idnits 2.17.1 draft-ietf-mile-rfc5070-bis-26.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. -- The draft header indicates that this document obsoletes RFC6685, but the abstract doesn't seem to mention this, which it should. -- The draft header indicates that this document obsoletes RFC5070, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: Certain characters have special meaning in XML and MUST not appear in literal form. Per Section 2.4 of [W3C.XML], these characters MUST be escaped with a numeric character or entity reference. == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (October 5, 2016) is 2731 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: '0-9' is mentioned on line 7192, but not defined == Missing Reference: '0-4' is mentioned on line 7192, but not defined == Missing Reference: '0-5' is mentioned on line 7192, but not defined == Missing Reference: 'O1' is mentioned on line 4904, but not defined == Missing Reference: 'O2' is mentioned on line 4905, but not defined == Missing Reference: 'O3' is mentioned on line 4894, but not defined -- Possible downref: Non-RFC (?) normative reference: ref. 'IEEE.POSIX' -- Possible downref: Non-RFC (?) normative reference: ref. 'ISO4217' ** Downref: Normative reference to an Informational RFC: RFC 2781 -- Possible downref: Non-RFC (?) normative reference: ref. 'ISO19770' -- Obsolete informational reference (is this intentional?): RFC 5070 (Obsoleted by RFC 7970) -- Obsolete informational reference (is this intentional?): RFC 6685 (Obsoleted by RFC 7970) -- Obsolete informational reference (is this intentional?): RFC 5226 (Obsoleted by RFC 8126) -- Obsolete informational reference (is this intentional?): RFC 2818 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) Summary: 1 error (**), 0 flaws (~~), 11 warnings (==), 11 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 MILE Working Group R. Danyliw 3 Internet-Draft CERT 4 Obsoletes: 5070, 6685 (if approved) October 5, 2016 5 Intended status: Standards Track 6 Expires: April 8, 2017 8 The Incident Object Description Exchange Format v2 9 draft-ietf-mile-rfc5070-bis-26 11 Abstract 13 The Incident Object Description Exchange Format (IODEF) defines a 14 data representation for security incident reports and indicators 15 commonly exchanged by operational security teams for mitigation and 16 watch and warning. This document describes an updated information 17 model for the IODEF and provides an associated data model specified 18 with XML Schema. This new information and data model obsoletes 19 Request for Comment (RFC) 5070 and 6685. 21 Status of This Memo 23 This Internet-Draft is submitted in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at http://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on April 8, 2017. 38 Copyright Notice 40 Copyright (c) 2016 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents 45 (http://trustee.ietf.org/license-info) in effect on the date of 46 publication of this document. Please review these documents 47 carefully, as they describe your rights and restrictions with respect 48 to this document. Code Components extracted from this document must 49 include Simplified BSD License text as described in Section 4.e of 50 the Trust Legal Provisions and are provided without warranty as 51 described in the Simplified BSD License. 53 This document may contain material from IETF Documents or IETF 54 Contributions published or made publicly available before November 55 10, 2008. The person(s) controlling the copyright in some of this 56 material may not have granted the IETF Trust the right to allow 57 modifications of such material outside the IETF Standards Process. 58 Without obtaining an adequate license from the person(s) controlling 59 the copyright in such materials, this document may not be modified 60 outside the IETF Standards Process, and derivative works of it may 61 not be created outside the IETF Standards Process, except to format 62 it for publication as an RFC or to translate it into languages other 63 than English. 65 Table of Contents 67 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 68 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 69 1.2. Notations . . . . . . . . . . . . . . . . . . . . . . . . 6 70 1.3. About the IODEF Data Model . . . . . . . . . . . . . . . 6 71 1.4. Changelog . . . . . . . . . . . . . . . . . . . . . . . . 7 72 2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 8 73 2.1. Integers . . . . . . . . . . . . . . . . . . . . . . . . 8 74 2.2. Real Numbers . . . . . . . . . . . . . . . . . . . . . . 9 75 2.3. Characters and Strings . . . . . . . . . . . . . . . . . 9 76 2.4. Multilingual Strings . . . . . . . . . . . . . . . . . . 9 77 2.5. Binary Strings . . . . . . . . . . . . . . . . . . . . . 10 78 2.5.1. Base64 Bytes . . . . . . . . . . . . . . . . . . . . 10 79 2.5.2. Hexadecimal Bytes . . . . . . . . . . . . . . . . . . 10 80 2.6. Enumerated Types . . . . . . . . . . . . . . . . . . . . 10 81 2.7. Date-Time String . . . . . . . . . . . . . . . . . . . . 11 82 2.8. Timezone String . . . . . . . . . . . . . . . . . . . . . 11 83 2.9. Port Lists . . . . . . . . . . . . . . . . . . . . . . . 11 84 2.10. Postal Address . . . . . . . . . . . . . . . . . . . . . 11 85 2.11. Telephone Number . . . . . . . . . . . . . . . . . . . . 11 86 2.12. Email String . . . . . . . . . . . . . . . . . . . . . . 12 87 2.13. Uniform Resource Locator strings . . . . . . . . . . . . 12 88 2.14. Identifiers and Identifier References . . . . . . . . . . 12 89 2.15. Software . . . . . . . . . . . . . . . . . . . . . . . . 12 90 2.15.1. SoftwareReference Class . . . . . . . . . . . . . . 13 91 2.16. Extension . . . . . . . . . . . . . . . . . . . . . . . . 14 92 3. The IODEF Information Model . . . . . . . . . . . . . . . . . 17 93 3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . 17 94 3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . 18 95 3.3. Common Attributes . . . . . . . . . . . . . . . . . . . . 22 96 3.3.1. restriction Attribute . . . . . . . . . . . . . . . . 22 97 3.3.2. observable-id Attribute . . . . . . . . . . . . . . . 23 98 3.4. IncidentID Class . . . . . . . . . . . . . . . . . . . . 24 99 3.5. AlternativeID Class . . . . . . . . . . . . . . . . . . . 25 100 3.6. RelatedActivity Class . . . . . . . . . . . . . . . . . . 25 101 3.7. ThreatActor Class . . . . . . . . . . . . . . . . . . . . 27 102 3.8. Campaign Class . . . . . . . . . . . . . . . . . . . . . 28 103 3.9. Contact Class . . . . . . . . . . . . . . . . . . . . . . 29 104 3.9.1. RegistryHandle Class . . . . . . . . . . . . . . . . 32 105 3.9.2. PostalAddress Class . . . . . . . . . . . . . . . . . 33 106 3.9.3. Email Class . . . . . . . . . . . . . . . . . . . . . 34 107 3.9.4. Telephone Class . . . . . . . . . . . . . . . . . . . 35 108 3.10. Discovery Class . . . . . . . . . . . . . . . . . . . . . 36 109 3.10.1. DetectionPattern Class . . . . . . . . . . . . . . . 38 110 3.11. Method Class . . . . . . . . . . . . . . . . . . . . . . 39 111 3.11.1. Reference Class . . . . . . . . . . . . . . . . . . 40 112 3.12. Assessment Class . . . . . . . . . . . . . . . . . . . . 41 113 3.12.1. SystemImpact Class . . . . . . . . . . . . . . . . . 43 114 3.12.2. BusinessImpact Class . . . . . . . . . . . . . . . . 45 115 3.12.3. TimeImpact Class . . . . . . . . . . . . . . . . . . 47 116 3.12.4. MonetaryImpact Class . . . . . . . . . . . . . . . . 49 117 3.12.5. Confidence Class . . . . . . . . . . . . . . . . . . 50 118 3.13. History Class . . . . . . . . . . . . . . . . . . . . . . 51 119 3.13.1. HistoryItem Class . . . . . . . . . . . . . . . . . 52 120 3.14. EventData Class . . . . . . . . . . . . . . . . . . . . . 