URL.  A URL to a resource describing this phase of the attack.

   Description
      Zero or more.  ML_STRING.  A free-form text description of this phase of the attack.

   AdditionalData
      Zero or more.  EXTENSION.  A mechanism by which to extend the data model.

   AttackPhase MUST have at least one instance of a child class.

   The AttackPhase class has no attributes.

4.  Processing Considerations

   This section provides additional requirements and guidance on creating and processing IODEF documents.

4.1.  Encoding

   Every IODEF document MUST begin with an XML declaration and MUST specify the XML version used.  The character encoding MUST also be explicitly specified.  UTF-8 [RFC3629] SHOULD be used unless UTF-16 [RFC2781] is necessary.  Encodings other than UTF-8 and UTF-16 SHOULD NOT be used.  The IODEF conforms to all XML data encoding conventions and constraints.

   The XML declaration with no character encoding will read as follows:

   When a character encoding is specified, the XML declaration will read as follows:

   Where "charset" is the name of the character encoding as registered with the Internet Assigned Numbers Authority (IANA), see [RFC2978].

   The following characters have special meaning in XML and MUST be escaped with their entity reference equivalent: "&", "<", ">", "\"" (double quotation mark), and "'" (apostrophe).  These entity references are "&amp;", "&lt;", "&gt;", "&quot;", and "&apos;" respectively.

4.2.  IODEF Namespace

   The IODEF schema declares a namespace of "urn:ietf:params:xml:ns:iodef-2.0" and registers it per [W3C.XMLNS].  Each IODEF document MUST include a valid reference to the IODEF schema using the "xsi:schemaLocation" attribute.  An example of such a declaration would look as follows:

4.3.  Validation

   IODEF documents MUST be well-formed XML.  It is RECOMMENDED that recipients validate the document against the schema described in Section 8.  However, mere conformance to this schema is not sufficient for a semantically valid IODEF document.  The text of Section 3 describes further formatting and constraints, some of which cannot be conveniently encoded in the schema.  These MUST also be considered by an IODEF implementation.
   Furthermore, the enumerated values present in this document are a static list that will become incomplete over time, as select attributes can be extended by a corresponding IANA registry per Section 10.2.  Therefore, the schema used to validate a given document MUST be dynamically generated from these registry values.

4.4.  Incompatibilities with v1

   The IODEF data model in this document makes a number of changes to [RFC5070].  These changes were largely additive -- classes and enumerated values were added.  However, some incompatibilities between [RFC5070] and this new specification were introduced.  These incompatibilities are as follows:

   o  The IODEF-Document@version attribute is set to "2.0".

   o  Attributes with enumerated values can now also be extended with IANA registries.

   o  All iodef:MLStringType classes use xml:lang.  IODEF-Document also uses xml:lang.

   o  The Service@ip_protocol attribute was renamed to @ip-protocol.

   o  The Node/NodeName class was removed in favor of representing domain names with the Node/DomainData/Name class.  The Node/DateTime class was also removed so that the Node/DomainData/DateDomainWasChecked class can represent the time at which the name to address resolution occurred.

   o  The Node/NodeRole class was moved to System/NodeRole.

   o  The Reference class is now defined by [RFC-ENUM].

   o  The data previously represented in the Impact class is now in the SystemImpact and IncidentCategory classes.  The Impact class has been removed.

   o  The semantics of Counter@type are now represented in Counter@unit.

   o  The IODEF-Document@formatid attribute has been renamed to @format-id.

   o  Incident/ReportTime is no longer mandatory.  However, GenerationTime is.

   o  The Fax class was removed and is now represented by a generic Telephone class.
   o  The Telephone, Email and PostalAddress classes were redefined for improved internationalization.

5.  Extending the IODEF

   In order to support the dynamic nature of security operations, the IODEF data model will need to continue to evolve.  This section discusses how new data elements can be incorporated into the IODEF.  There is support to add additional enumerated values and new classes.  Adding additional attributes to existing classes is not supported.

   These extension mechanisms are designed so that adding new data elements is possible without requiring modifications to this document.  Extensions can be implemented publicly or privately.  With proven value, well documented extensions can be incorporated into future versions of the specification.

5.1.  Extending the Enumerated Values of Attributes

   Additional enumerated values can be added to select attributes either through the use of specially marked attributes with the "ext-" prefix or through a set of corresponding IANA registries.  The former approach allows for the extension to remain private.  The latter approach is public.

5.1.1.  Private Extension of Enumerated Values

   The data model supports adding new enumerated values to an attribute without public registration.  For each attribute that supports this extension technique, there is a corresponding attribute in the same element whose name is identical but with a prefix of "ext-".  This special attribute is referred to as the extension attribute.  The attribute being extended is referred to as an extensible attribute.  For example, an extensible attribute named "foo" will have a corresponding extension attribute named "ext-foo".  An element may have many extensible attributes.

   In addition to a corresponding extension attribute, each extensible attribute has "ext-value" as one of its possible enumerated values.
   Selection of this particular value in an extensible attribute signals that the extension attribute contains data.  Otherwise, this "ext-value" value has no meaning.

   In order to add a new enumerated value to an extensible attribute, the value of this attribute MUST be set to "ext-value", and the new desired value MUST be set in the corresponding extension attribute.  For example, extending the type attribute of the SystemImpact class would look as follows:

   A given extension attribute MUST NOT be set unless the corresponding extensible attribute has been set to "ext-value".

5.1.2.  Public Extension of Enumerated Values

   The data model also supports publicly extending select enumerated attributes.  A new entry can be added by registering a new entry in the appropriate IANA registry.  Section 10.2 provides a mapping between the extensible attributes and their corresponding registry.  Section 4.3 discusses the XML Validation implications of this type of extension.  All extensible attributes that support private extensions also support public extensions.

5.2.  Extending Classes

   Classes of the EXTENSION (iodef:ExtensionType) type can extend the data model.  They provide the ability to have new atomic or XML-encoded data elements in all of the top-level classes of the Incident class and a few of the complex subordinate classes.  As there are multiple instances of the extensible classes in the data model, there is discretion on where to add a new data element.  It is RECOMMENDED that the extension be placed in the class most closely related to the new information.

   Extensions using the atomic data types (i.e., all values of the dtype attributes other than "xml") MUST:

   1.  Set the element content to the desired value, and

   2.  Set the dtype attribute to correspond to the data type of the element content.
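   The checks a recipient can make purely syntactically, for the declaration rules of Section 4.1 as well as for the "ext-value" pairing of Section 5.1.1 and the dtype rules just listed, are shown in the following Python.  It is an added example, not code from this draft or from an IODEF implementation.  Assumptions: the function names check_declaration and check_extensions are the example's own; the dtype value "string" and the SystemImpact type value "unknown" used in the constructed samples come from the registries this draft points to rather than from the text above; the namespace URI given for the "iodef-extension1" prefix is a placeholder; and the samples are fragments that are not validated against the schema.

```python
# Added example (not from the draft): recipient-side checks for Sections 4.1, 5.1.1 and 5.2.
import re
import xml.etree.ElementTree as ET

IODEF = "urn:ietf:params:xml:ns:iodef-2.0"
DECL_RE = re.compile(r"""^<\?xml\s+version=["']([^"']+)["'](?:\s+encoding=["']([^"']+)["'])?""")


def check_declaration(raw):
    """Section 4.1: the document MUST start with an XML declaration naming the
    version and the character encoding; only UTF-8 or UTF-16 SHOULD be used."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):       # UTF-16 byte order mark
        head = raw[:400].decode("utf-16", errors="replace")
    else:
        head = raw[:200].decode("utf-8", errors="replace")
    m = DECL_RE.match(head)
    if not m:
        return ["document does not begin with an XML declaration naming a version"]
    encoding = m.group(2)
    if encoding is None:
        return ["character encoding is not explicitly specified"]
    if encoding.upper() not in ("UTF-8", "UTF-16"):
        return [f"encoding {encoding!r} SHOULD NOT be used"]
    return []


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def check_extensions(xml_text):
    """Sections 5.1.1 and 5.2: return the list of violations (empty means clean)."""
    problems = []
    for el in ET.fromstring(xml_text).iter():
        name, attrs = _local(el.tag), el.attrib
        for attr in attrs:
            # 5.1.1: ext-foo MUST NOT be set unless foo is "ext-value" ...
            if attr.startswith("ext-"):
                base = attr[4:]
                if attrs.get(base) != "ext-value":
                    problems.append(f"{name}@{attr} set while @{base} is not 'ext-value'")
            # ... and foo="ext-value" means the real value MUST be in ext-foo.
            if attrs[attr] == "ext-value" and not attrs.get("ext-" + attr):
                problems.append(f"{name}@{attr}='ext-value' without @ext-{attr}")
        # 5.2: atomic dtypes carry text content; dtype="xml" carries element content.
        if el.tag == f"{{{IODEF}}}AdditionalData":
            dtype = attrs.get("dtype")
            if dtype is None:
                problems.append("AdditionalData has no dtype attribute")
            elif dtype == "xml" and len(el) == 0:
                problems.append("AdditionalData dtype='xml' contains no XML element")
            elif dtype != "xml" and (len(el) or not (el.text or "").strip()):
                problems.append(f"AdditionalData dtype={dtype!r} must carry atomic text content")
    return problems


EXT_NS = "http://www.example.com/iodef-extension1"   # placeholder URI for the "iodef-extension1" prefix

# Constructed samples (fragments, not schema-validated).  GOOD follows every rule;
# BAD breaks the 5.1.1 pairing twice and the 5.2 dtype rules twice.
GOOD = f"""<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document xmlns="{IODEF}" version="2.0">
  <Incident>
    <SystemImpact type="ext-value" ext-type="new-impact-type"/>
    <AdditionalData dtype="string">plain atomic value</AdditionalData>
    <AdditionalData dtype="xml">
      <iodef-extension1:newdata xmlns:iodef-extension1="{EXT_NS}">42</iodef-extension1:newdata>
    </AdditionalData>
  </Incident>
</IODEF-Document>"""

BAD = f"""<?xml version="1.0"?>
<IODEF-Document xmlns="{IODEF}" version="2.0">
  <Incident>
    <SystemImpact type="unknown" ext-type="stray"/>
    <SystemImpact type="ext-value"/>
    <AdditionalData dtype="xml">not an element</AdditionalData>
    <AdditionalData>no dtype</AdditionalData>
  </Incident>
</IODEF-Document>"""
```

   check_declaration works on the raw bytes on purpose: the encoding rule has to be checked before the document is decoded, and a UTF-16 document can only be recognised by its byte order mark.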
   The following guidelines exist for extensions using XML (i.e., dtype="xml"):

   1.  The element content of the extensible class MUST be set to the desired value and the dtype attribute MUST be set to "xml".

   2.  The extension schema MUST declare a separate namespace.  It is RECOMMENDED that these extensions have the prefix "iodef-".  This recommendation makes readability of the document easier by allowing the reader to infer which namespaces relate to IODEF by inspection.

   3.  It is RECOMMENDED that extension schemas follow the naming convention of the IODEF data model.  This too improves the readability of extended IODEF documents.  The names of all elements SHOULD be capitalized.  For elements with composed names, a capital letter SHOULD be used for each word.  Attribute names SHOULD be in lower case.  Attributes with composed names SHOULD be separated by a hyphen.

   4.  Implementations that encounter an unrecognized element in a supported namespace MUST reject the document as a syntax error.

   5.  There are security and performance implications in requiring implementations to dynamically download schemas at run time.  Therefore, implementations SHOULD NOT download schemas at runtime unless the appropriate precautions are taken.  Implementations also need to contend with the potential of significant network and processing issues.

   6.  Some adopters of the IODEF may have private schema definitions that are not publicly available.  Thus, implementations may encounter IODEF documents with references to private schemas that may not be resolvable.  Hence, IODEF document recipients MUST be prepared for a schema definition in an IODEF document never to resolve.

   The following schema and XML document excerpt provide a template for an extension schema and its use in the IODEF document.
   This example schema defines a namespace of "iodef-extension1" and a single element named "newdata".

   attributeFormDefault="unqualified"
   elementFormDefault="qualified">

   The following XML excerpt demonstrates the use of the above schema as an extension to the IODEF.

   ...
   Field that could not be represented elsewhere

   If an unrecognized private extension is encountered in processing, the recipient MAY reject the entire document as a syntax error.

6.  Internationalization Issues

   Internationalization and localization are of specific concern to the IODEF, as it facilitates operational coordination with a diverse set of partners.  The IODEF implements internationalization by relying on XML constructs and through explicit design choices in the data model.

   Since the IODEF is implemented as an XML Schema, it supports the different character encodings possible with XML, such as UTF-8 and UTF-16.  Additionally, each IODEF document MUST specify the language in which its content is encoded.  The language can be specified with the attribute "xml:lang" (per Section 2.12 of [W3C.XML]) in the top-level element (i.e., IODEF-Document), letting all other elements inherit that definition.  All IODEF classes with a free-form text definition (i.e., all those defined with type iodef:MLStringType) can also specify a language different from the rest of the document.

   The data model supports multiple translations of free-form text.  All ML_STRING (iodef:MLStringType) classes have a one-to-many cardinality to their parent.  This allows the identical text translated into different languages to be encoded in different instances of the same class with a common parent.  This design also enables the creation of a single document containing all the translations.
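   One way to act on the translation-id grouping described in this section, as an added example that is not code from the draft: given a recipient's ordered language preferences, pick one instance per group of translated ML_STRING elements, honouring xml:lang inherited from IODEF-Document and falling back to the first instance when no preferred language is present.  Assumptions: the lookup truncates subtags from the right (BCP 47 style), the result is keyed by translation-id on the premise that an id is not reused under different parents, and the sample mirrors the draft's English/Englisch/Anglais illustration with one constructed extra entry.

```python
# Added example (not from the draft): choose the translation matching the recipient's language.
import xml.etree.ElementTree as ET

IODEF = "urn:ietf:params:xml:ns:iodef-2.0"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"   # xml:lang as ElementTree names it


def _effective_lang(el, parents):
    """Nearest xml:lang on the element or an ancestor (inherited per Section 2.12 of [W3C.XML])."""
    while el is not None:
        if el.get(XML_LANG):
            return el.get(XML_LANG).lower()
        el = parents.get(el)
    return None


def _lookup(wanted, available):
    """BCP 47 style lookup: try the full tag, then drop subtags from the right."""
    tag = wanted.lower()
    while tag:
        if tag in available:
            return available[tag]
        tag = tag.rpartition("-")[0]
    return None


def pick_translations(xml_text, preferred):
    """Return {translation-id: (language, text)}, choosing per group the first
    language in `preferred` that is available, else the first instance."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    groups = {}                      # (parent, element name, translation-id) -> instances
    for el in root.iter():
        tid = el.get("translation-id")
        if tid is not None:
            groups.setdefault((parents.get(el), el.tag, tid), []).append(el)
    chosen = {}
    for (_, _, tid), instances in groups.items():
        by_lang = {_effective_lang(e, parents): e for e in instances}
        match = instances[0]         # fallback: first instance in document order
        for pref in preferred:
            found = _lookup(pref, by_lang)
            if found is not None:    # explicit None test: an empty Element is falsy
                match = found
                break
        chosen[tid] = (_effective_lang(match, parents), (match.text or "").strip())
    return chosen


# Constructed sample: the draft's three Description instances plus one untranslated entry.
SAMPLE = f"""<IODEF-Document xmlns="{IODEF}" version="2.0" xml:lang="en">
  <Incident>
    <Description translation-id="1">English</Description>
    <Description translation-id="1" xml:lang="de">Englisch</Description>
    <Description translation-id="1" xml:lang="fr">Anglais</Description>
    <Description translation-id="2">Only available in the document language</Description>
  </Incident>
</IODEF-Document>"""

if __name__ == "__main__":
    print(pick_translations(SAMPLE, ["fr-CA", "en"]))
```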
   The IODEF implementation SHOULD extract the appropriate language relevant to the recipient.

   Related instances of a given iodef:MLStringType class that are translations of each other are identified by a common identifier set in the translation-id attribute.  The example below shows three instances of a Description class expressed in three different languages.  The relationship between these three instances of the Description class is conveyed by the common value of "1" in the translation-id attribute.

   ...
   English
   Englisch
   Anglais

   The IODEF balances internationalization support with the need for interoperability.  While the IODEF supports different languages, the data model also relies heavily on standardized enumerated attributes that can crudely approximate the contents of the document.  With this approach, a CSIRT should be able to make some sense of an IODEF document it receives even if the free-form text data elements are written in a language unfamiliar to the recipient.

7.  Examples

   This section provides examples of IODEF documents.  These examples do not represent the full capabilities of the data model or the only way to encode particular information.

7.1.  Minimal Example

   A document containing only the mandatory elements and attributes.

   492382
   2015-07-18T09:00:00-05:00
   contact@csirt.example.com

7.2.  Indicators from a Campaign

   An example of C2 domains from a given campaign.

   897923
   TA-12-AGGRESSIVE-BUTTERFLY
   Aggressive Butterfly
   C-2015-59405
   Orange Giraffe
   2015-10-02T11:18:00-05:00
   Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang.
   CSIRT for example.com
   contact@csirt.example.com
   G90823490
   C2 domains
   2014-12-02T11:18:00-05:00
   kj290023j09r34.example.com
   09ijk23jfj0k8.example.net
   klknjwfjiowjefr923.example.org
   oimireik79msd.example.org

8.  The IODEF Data Model (XML Schema)

   Incident Object Description Exchange Format v2.0, RFC5070bis
9.  Security Considerations

   The IODEF data model does not directly introduce security or privacy issues.
   However, as the data encoded by the IODEF might be considered sensitive by the parties exchanging it or by those described by it, care needs to be taken to ensure appropriate handling during the document construction, exchange, processing, archiving, subsequent retrieval and analysis.

9.1.  Security

   The underlying messaging format and protocol used to exchange instances of the IODEF MUST provide appropriate guarantees of confidentiality, integrity, and authenticity.  The use of a standardized security protocol is encouraged.  The Real-time Inter-network Defense (RID) protocol [RFC6545] and its associated transport binding IODEF/RID over HTTP/TLS [RFC6546] provide such security.

   The contents of an IODEF document may include a request for action.  An IODEF implementation may also initiate courses of action based on the document contents.  For these reasons, care must be taken by IODEF implementations to properly authenticate the sender and receiver of the document.  The recipient must also ascribe appropriate confidence to the data prior to action.

   Executable content could be embedded into the IODEF document directly or through an extension.  The IODEF implementation MUST handle this content with care to prevent unintentional automated execution.

9.2.  Privacy

   The IODEF contains numerous fields that are identifiers which could be linked to an individual or organization.  IODEF documents may contain sensitive information about these identified parties, and repeated document exchanges about the same and related parties may enable the correlation of data about them.  Likewise, a party may report on another to a third party without their knowledge.

   When creating an IODEF document, careful consideration must be given to what information is shared.
   Personal identifiers and attributable sensitive information should only be shared when necessary.

   When exchanging documents, transport security MUST provide document-level confidentiality.  XML element-level confidentiality can also be provided by using [W3C.XMLENC].

   In order to suggest data processing and handling guidelines for the encoded information, the IODEF allows a document sender to convey a privacy policy using the restriction attribute.  The various instances of this attribute allow different data elements of the document to be covered by dissimilar policies.  While flexible, it must be stressed that this approach only serves as a guideline from the sender, as the recipient is free to ignore it.

   Although outside of the scope of an IODEF implementation, the contents of IODEF documents and any derived analysis should be archived with appropriate confidentiality controls.  Likewise, access to retrieve and analyze this data should be restricted to authorized users.

10.  IANA Considerations

   This document registers a namespace, an XML schema, and a number of registries that map to enumerated values defined in the data model.

10.1.  Namespace and Schema

   This document uses URNs to describe an XML namespace and schema conforming to the registry mechanism described in [RFC3688].

   Registration for the IODEF namespace:

   o  URI: urn:ietf:params:xml:ns:iodef-2.0

   o  Registrant Contact: See the first author of the "Author's Address" section of this document.

   o  XML: None.  Namespace URIs do not represent an XML specification.

   Registration for the IODEF XML schema:

   o  URI: urn:ietf:params:xml:schema:iodef-2.0

   o  Registrant Contact: See the first author of the "Author's Address" section of this document.

   o  XML: See Section 8 of this document.

10.2.  Enumerated Value Registries

   This document creates 33 identically structured registries to be managed by IANA:

   o  Name of the parent registry: "Incident Object Description Exchange Format v2 (IODEF)"

   o  URL of the registry: http://www.iana.org/assignments/iodef2

   o  Namespace format: A registry entry consists of:

      *  Value.  An enumerated value for a given IODEF attribute.

      *  Description.  A short description of the enumerated value.

      *  Reference.  An optional list of URIs to further describe the value.

   o  Allocation policy: Expert Review per [RFC5226]

   The registries to be created are named in the "Registry Name" column of Table 1.  The initial values for the Value and Description fields of a given registry are listed in the "IV (Value)" and "IV (Description)" columns respectively.  The "IV (Value)" points to a given schema type per Section 8.  Each enumerated value in the schema gets a corresponding entry in a given registry.  The "IV (Description)" points to a section in the text of this document that describes each enumerated value.  The initial value of the Reference field of every registry entry described below should be this document.
   +------------------------------+-----------------------------------+------------------+
   | Registry Name                | IV (Value)                        | IV (Description) |
   +------------------------------+-----------------------------------+------------------+
   | Restriction                  | iodef-restriction-type            | Section 3.3.1    |
   | Incident-purpose             | incident-purpose-type             | Section 3.2      |
   | Incident-status              | incident-status-type              | Section 3.2      |
   | Contact-role                 | contact-role-type                 | Section 3.9      |
   | Contact-type                 | contact-type-type                 | Section 3.9      |
   | RegistryHandle-registry      | registryhandle-registry-type      | Section 3.9.1    |
   | PostalAddress-type           | postaladdress-type-type           | Section 3.9.2    |
   | Telephone-type               | telephone-type-type               | Section 3.9.4    |
   | Email-type                   | email-type-type                   | Section 3.9.3    |
   | Expectation-action           | action-type                       | Section 3.15     |
   | Discovery-source             | discovery-source-type             | Section 3.10     |
   | SystemImpact-type            | systemimpact-type-type            | Section 3.12.1   |
   | BusinessImpact-severity      | businessimpact-severity-type      | Section 3.12.2   |
   | BusinessImpact-type          | businessimpact-type-type          | Section 3.12.2   |
   | TimeImpact-metric            | timeimpact-metric-type            | Section 3.12.3   |
   | TimeImpact-duration          | duration-type                     | Section 3.12.3   |
   | Confidence-rating            | confidence-rating-type            | Section 3.12.5   |
   | NodeRole-category            | noderole-category-type            | Section 3.18.2   |
   | System-category              | system-category-type              | Section 3.17     |
   | System-ownership             | system-ownership-type             | Section 3.17     |
   | Address-category             | address-category-type             | Section 3.18.1   |
   | Counter-type                 | counter-type-type                 | Section 3.18.3   |
   | Counter-unit                 | counter-unit-type                 | Section 3.18.3   |
   | DomainData-system-status     | domaindata-system-status-type     | Section 3.19     |
   | DomainData-domain-status     | domaindata-domain-status-type     | Section 3.19     |
   | RecordPattern-type           | recordpattern-type-type           | Section 3.22.2   |
   | RecordPattern-offsetunit     | recordpattern-offsetunit-type     | Section 3.22.2   |
   | Key-registryaction           | key-registryaction-type           | Section 3.23.1   |
   | HashData-scope               | hashdata-scope-type               | Section 3.26     |
   | BulkObservable-type          | bulkobservable-type-type          | Section 3.29.3.1 |
   | IndicatorExpression-operator | indicatorexpression-operator-type | Section 3.29.4   |
   | ExtensionType-dtype          | dtype-type                        | Section 2.16     |
   | SoftwareReference-spec-id    | softwarereference-spec-id-type    | Section 2.15.1   |
   | SoftwareReference-dtype      | softwarereference-dtype-type      | Section 2.15.1   |
   +------------------------------+-----------------------------------+------------------+

                 Table 1: IANA Enumerated Value Registries

11.  Acknowledgments

   Thanks to Paul Stockler for his editorial leadership in the transition of RFC5070bis to this document.

   Thanks to Kathleen Moriarty, Brian Trammell, Alexey Melnikov, Takeshi Takahashi, David Waltermire and Sean Turner as the MILE working group chairs, secretary or area directors for providing feedback and coordination of this document.
   Thanks to the following individuals (listed alphabetically) who
   provided feedback during the meetings, on the mailing list or through
   implementation experience: Jerome Athias, David Black, Eric Burger,
   Toma Cejka, Patrick Curry, John Field, Christopher Harrington, Chris
   Inacio, Panos Kampanakis, David Misell, Daisuke Miyamoto, Adam
   Montville, Robert Moskowitz, Lagadec Philippe, Tony Rutkowski, Mio
   Suzuki and Nik Teague.

12.  References

12.1.  Normative References

   [W3C.XML]  World Wide Web Consortium, "Extensible Markup Language
              (XML) 1.0 (Second Edition)", W3C Recommendation, October
              2000.

   [W3C.SCHEMA]
              World Wide Web Consortium, "XML Schema Part 1: Structures
              Second Edition", W3C Recommendation, October 2004.

   [W3C.SCHEMA.DTYPES]
              World Wide Web Consortium, "XML Schema Part 2: Datatypes
              Second Edition", W3C Recommendation, October 2004.

   [W3C.XMLNS]
              World Wide Web Consortium, "Namespaces in XML", W3C
              Recommendation, January 1999.

   [W3C.XPATH]
              World Wide Web Consortium, "XML Path Language (XPath)
              3.1", W3C Candidate Recommendation, December 2015.

   [W3C.XMLSIG]
              World Wide Web Consortium, "XML Signature Syntax and
              Processing 2.0", W3C Recommendation, June 2008.

   [IEEE.POSIX]
              Institute of Electrical and Electronics Engineers,
              "Information Technology - Portable Operating System
              Interface (POSIX) - Part 1: Base Definitions",
              IEEE 1003.1, June 2001.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC5646]  Phillips, A. and M. Davis, "Tags for Identifying
              Languages", RFC 5646, September 2009.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifiers (URI): Generic Syntax", RFC 3986,
              January 2005.

   [RFC2978]  Freed, N. and J. Postel, "IANA Charset Registration
              Procedures", BCP 19, RFC 2978, October 2000.

   [RFC4519]  Sciberras, A., "Schema for User Applications", RFC 4519,
              June 2006.

   [RFC5322]  Resnick, P., "Internet Message Format", RFC 5322, October
              2008.

   [RFC-ENUM]
              Montville, A. and D. Black, "IODEF Enumeration Reference
              Format", RFC 7495, January 2015.

   [RFC-SCI]  Takahashi, T., Landfield, K., and Y. Kadobayashi, "An
              Incident Object Description Exchange Format (IODEF)
              Extension for Structured Cybersecurity Information",
              RFC 7203, April 2014.

   [ISO4217]  International Organization for Standardization,
              "International Standard: Codes for the representation of
              currencies and funds, ISO 4217:2001", ISO 4217:2001,
              August 2001.

   [RFC3688]  Mealling, M., "The IETF XML Registry", RFC 3688, January
              2004.

   [IANA.Ports]
              Internet Assigned Numbers Authority, "Service Name and
              Transport Protocol Port Number Registry", January 2014.

   [IANA.Protocols]
              Internet Assigned Numbers Authority, "Assigned Internet
              Protocol Numbers", January 2014.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", RFC 3629, November 2003.

   [RFC2781]  Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO
              10646", RFC 2781, February 2000.

   [IANA.Media]
              Internet Assigned Numbers Authority, "Media Types", March
              2015.

   [NIST.CPE]
              The National Institute of Standards and Technology,
              "Common Platform Enumeration", 2014.

   [ISO19770]
              International Organization for Standardization,
              "Information technology -- Software asset management --
              Part 2: Software identification tag, ISO/IEC
              19770-2:2015", ISO 19770-2:2015, October 2015.

12.2.  Informative References

   [RFC5070]  Danyliw, R., Meijer, J., and Y. Demchenko, "Incident
              Object Description Exchange Format", RFC 5070, December
              2007.

   [RFC6545]  Moriarty, K., "Real-time Inter-network Defense (RID)",
              RFC 6545, April 2012.

   [RFC6546]  Trammell, B., "Transport of Real-time Inter-network
              Defense (RID) Messages over HTTP/TLS", RFC 6546, April
              2012.

   [RFC5901]  Cain, P. and D. Jevans, "Extensions to the IODEF-Document
              Class for Reporting Phishing", RFC 5901, July 2010.

   [NIST800.61rev2]
              Cichonski, P., Millar, T., Grance, T., and K. Scarfone,
              "NIST Special Publication 800-61 Revision 2: Computer
              Security Incident Handling Guide", January 2012.

   [RFC3982]  Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg)
              Type for the Internet Registry Information Service
              (IRIS)", RFC 3982, January 2005.

   [KB310516]
              Microsoft Corporation, "How to add, modify, or delete
              registry subkeys and values by using a registration
              entries (.reg) file", December 2007.

   [RFC4180]  Shafranovich, Y., "Common Format and MIME Type for Comma-
              Separated Values (CSV) File", RFC 4180, October 2005.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", RFC 5226, May 2008.

   [W3C.XMLENC]
              World Wide Web Consortium, "XML Encryption Syntax and
              Processing Version 1.1", W3C Recommendation, April 2013.

Author's Address

   Roman Danyliw
   CERT - Carnegie Mellon University
   4500 Fifth Avenue
   Pittsburgh, PA
   USA

   EMail: rdd@cert.org