54 121 3.14.1. Relating the Incident and EventData Classes . . . . 56 122 3.14.2. Recursive Definition of EventData . . . . . . . . . 56 123 3.15. Expectation Class . . . . . . . . . . . . . . . . . . . . 57 124 3.16. Flow Class . . . . . . . . . . . . . . . . . . . . . . . 60 125 3.17. System Class . . . . . . . . . . . . . . . . . . . . . . 61 126 3.18. Node Class . . . . . . . . . . . . . . . . . . . . . . . 64 127 3.18.1. Address Class . . . . . . . . . . . . . . . . . . . 65 128 3.18.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 66 129 3.18.3. Counter Class . . . . . . . . . . . . . . . . . . . 70 130 3.19. DomainData Class . . . . . . . . . . . . . . . . . . . . 72 131 3.19.1. Nameservers Class . . . . . . . . . . . . . . . . . 74 132 3.19.2. DomainContacts Class . . . . . . . . . . . . . . . . 75 133 3.20. Service Class . . . . . . . . . . . . . . . . . . . . . . 75 134 3.20.1. ServiceName Class . . . . . . . . . . . . . . . . . 77 135 3.20.2. ApplicationHeader Class . . . . . . . . . . . . . . 78 136 3.21. EmailData Class . . . . . . . . . . . . . . . . . . . . . 78 137 3.22. Record Class . . . . . . . . . . . . . . . . . . . . . . 80 138 3.22.1. RecordData Class . . . . . . . . . . . . . . . . . . 81 139 3.22.2. RecordPattern Class . . . . . . . . . . . . . . . . 82 140 3.23. WindowsRegistryKeysModified Class . . . . . . . . . . . . 84 141 3.23.1. Key Class . . . . . . . . . . . . . . . . . . . . . 85 142 3.24. CertificateData Class . . . . . . . . . . . . . . . . . . 86 143 3.24.1. Certificate Class . . . . . . . . . . . . . . . . . 86 144 3.25. FileData Class . . . . . . . . . . . . . . . . . . . . . 87 145 3.25.1. File Class . . . . . . . . . . . . . . . . . . . . . 88 146 3.26. HashData Class . . . . . . . . . . . . . . . . . . . . . 89 147 3.26.1. Hash Class . . . . . . . . . . . . . . . . . . . . . 91 148 3.26.2. FuzzyHash Class . . . . . . . . . . . . . . . . . . 91 149 3.27. SignatureData Class . . . . . . . . . . . . . . . . . . . 92 150 3.28. IndicatorData Class . . . . . . . . . . . . . . . . . . . 93 151 3.29. Indicator Class . . . . . . . . . . . . . . . . . . . . . 93 152 3.29.1. IndicatorID Class . . . . . . . . . . . . . . . . . 96 153 3.29.2. AlternativeIndicatorID Class . . . . . . . . . . . . 96 154 3.29.3. Observable Class . . . . . . . . . . . . . . . . . . 97 155 3.29.4. IndicatorExpression Class . . . . . . . . . . . . . 103 156 3.29.5. Expressions with IndicatorExpression . . . . . . . . 105 157 3.29.6. ObservableReference Class . . . . . . . . . . . . . 106 158 3.29.7. IndicatorReference Class . . . . . . . . . . . . . . 107 159 3.29.8. AttackPhase Class . . . . . . . . . . . . . . . . . 108 160 4. Processing Considerations . . . . . . . . . . . . . . . . . . 108 161 4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 109 162 4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 109 163 4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 109 164 4.4. Incompatibilities with v1 . . . . . . . . . . . . . . . . 110 165 5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 111 166 5.1. Extending the Enumerated Values of Attributes . . . . . . 111 167 5.1.1. Private Extension of Enumerated Values . . . . . . . 111 168 5.1.2. Public Extension of Enumerated Values . . . . . . . . 112 169 5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 112 170 5.3. Deconflicting Private Extensions . . . . . . . . . . . . 114 171 6. Internationalization Issues . . . . . . . . . . . . . . . . . 115 172 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 116 173 7.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 116 174 7.2. Indicators from a Campaign . . . . . . . . . . . . . . . 116 175 8. The IODEF Data Model (XML Schema) . . . . . . . . . . . . . . 118 176 9. Security Considerations . . . . . . . . . . . . . . . . . . . 157 177 9.1. Security . . . . . . . . . . . . . . . . . . . . . . . . 157 178 9.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 158 179 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 159 180 10.1. Namespace and Schema . . . . . . . . . . . . . . . . . . 159 181 10.2. Enumerated Value Registries . . . . . . . . . . . . . . 160 182 10.3. Expert Review of IODEF-Related XML Registry Entries . . 163 183 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 163 184 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 163 185 12.1. Normative References . . . . . . . . . . . . . . . . . . 163 186 12.2. Informative References . . . . . . . . . . . . . . . . . 166 187 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 167 189 1. Introduction 191 Organizations require help from other parties to mitigate malicious 192 activity targeting their network and to gain insight into potential 193 threats. This coordination might entail working with an ISP to 194 filter attack traffic, contacting a remote site to take down a 195 botnet, or sharing watch-lists of known malicious indicators in a 196 consortium. 198 The Incident Object Description Exchange Format (IODEF) is a format 199 for representing computer security information commonly exchanged 200 between Computer Security Incident Response Teams (CSIRTs) or other 201 operational security teams. It provides an XML representation for 202 conveying: 204 o indicators to characterize a threat; 206 o security incident reports to document attacks against an 207 organization; 209 o response activity taken or that could be taken in response to an 210 incident; and 212 o meta-data so that these various classes of information can be 213 exchanged among parties. 215 The purpose of the IODEF is to enhance the operational capabilities 216 of CSIRTs. Adoption of the IODEF will improve the ability of a CSIRT 217 to resolve security incidents; understand threats; and coordinate 218 response activities and proactive mitigations by simplifying 219 collaboration and data sharing with its partners. This structured 220 format provided by the IODEF allows for: 222 o machine-to-machine exchange of incident and indicator data; 224 o automated processing of this data whereby allowing more rapid 225 execution of appropriate courses of action; and 227 o the development of an ecosystem of interoperable tools enabling 228 security operations. 230 Sharing and coordinating with other organizations is not strictly a 231 technical problem. There are numerous procedural, cultural, legal 232 and trust-related barriers to overcome. The IODEF does not attempt 233 to address them directly. However, operational implementations of 234 the IODEF will need to consider these challenges. 236 Section 1 provides the background for the IODEF. Sections 3 and 8 237 specify the IODEF information and data model respectively. The data 238 types used in this document are described in Section 2. Processing 239 considerations, extending the specification, internationalization and 240 security issues are covered in Sections 4, 5, 6 and 9 respectively. 241 Examples are listed in Section 7. 243 1.1. Terminology 245 The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," 246 "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this 247 document are to be interpreted as described in [RFC2119]. 249 1.2. Notations 251 The IODEF is specified as an Extensible Markup Language (XML) 252 [W3C.XML] Schema [W3C.SCHEMA]. The normative IODEF data model is 253 found in the XML schema in Section 8. To aid in the understanding of 254 the data elements, Section 3 also depicts the underlying information 255 model using Unified Modeling Language (UML). This abstract 256 presentation of the IODEF is not normative. 258 For clarity in this document, the term "XML document" will be used 259 when referring generically to any instance of an XML document. The 260 term "IODEF document" will be used to refer to an XML document 261 conforming to the IODEF specification. The terms "schema" will be 262 used to refer to Section 8 of this document. The terms "data model" 263 and "schema" will be used interchangeably. The terms "class" and 264 "element" will be used to reference either the corresponding data 265 element in the UML-based information or XML Schema-based data models, 266 respectively. 268 1.3. About the IODEF Data Model 270 A number of considerations were made in the design of the IODEF data 271 model. 273 o The data model found in this document is an evolution of the one 274 previously specified in [RFC5070]. New fields were added to 275 represent additional information. [RFC5070] was developed 276 primarily to represent incident reports. This document builds 277 upon it by adding support for indicators and revising it to 278 reflect the current challenges faced by CSIRTs. An attempt was 279 made to preserve backward compatibility but this was not possible 280 in all cases. See Section 4.4. This document obsoletes 281 [RFC5070]. 283 o The IODEF is a transport format. Therefore, the data model may 284 not be the optimal archival or in-memory processing format. 286 o The IODEF is intended to be a framework to convey only commonly 287 exchanged information. It ensures that there are mechanisms for 288 extensibility to support organization-specific information and 289 techniques to reference information kept outside of the data 290 model. 292 o Not all commonly exchanged information has a well-defined format 293 or taxonomy. The IODEF attempts to strike a balance between 294 enforcing sufficient structure to allow automated processing and 295 supporting free-form content that enables maximum flexibility. 297 o The IODEF fits into a broader ecosystem of standards and 298 conventions. An attempt was made to harmonize the data model with 299 this context. 301 1.4. Changelog 303 A detailed list of additions made to the [RFC5070] data model are 304 enumerated in this section. See Section 4.4 for a list of 305 incompatible changes. 307 o Updated the data types (Section 2) to improve 308 internationalization, clarify ambiguity, and ensure consistency in 309 extensions. 311 o Added the observable-id attribute (Section 3.3.2) and 312 IndicatorData (Section 3.28) class (Section 3.28) to represent 313 indicators. 315 o Added the private-enum-name and -id attributes to the IODEF- 316 Document class (Section 3.1) to disambiguate private extensions. 318 o Updated the Incident class (Section 3.2) to represent additional 319 timing and workflow information. 321 o Added the ThreatActor (Section 3.7) and Campaign (Section 3.8) 322 classes to represent attack attribution information. 324 o Updated the Contact class (Section 3.9) and its children to 325 improve internationalization and represent additional information 326 about an entity. 328 o Updated the Method class (Section 3.11) to improve extensibility 329 through externally referenced resources. 331 o Added the Discovery class (Section 3.10) to describe how an 332 incident was discovered. 334 o Updated the Assessment class (Section 3.12) to enable more 335 descriptive characterizations of the impact of an incident. 337 o Updated the HistoryItem (Section 3.13.1) and Expectation 338 (Section 3.15) classes to support a reference to a course of 339 action. 341 o Updated the EventData class (Section 3.14) with additional meta- 342 data added to the Incident class. 344 o Updated the System (Section 3.17) class with additional meta-data. 346 o Updated the Counter class (Section 3.18.3) to support additional 347 rate metrics. 349 o Added the DomainData (Section 3.19), EmailData (Section 3.21), 350 WindowsRegistryKeysModified (Section 3.23), CertificateData 351 (Section 3.24) and FileData (Section 3.25) to improve the 352 description of an incident and support this data as indicators. 354 o Added the SignatureData (Section 3.27) and HashData classes 355 (Section 3.26) to represent digital signatures and hashes. 357 o Added support for public enumerated attribute extensions using 358 IANA registries (Section 5.1.2). 360 o Updated numerous enumerated attributes for completeness. 362 2. IODEF Data Types 364 The IODEF uses a number of simple and complex types. This section 365 describes these data types. 367 2.1. Integers 369 An integer is represented in the information model by the INTEGER 370 data type. Integer data MUST be encoded in Base 10. 372 The INTEGER data type is implemented in the data model as a 373 "xs:integer" type per Section 3.3.13 of [W3C.SCHEMA.DTYPES]. 375 2.2. Real Numbers 377 A real (floating-point) number is represented in the information 378 model by the REAL data type. Real data MUST be encoded in Base 10. 380 The REAL data type is implemented in the data model as a "xs:float" 381 type per Section 3.2.4 of [W3C.SCHEMA.DTYPES]. 383 2.3. Characters and Strings 385 A single character is represented in the information model by the 386 CHARACTER data type. A string is represented by the STRING data 387 type. Special characters MUST be encoded using entity references. 388 See Section 4.1. 390 The CHARACTER and STRING data types are implemented in the data model 391 as a "xs:string" type per Section 3.2.1 of [W3C.SCHEMA.DTYPES]. 393 2.4. Multilingual Strings 395 A string that needs to be represented in a human-readable language 396 different than the default encoding of the document is represented in 397 the information model by the ML_STRING data type. 399 The ML_STRING data type is implemented in the data model as the 400 "iodef:MLStringType" type. This type extends the "xs:string" to 401 include two attributes. 403 +------------------------+ 404 | iodef:MLStringType | 405 +------------------------+ 406 | xs:string | 407 | | 408 | ENUM xml:lang | 409 | STRING translation-id | 410 +------------------------+ 412 Figure 1: The iodef:MLStringType Type 414 The content of the class is a character string of type "xs:string" 415 whose language MAY be specified by the xml:lang attribute. 417 The attributes of the iodef:MLStringType type are: 419 xml:lang 420 Optional. ENUM. A language identifier per Section 2.12 of 421 [W3C.XML] whose values and format are described in [RFC5646]. The 422 interpretation of this code is described in Section 6. 424 translation-id 425 Optional. STRING. An identifier to relate other instances of 426 this class with the same parent as translations of this text. The 427 scope of this identifier is limited to all of the direct, peer 428 child classes of a given parent class. 430 Using this class enables representing translations of the same text 431 in multiple languages. Each translation is a distinct instance of 432 this class with a common parent. A group of classes each with a 433 translated instance of text is related by setting a common identifier 434 in the translation-id attribute. The language of a given class is 435 set by the xml:lang attribute. See Section 6 for more details on 436 representing translations of free-form text. 438 2.5. Binary Strings 440 Binary octets can be represented with two encodings. 442 2.5.1. Base64 Bytes 444 A binary octet encoded with Base64 is represented in the information 445 model by the BYTE data type. A sequence of these octets is of the 446 BYTE[] data type. 448 The BYTE and BYTE[] data types are implemented in the data model as a 449 "xs:base64Binary" type per Section 3.2.16 of [W3C.SCHEMA.DTYPES]. 451 2.5.2. Hexadecimal Bytes 453 A binary octet encoded as a character tuple consistent of two 454 hexadecimal digits is represented in the information model by the 455 HEXBIN data type. A sequence of these octets is of the HEXBIN[] data 456 type. 458 The HEXBIN and HEXBIN[] data types are implemented in the data model 459 as a "xs:hexBinary" type per Section 3.2.15 of [W3C.SCHEMA.DTYPES]. 461 2.6. Enumerated Types 463 An enumerated type is represented in the information model by the 464 ENUM data type. It is an ordered list of acceptable string values. 465 Each value has a representative keyword. Within the data model, the 466 enumerated type keywords are used as attribute values. 468 The ENUM data type is implemented in the data model as values of a 469 "xs:NMTOKEN" type per Section 3.3.4 of [W3C.SCHEMA.DTYPES]. 471 2.7. Date-Time String 473 A date-time strings that describes a particular instant in time is 474 represented in the information model by the DATETIME data type. 475 Ranges are not supported. 477 The DATETIME data type is implemented in the data model as a 478 "xs:dateTime" type per Section 3.2.7 of [W3C.SCHEMA.DTYPES]. 480 2.8. Timezone String 482 A timezone offset from UTC is represented in the information model by 483 the TIMEZONE data type. It is formatted according to the following 484 regular expression: "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]". 486 The TIMEZONE data type is implemented in the data model as an 487 "iodef:TimezoneType" type. 489 2.9. Port Lists 491 A list of network ports is represented in the information model by 492 the PORTLIST data type. A PORTLIST consists of a comma-separated 493 list of numbers and ranges (N-M means ports N through M, inclusive). 494 It is formatted according to the following regular expression: 495 "\d+(\-\d+)?(,\d+(\-\d+)?)*". For example, 496 "2,5-15,30,32,40-50,55-60". 498 The PORTLIST data type is implemented in the data model as an 499 "iodef:PortlistType" type. 501 2.10. Postal Address 503 A postal address is represented in the information model by the 504 POSTAL data type. The format of the POSTAL data type is documented 505 in Section 2.23 of [RFC4519] as a free-form multi-line string 506 separated by the "$" character. 508 The POSTAL data type is implemented in the data model as an 509 "iodef:MLStringType" type. 511 2.11. Telephone Number 513 A telephone number is represented in the information model by the 514 PHONE data type. The format of the PHONE data type is documented in 515 [E.164]. 517 The PHONE data type is implemented in the data model as a "xs:string" 518 type per Section 3.2.1 of [W3C.SCHEMA.DTYPES]. 520 2.12. Email String 522 An email address is represented in the information model by the EMAIL 523 data type. The format of the EMAIL data type is documented in 524 Section 3.4.1 of [RFC5322] and Section 3.3 of [RFC6531]. 526 The EMAIL data type is implemented in the data model as a "xs:string" 527 type per Section 3.2.1 of [W3C.SCHEMA.DTYPES]. 529 2.13. Uniform Resource Locator strings 531 A uniform resource locator (URL) is represented in the information 532 model by the URL data type. The format of the URL data type is 533 documented in [RFC3986]. 535 The URL data type is implemented as a "xs:anyURI" type per 536 Section 3.2.17 of [W3C.SCHEMA.DTYPES]. 538 2.14. Identifiers and Identifier References 540 An identifier unique to the IODEF document is represented in the 541 information model by the ID data type. A reference to this 542 identifier is represented by the IDREF data type. 544 The ID and IDREF data types are implemented in the model as "xs:ID" 545 and "xs:IDREF" types per Sections 3.3.8 and 3.3.9 of 546 [W3C.SCHEMA.DTYPES]. 548 2.15. Software 550 A particular version of software is represented in the information 551 model by the SOFTWARE data type. This software can be described by 552 using a reference, a URL or with free-form text. 554 The SOFTWARE data type is implemented in the data model as the 555 "iodef:SoftwareType" type. 557 +--------------------+ 558 | iodef:SoftwareType | 559 +--------------------+ 560 | |<>--{0..1}--[ SoftwareReference ] 561 | |<>--{0..*}--[ URL ] 562 | |<>--{0..*}--[ Description ] 563 +--------------------+ 565 Figure 2: The SoftwareType Type 567 The aggregate classes of the SoftwareType type are: 569 SoftwareReference 570 Zero or one. Reference to a software application. See 571 Section 2.15.1. 573 URL 574 Zero or more. URL. A URL to a resource describing the software. 576 Description 577 Zero or more. ML_STRING. A free-form text description of the 578 software. 580 At least one of these classes MUST be present. 582 The iodef:SoftwareType type has no attributes. 584 2.15.1. SoftwareReference Class 586 The SoftwareReference class is a reference to a particular version of 587 software. 589 +----------------------+ 590 | SoftwareReference | 591 +----------------------+ 592 | xs:any | 593 | | 594 | ENUM spec-name | 595 | STRING ext-spec-name | 596 | ENUM dtype | 597 | STRING ext-dtype | 598 +----------------------+ 600 Figure 3: The SoftwareReference Class 602 The element content varies according to the value of the spec-name 603 attribute. It is defined in the data model as "xs:any" per 604 [W3C.SCHEMA]. 606 The attributes of the SoftwareReference class are: 608 spec-name 609 Required. ENUM. Identifies the format and semantics of the 610 element body of this class. Formal standards and specifications 611 can be referenced as well as a free-form text description with a 612 user-provided data type. These values are maintained in the 613 "SoftwareReference-spec-id" IANA registry per Section 10.2 614 1. custom. The element content is free-form and of the data type 615 specified by the dtype attribute. If this value is selected, 616 then the dtype attribute MUST be set. 618 2. cpe. The element content describes a Common Platform 619 Enumeration (CPE) entry per [NIST.CPE]. 621 3. swid. The element content describes a software identification 622 (SWID) tag per [ISO19770]. 624 4. ext-value. A value used to indicate that this attribute is 625 extended and the actual value is provided using the 626 corresponding ext-* attribute. See Section 5.1.1. 628 ext-spec-name 629 Optional. STRING. A means by which to extend the spec-name 630 attribute. See Section 5.1.1. 632 dtype 633 Optional. ENUM. The data type of the element content. The 634 permitted values for this attribute are shown below. The default 635 value is "string". These values are maintained in the 636 "SoftwareReference-dtype" IANA registry per Section 10.2. 638 1. bytes. The element content is of type HEXBIN. 640 2. integer. The element content is of type INTEGER. 642 3. real. The element content is of type REAL. 644 4. string. The element content is of type STRING. 646 5. xml. The element content is XML. See Section 5.2. 648 6. ext-value. A value used to indicate that this attribute is 649 extended and the actual value is provided using the 650 corresponding ext-* attribute. See Section 5.1.1. 652 ext-dtype 653 Optional. STRING. A means by which to extend the dtype 654 attribute. See Section 5.1.1. 656 2.16. Extension 658 Information not otherwise represented in the IODEF can be added using 659 the EXTENSION data type. This data type is a generic extension 660 mechanism. 662 The EXTENSION data type is implemented in the data model as the 663 "iodef:ExtensionType" type. 665 The data type of an EXTENSION is described by the dtype attribute. 666 For simple information, atomic data types (e.g., integers, strings) 667 are supported. Their semantics are further described by the meaning 668 and formatid attributes. Encapsulating XML documents conforming to 669 another schema is also supported. A detailed discussion of extending 670 the schema can be found in Section 5. Additional coordination may be 671 required to ensure that a recipient of a document using this type can 672 parse and process it. 674 +------------------------+ 675 | iodef:ExtensionType | 676 +------------------------+ 677 | xs:any | 678 | | 679 | STRING name | 680 | ENUM dtype | 681 | STRING ext-dtype | 682 | STRING meaning | 683 | STRING formatid | 684 | ENUM restriction | 685 | STRING ext-restriction | 686 | ID observable-id | 687 +------------------------+ 689 Figure 4: The iodef:ExtensionType Type 691 The element content of this type is the extension being added to the 692 data model. This content is defined in the data model as "xs:any" 693 per [W3C.SCHEMA]. 695 The attributes of the iodef:ExtensionType type are: 697 name 698 Optional. STRING. A free-form name of the field or data element. 700 dtype 701 Required. ENUM. The data type of the element content. The 702 default value is "string". These values are maintained in the 703 "ExtensionType-dtype" IANA registry per Section 10.2. 705 1. boolean. The element content is of type BOOLEAN. 707 2. byte. The element content is of type BYTE. 709 3. bytes. The element content is of type HEXBIN. 711 4. character. The element content is of type CHARACTER. 713 5. date-time. The element content is of type DATETIME. 715 6. ntpstamp. Same as date-time. 717 7. integer. The element content is of type INTEGER. 719 8. portlist. The element content is of type PORTLIST. 721 9. real. The element content is of type REAL. 723 10. string. The element content is of type STRING. 725 11. file. The element content is a base64 encoded binary file 726 encoded as a BYTE[] type. 728 12. path. The element content is a file-system path encoded as a 729 STRING type. 731 13. frame. The element content is a layer-2 frame encoded as a 732 HEXBIN type. 734 14. packet. The element content is a layer-3 packet encoded as a 735 HEXBIN type. 737 15. ipv4-packet. The element content is an IPv4 packet encoded 738 as a HEXBIN type. 740 16. ipv6-packet. The element content is an IPv6 packet encoded 741 as a HEXBIN type. 743 17. url. The element content is of type URL. 745 18. csv. The element content is a common separated value (CSV) 746 list per Section 2 of [RFC4180] encoded as a STRING type. 748 19. winreg. The element content is a Windows registry key 749 encoded as a STRING type. 751 20. xml. The element content is XML. See Section 5. 753 21. ext-value. A value used to indicate that this attribute is 754 extended and the actual value is provided using the 755 corresponding ext-* attribute. See Section 5.1.1. 757 ext-dtype 758 Optional. STRING. A means by which to extend the dtype 759 attribute. See Section 5.1.1. 761 meaning 762 Optional. STRING. A free-form text description of the element 763 content. 765 formatid 766 Optional. STRING. An identifier referencing the format or 767 semantics of the element content. 769 restriction 770 Optional. ENUM. See Section 3.3.1. 772 ext-restriction 773 Optional. STRING. A means by which to extend the restriction 774 attribute. See Section 5.1.1. 776 observable-id 777 Optional. ID. See Section 3.3.2. 779 3. The IODEF Information Model 781 The specifics of the IODEF information model are discussed in this 782 section. Each class and its relationships with the other classes is 783 described. When necessary, clarifications are made about translating 784 this information model to the schema in Section 8. 786 3.1. IODEF-Document Class 788 The IODEF-Document class is the top level class in the IODEF data 789 model. All IODEF documents are an instance of this class. 791 +--------------------------+ 792 | IODEF-Document | 793 +--------------------------+ 794 | STRING version |<>--{1..*}--[ Incident ] 795 | ENUM xml:lang |<>--{0..*}--[ AdditionalData ] 796 | STRING format-id | 797 | STRING private-enum-name | 798 | STRING private-enum-id | 799 +--------------------------+ 801 Figure 5: IODEF-Document Class 803 The aggregate classes of the IODEF-Document class are: 805 Incident 806 One or more. The information related to a single incident. See 807 Section 3.2. 809 AdditionalData 810 Zero or more. EXTENSION. Mechanism by which to extend the data 811 model. 813 The attributes of the IODEF-Document class are: 815 version 816 Required. STRING. The IODEF specification version number to 817 which this IODEF document conforms. The value of this attribute 818 MUST be "2.00" 820 xml:lang 821 Optional. ENUM. A language identifier per Section 2.12 of 822 [W3C.XML] whose values and form are described in [RFC5646]. The 823 interpretation of this code is described in Section 6. 825 format-id 826 Optional. STRING. A free-form string to convey processing 827 instructions to the recipient of the document. Its semantics must 828 be negotiated out-of-band. 830 private-enum-name 831 Optional. STRING. A globally unique identifier for the CSIRT 832 generating the document to deconflict private extensions used in 833 the document. The fully qualified domain name associated with the 834 CSIRT MUST be used as the identifier. See Section 5.3. 836 private-enum-id 837 Optional. STRING. An organizationally unique identifier for an 838 extension used in the document. If this attribute is set, the 839 private-enum-name MUST also be set. See Section 5.3. 841 3.2. Incident Class 843 The Incident class describes commonly exchanged information when 844 reporting or sharing derived analysis from security incidents. 846 +-------------------------+ 847 | Incident | 848 +-------------------------+ 849 | ENUM purpose |<>----------[ IncidentID ] 850 | STRING ext-purpose |<>--{0..1}--[ AlternativeID ] 851 | ENUM status |<>--{0..*}--[ RelatedActivity ] 852 | STRING ext-status |<>--{0..1}--[ DetectTime ] 853 | ENUM xml:lang |<>--{0..1}--[ StartTime ] 854 | ENUM restriction |<>--{0..1}--[ EndTime ] 855 | STRING ext-restriction |<>--{0..1}--{ RecoveryTime ] 856 | ID observable-id |<>--{0..1}--[ ReportTime ] 857 | |<>----------[ GenerationTime ] 858 | |<>--{0..*}--[ Description ] 859 | |<>--{0..*} [ Discovery ] 860 | |<>--{0..*}--[ Assessment ] 861 | |<>--{0..*}--[ Method ] 862 | |<>--{1..*}--[ Contact ] 863 | |<>--{0..*}--[ EventData ] 864 | |<>--{0..1}--[ IndicatorData ] 865 | |<>--{0..1}--[ History ] 866 | |<>--{0..*}--[ AdditionalData ] 867 +-------------------------+ 869 Figure 6: The Incident Class 871 The aggregate classes of the Incident class are: 873 IncidentID 874 One. An incident tracking number assigned to this incident by the 875 CSIRT that generated the IODEF document. See Section 3.4. 877 AlternativeID 878 Zero or one. The incident tracking numbers used by other CSIRTs 879 to refer to the incident described in the document. See 880 Section 3.5. 882 RelatedActivity 883 Zero or more. Related activity and attribution of this activity. 884 See Section 3.6. 886 DetectTime 887 Zero or one. DATETIME. The time the incident was first detected. 889 StartTime 890 Zero or one. DATETIME. The time the incident started. 892 EndTime 893 Zero or one. DATETIME. The time the incident ended. 895 RecoveryTime 896 Zero or one. DATETIME. The time the site recovered from the 897 incident. 899 ReportTime 900 Zero or one. DATETIME. The time the incident was reported. 902 GenerationTime 903 One. DATETIME. The time the content in this Incident class was 904 generated. 906 Description 907 Zero or more. ML_STRING. A free-form text description of the 908 incident. 910 Discovery 911 Zero or more. The means by which this incident was detected. See 912 Section 3.10. 914 Assessment 915 Zero or more. A characterization of the impact of the incident. 916 See Section 3.12. 918 Method 919 Zero or more. The techniques used by the threat actor in the 920 incident. See Section 3.11. 922 Contact 923 One or more. Contact information for the parties involved in the 924 incident. See Section 3.9. 926 EventData 927 Zero or more. Description of the events comprising the incident. 928 See Section 3.14. 930 IndicatorData 931 Zero or one. Indicators from the analysis of an incident. See 932 Section 3.28. 934 History 935 Zero or one. A log of significant events or actions that occurred 936 during the course of handling the incident. See Section 3.13. 938 AdditionalData 939 Zero or more. EXTENSION. Mechanism by which to extend the data 940 model. 942 The attributes of the Incident class are: 944 purpose 945 Required. ENUM. The purpose attribute represents describes the 946 rational for document the information in this class. It is 947 closely related to the Expectation class (Section 3.15). These 948 values are maintained in the "Incident-purpose" IANA registry per 949 Section 10.2. This attribute is defined as an enumerated list: 951 1. traceback. The Incident was sent for trace-back purposes. 953 2. mitigation. The Incident was sent to request aid in 954 mitigating the described activity. 956 3. reporting. The Incident was sent to comply with reporting 957 requirements. 959 4. watch. The Incident was sent to convey indicators that should 960 be monitored. 962 5. other. The Incident was sent for purposes specified in the 963 Expectation class. 965 6. ext-value. A value used to indicate that this attribute is 966 extended and the actual value is provided using the 967 corresponding ext-* attribute. See Section 5.1.1. 969 ext-purpose 970 Optional. STRING. A means by which to extend the purpose 971 attribute. See Section 5.1.1. 973 status 974 Optional. ENUM. The status attribute conveys the state in a 975 workflow where the incident is currently found. These values are 976 maintained in the "Incident-status" IANA registry per 977 Section 10.2. This attribute is defined as an enumerated list: 979 1. new. The Incident is newly reported and has not been 980 actioned. 982 2. in-progress. The contents of this Incident are under 983 investigation. 985 3. forwarded. The Incident has been forwarded to another party 986 for handling. 988 4. resolved. The investigation into the activity in this 989 Incident has concluded. 991 5. future. The described activity has not yet been detected. 993 6. ext-value. A value used to indicate that this attribute is 994 extended and the actual value is provided using the 995 corresponding ext-* attribute. See Section 5.1.1. 997 ext-status 998 Optional. STRING. A means by which to extend the status 999 attribute. See Section 5.1.1. 1001 xml:lang 1002 Optional. ENUM. A language identifier per Section 2.12 of 1003 [W3C.XML] whose values and form are described in [RFC5646]. The 1004 interpretation of this code is described in Section 6. 1006 restriction 1007 Optional. ENUM. See Section 3.3.1. The default value is 1008 "private". 1010 ext-restriction 1011 Optional. STRING. A means by which to extend the restriction 1012 attribute. See Section 5.1.1. 1014 observable-id 1015 Optional. ID. See Section 3.3.2. 1017 3.3. Common Attributes 1019 There are a number of recurring attributes used in the information 1020 model. They are documented in this section. 1022 3.3.1. restriction Attribute 1024 The restriction attribute indicates the disclosure guidelines to 1025 which the sender expects the recipient to adhere for the information 1026 represented in this class and its children. This guideline provides 1027 no security since there are no technical means to ensure that the 1028 recipient of the document handles the information as the sender 1029 requested. 1031 The value of this attribute is logically inherited by the children of 1032 this class. That is to say, the disclosure rules applied to this 1033 class, also apply to its children. 1035 It is possible to set a granular disclosure policy, since all of the 1036 high-level classes (i.e., children of the Incident class) have a 1037 restriction attribute. Therefore, a child can override the 1038 guidelines of a parent class, be it to restrict or relax the 1039 disclosure rules (e.g., a child has a weaker policy than an ancestor; 1040 or an ancestor has a weak policy, and the children selectively apply 1041 more rigid controls). The implicit value of the restriction 1042 attribute for a class that did not specify one can be found in the 1043 closest ancestor that did specify a value. 1045 This attribute is defined as an enumerated value with a default value 1046 of "private". Note that the default value of the restriction 1047 attribute is only defined in the context of the Incident class. In 1048 other classes where this attribute is used, no default is specified. 1050 These values are maintained in the "Restriction" IANA registry per 1051 Section 10.2. 1053 1. public. The information can be freely distributed without 1054 restriction. 1056 2. partner. The information may be shared within a closed 1057 community of peers, partners, or affected parties, but cannot be 1058 openly published. 1060 3. need-to-know. The information may be shared only within the 1061 organization with individuals that have a need to know. 1063 4. private. The information may not be shared. 1065 5. default. The information can be shared according to an 1066 information disclosure policy pre-arranged by the communicating 1067 parties. 1069 6. white. Same as 'public'. 1071 7. green. Same as 'partner'. 1073 8. amber. Same as 'need-to-know'. 1075 9. red. Same as 'private'. 1077 10. ext-value. A value used to indicate that this attribute is 1078 extended and the actual value is provided using the 1079 corresponding ext-* attribute. See Section 5.1.1. 1081 3.3.2. observable-id Attribute 1083 The observable-id attribute tags information in the document as an 1084 observable so that it can be referenced later in the description of 1085 an indicator. The value of this attribute is a unique identifier in 1086 the scope of the document. It is used by the ObservableReference 1087 class to enumerate observables when defining an indicator with the 1088 IndicatorData class. 1090 3.4. IncidentID Class 1092 The IncidentID class represents a tracking number that is unique in 1093 the context of the CSIRT. It serves as an identifier for an incident 1094 or a document identifier when sharing indicators. This identifier 1095 would serve as an index into a CSIRT's incident handling or knowledge 1096 management system. 1098 The combination of the name attribute and the string in the element 1099 content MUST be a globally unique identifier describing the activity. 1100 Documents generated by a given CSIRT MUST NOT reuse the same value 1101 unless they are referencing the same incident. 1103 +------------------------+ 1104 | IncidentID | 1105 +------------------------+ 1106 | STRING | 1107 | | 1108 | STRING name | 1109 | STRING instance | 1110 | ENUM restriction | 1111 | STRING ext-restriction | 1112 +------------------------+ 1114 Figure 7: The IncidentID Class 1116 The content of the class is an incident identifier of type STRING. 1118 The attributes of the IncidentID class are: 1120 name 1121 Required. STRING. An identifier describing the CSIRT that 1122 created the document. In order to have a globally unique CSIRT 1123 name, the fully qualified domain name associated with the CSIRT 1124 MUST be used. 1126 instance 1127 Optional. STRING. An identifier referencing a subset of the 1128 named incident. 1130 restriction 1131 Optional. ENUM. See Section 3.3.1. 1133 ext-restriction 1134 Optional. STRING. A means by which to extend the restriction 1135 attribute. See Section 5.1.1. 1137 3.5. AlternativeID Class 1139 The AlternativeID class lists the tracking numbers used by CSIRTs, 1140 other than the one generating the document, to refer to the identical 1141 activity described in the IODEF document. A tracking number listed 1142 as an AlternativeID references the same incident detected by another 1143 CSIRT. The tracking numbers of the CSIRT that generated the IODEF 1144 document must never be considered an AlternativeID. 1146 +------------------------+ 1147 | AlternativeID | 1148 +------------------------+ 1149 | ENUM restriction |<>--{1..*}--[ IncidentID ] 1150 | STRING ext-restriction | 1151 +------------------------+ 1153 Figure 8: The AlternativeID Class 1155 The aggregate class of the AlternativeID class is: 1157 IncidentID 1158 One or more. The tracking number of another CSIRT. See 1159 Section 3.4. 1161 The attributes of the AlternativeID class are: 1163 restriction 1164 Optional. ENUM. See Section 3.3.1. 1166 ext-restriction 1167 Optional. STRING. A means by which to extend the restriction 1168 attribute. See Section 5.1.1. 1170 3.6. RelatedActivity Class 1172 The RelatedActivity class relates the information described in the 1173 rest of the document to previously observed incidents or activity; 1174 and allows attribution to a specific actor or campaign. 1176 +------------------------+ 1177 | RelatedActivity | 1178 +------------------------+ 1179 | ENUM restriction |<>--{0..*}--[ IncidentID ] 1180 | STRING ext-restriction |<>--{0..*}--[ URL ] 1181 | |<>--{0..*}--[ ThreatActor ] 1182 | |<>--{0..*}--[ Campaign ] 1183 | |<>--{0..*}--[ IndicatorID ] 1184 | |<>--{0..1}--[ Confidence ] 1185 | |<>--{0..*}--[ Description ] 1186 | |<>--{0..*}--[ AdditionalData ] 1187 +------------------------+ 1189 Figure 9: RelatedActivity Class 1191 The aggregate classes of the RelatedActivity class are: 1193 IncidentID 1194 Zero or more. The tracking number of a related incident. See 1195 Section 3.4. 1197 URL 1198 Zero or more. URL. A URL to activity related to this incident. 1200 ThreatActor 1201 Zero or more. The threat actor to whom the incident activity is 1202 attributed. See Section 3.7. 1204 Campaign 1205 Zero or more. The campaign of a given threat actor to whom the 1206 described activity is attributed. See Section 3.8. 1208 IndicatorID 1209 Zero or more. A reference to a related indicator. See 1210 Section 3.4. 1212 Confidence 1213 Zero or one. An estimate of the confidence in attributing this 1214 RelatedActivity to the events described in the document. See 1215 Section 3.12.5. 1217 Description 1218 Zero or more. ML_STRING. A description of how these 1219 relationships were derived. 1221 AdditionalData 1222 Zero or more. EXTENSION. A mechanism by which to extend the data 1223 model. 1225 The RelatedActivity class MUST have at least one instance of any of 1226 the following child classes: IncidentID, URL, ThreatActor, Campaign, 1227 Description or AdditionalData. 1229 The attributes of the RelatedActivity class are: 1231 restriction 1232 Optional. ENUM. See Section 3.3.1. 1234 ext-restriction 1235 Optional. STRING. A means by which to extend the restriction 1236 attribute. See Section 5.1.1. 1238 3.7. ThreatActor Class 1240 The ThreatActor class describes a threat actor. 1242 +------------------------+ 1243 | ThreatActor | 1244 +------------------------+ 1245 | ENUM restriction |<>--{0..*}--[ ThreatActorID ] 1246 | STRING ext-restriction |<>--{0..*}--[ URL ] 1247 | |<>--{0..*}--[ Description ] 1248 | |<>--{0..*}--[ AdditionalData ] 1249 +------------------------+ 1251 Figure 10: ThreatActor Class 1253 The aggregate classes of the ThreatActor class are: 1255 ThreatActorID 1256 Zero or more. STRING. An identifier for the threat actor. 1258 URL 1259 Zero or more. URL. A URL to a reference describing the threat 1260 actor. 1262 Description 1263 Zero or more. ML_STRING. A description of the threat actor. 1265 AdditionalData 1266 Zero or more. EXTENSION. A mechanism by which to extend the data 1267 model. 1269 The ThreatActor class MUST have at least one instance of a child 1270 class. 1272 The attributes of the ThreatActor class are: 1274 restriction 1275 Optional. ENUM. See Section 3.3.1. 1277 ext-restriction 1278 Optional. STRING. A means by which to extend the restriction 1279 attribute. See Section 5.1.1. 1281 3.8. Campaign Class 1283 The Campaign class describes a campaign of attacks by a threat actor. 1285 +------------------------+ 1286 | Campaign | 1287 +------------------------+ 1288 | ENUM restriction |<>--{0..*}--[ CampaignID ] 1289 | STRING ext-restriction |<>--{0..*}--[ URL ] 1290 | |<>--{0..*}--[ Description ] 1291 | |<>--{0..*}--[ AdditionalData ] 1292 +------------------------+ 1294 Figure 11: Campaign Class 1296 The aggregate classes of the Campaign class are: 1298 CampaignID 1299 Zero or more. STRING. An identifier for the campaign. 1301 URL 1302 Zero or more. URL. A URL to a reference describing the campaign. 1304 Description 1305 Zero or more. ML_STRING. A description of the campaign. 1307 AdditionalData 1308 Zero or more. EXTENSION. A mechanism by which to extend the data 1309 model. 1311 The Campaign class MUST have at least one instance of a child class. 1313 The attributes of the Campaign class are: 1315 restriction 1316 Optional. ENUM. See Section 3.3.1. 1318 ext-restriction 1319 Optional. STRING. A means by which to extend the restriction 1320 attribute. See Section 5.1.1. 1322 3.9. Contact Class 1324 The Contact class describes contact information for organizations and 1325 personnel involved in the incident. This class allows for the naming 1326 of the involved party, specifying contact information for them, and 1327 identifying their role in the incident. 1329 People and organizations are treated interchangeably as contacts; one 1330 can be associated with the other using the recursive definition of 1331 the class (the Contact class is aggregated into the Contact class). 1332 The 'type' attribute disambiguates the type of contact information 1333 being provided. 1335 The recursive definition of Contact provides a way to relate 1336 information without requiring the explicit use of identifiers or 1337 duplication of data. A complete point of contact is derived by a 1338 particular traversal from the root Contact class to the leaf Contact 1339 class. Each child Contact class logically inherits contact 1340 information from its ancestors. 1342 +------------------------+ 1343 | Contact | 1344 +------------------------+ 1345 | ENUM role |<>--{0..*}--[ ContactName ] 1346 | STRING ext-role |<>--{0..*}--[ ContactTitle ] 1347 | ENUM type |<>--{0..*}--[ Description ] 1348 | STRING ext-type |<>--{0..*}--[ RegistryHandle ] 1349 | ENUM restriction |<>--{0..*}--[ PostalAddress ] 1350 | STRING ext-restriction |<>--{0..*}--[ Email ] 1351 | |<>--{0..*}--[ Telephone ] 1352 | |<>--{0..1}--[ Timezone ] 1353 | |<>--{0..*}--[ Contact ] 1354 | |<>--{0..*}--[ AdditionalData ] 1355 +------------------------+ 1357 Figure 12: The Contact Class 1359 The aggregate classes of the Contact class are: 1361 ContactName 1362 Zero or more. ML_STRING. The name of the contact. The contact 1363 may either be an organization or a person. The type attribute 1364 disambiguates the semantics. 1366 ContactTitle 1367 Zero or more. ML_STRING. The title for the individual named in 1368 the ContactName. 1370 Description 1371 Zero or more. ML_STRING. A free-form text description of the 1372 contact. 1374 RegistryHandle 1375 Zero or more. A handle name into the registry of the contact. 1376 See Section 3.9.1. 1378 PostalAddress 1379 Zero or more. The postal address of the contact. See 1380 Section 3.9.2. 1382 Email 1383 Zero or more. The email address of the contact. See 1384 Section 3.9.3. 1386 Telephone 1387 Zero or more. The telephone number of the contact. See 1388 Section 3.9.4. 1390 Timezone 1391 Zero or one. TIMEZONE. The timezone in which the contact 1392 resides. 1394 Contact 1395 Zero or more. A recursive definition of the Contact class. This 1396 definition can be used to group common data pertaining to multiple 1397 points of contact and is especially useful when listing multiple 1398 contacts at the same organization. 1400 AdditionalData 1401 Zero or more. EXTENSION. A mechanism by which to extend the data 1402 model. 1404 At least one of the aggregate classes MUST be present in an instance 1405 of the Contact class. 1407 The attributes of the Contact class are: 1409 role 1410 Required. ENUM. Indicates the role the contact fulfills. These 1411 values are maintained in the "Contact-role" IANA registry per 1412 Section 10.2. 1414 1. creator. The entity that generate the document. 1416 2. reporter. The entity that reported the information. 1418 3. admin. An administrative contact or business owner for an 1419 asset or organization. 1421 4. tech. An entity responsible for the day-to-day management of 1422 technical issues for an asset or organization. 1424 5. provider. An external hosting provider for an asset. 1426 6. user. An end-user of an asset or part of an organization. 1428 7. billing. An entity responsible for billing issues for an 1429 asset or organization. 1431 8. legal. An entity responsible for legal issue related to an 1432 asset or organization. 1434 9. irt. An entity responsible for handling security issues for 1435 an asset or organization. 1437 10. abuse. An entity responsible for handling abuse originating 1438 from an asset or organization. 1440 11. cc. An entity that is to be kept informed about the events 1441 related to an asset or organization. 1443 12. cc-irt. A CSIRT or information sharing organization 1444 coordinating activity related to an asset or organization. 1446 13. leo. A law enforcement organization supporting the 1447 investigation of activity affecting an asset or organization. 1449 14. vendor. The vendor that produces an asset. 1451 15. vendor-support. A vendor that provides services. 1453 16. victim. A victim in the incident. 1455 17. victim-notified. A victim in the incident who has been 1456 notified. 1458 18. ext-value. A value used to indicate that this attribute is 1459 extended and the actual value is provided using the 1460 corresponding ext-* attribute. See Section 5.1.1. 1462 ext-role 1463 Optional. STRING. A means by which to extend the role attribute. 1464 See Section 5.1.1. 1466 type 1467 Required. ENUM. Indicates the type of contact being described. 1468 This attribute is defined as an enumerated list. These values are 1469 maintained in the "Contact-type" IANA registry per Section 10.2. 1471 1. person. The information for this contact references an 1472 individual. 1474 2. organization. The information for this contact references an 1475 organization. 1477 3. ext-value. A value used to indicate that this attribute is 1478 extended and the actual value is provided using the 1479 corresponding ext-* attribute. See Section 5.1.1. 1481 ext-type 1482 Optional. STRING. A means by which to extend the type attribute. 1483 See Section 5.1.1. 1485 restriction 1486 Optional. ENUM. See Section 3.3.1. 1488 ext-restriction 1489 Optional. STRING. A means by which to extend the restriction 1490 attribute. See Section 5.1.1. 1492 3.9.1. RegistryHandle Class 1494 The RegistryHandle class represents a handle into an Internet 1495 registry or community-specific database. 1497 +---------------------+ 1498 | RegistryHandle | 1499 +---------------------+ 1500 | STRING | 1501 | | 1502 | ENUM registry | 1503 | STRING ext-registry | 1504 +---------------------+ 1506 Figure 13: The RegistryHandle Class 1508 The content of the class is a handle into a registry of type STRING. 1510 The attributes of the RegistryHandle class are: 1512 registry 1513 Required. ENUM. The database to which the handle belongs. These 1514 values are maintained in the "RegistryHandle-registry" IANA 1515 registry per Section 10.2. The possible values are: 1517 1. internic. Internet Network Information Center 1519 2. apnic. Asia Pacific Network Information Center 1521 3. arin. American Registry for Internet Numbers 1523 4. lacnic. Latin-American and Caribbean IP Address Registry 1525 5. ripe. Reseaux IP Europeens 1527 6. afrinic. African Internet Numbers Registry 1529 7. local. A database local to the CSIRT 1531 8. ext-value. A value used to indicate that this attribute is 1532 extended and the actual value is provided using the 1533 corresponding ext-* attribute. See Section 5.1.1. 1535 ext-registry 1536 Optional. STRING. A means by which to extend the registry 1537 attribute. See Section 5.1.1. 1539 3.9.2. PostalAddress Class 1541 The PostalAddress class specifies an postal address and associated 1542 annotation. 1544 +--------------------+ 1545 | PostalAddress | 1546 +--------------------+ 1547 | ENUM type |<>----------[ PAddress ] 1548 | STRING ext-type |<>--{0..*}--[ Description ] 1549 +--------------------+ 1551 Figure 14: The PostalAddress Class 1553 The aggregate classes of the PostalAddress class are: 1555 PAddress 1556 One. POSTAL. A postal address. 1558 Description 1559 Zero or more. ML_STRING. A free-form text description of the 1560 address. 1562 The attributes of the PostalAddress class are: 1564 type 1565 Optional. ENUM. Categorizes the type of address described in the 1566 PAddress class. These values are maintained in the 1567 "PostalAddress-type" IANA registry per Section 10.2. 1569 1. street. An address describing a physical location. 1571 2. mailing. An address to which correspondence should be sent. 1573 3. ext-value. A value used to indicate that this attribute is 1574 extended and the actual value is provided using the 1575 corresponding ext-* attribute. See Section 5.1.1. 1577 ext-type 1578 Optional. STRING. A means by which to extend the type attribute. 1579 See Section 5.1.1. 1581 3.9.3. Email Class 1583 The Email class specifies an email address and associated annotation. 1585 +--------------------+ 1586 | Email | 1587 +--------------------+ 1588 | ENUM type |<>----------[ EmailTo ] 1589 | STRING ext-type |<>--{0..*}--[ Description ] 1590 +--------------------+ 1592 Figure 15: The Email Class 1594 The aggregate classes of the Email class are: 1596 EmailTo 1597 One. EMAIL. An email address. 1599 Description 1600 Zero or more. ML_STRING. A free-form text description of the 1601 email address. 1603 The attributes of the Email class are: 1605 type 1606 Optional. ENUM. Categorizes the type of email address described 1607 in the EmailTo class. These values are maintained in the "Email- 1608 type" IANA registry per Section 10.2. 1610 1. direct. A email address of an individual. 1612 2. hotline. A email address regularly monitored for operational 1613 purposes. 1615 3. ext-value. A value used to indicate that this attribute is 1616 extended and the actual value is provided using the 1617 corresponding ext-* attribute. See Section 5.1.1. 1619 ext-type 1620 Optional. STRING. A means by which to extend the type attribute. 1621 See Section 5.1.1. 1623 3.9.4. Telephone Class 1625 The Telephone class describes a telephone number and associated 1626 annotation. 1628 +--------------------+ 1629 | Telephone | 1630 +--------------------+ 1631 | ENUM type |<>----------[ TelephoneNumber ] 1632 | STRING ext-type |<>--{0..*}--[ Description ] 1633 +--------------------+ 1635 Figure 16: The Telephone Class 1637 The aggregate classes of the Telephone class are: 1639 TelephoneNumber 1640 One. PHONE. A telephone number. 1642 Description 1643 Zero or more. ML_STRING. A free-form text description of the 1644 phone number. 1646 The attributes of the Telephone class are: 1648 type 1649 Optional. ENUM. Categorizes the type of telephone number 1650 described in the TelephoneNumber class. These values are 1651 maintained in the "Telephone-type" IANA registry per Section 10.2. 1653 1. wired. A number of a wire-line (land-line) phone. 1655 2. mobile. A number of a mobile phone. 1657 3. fax. A number to a fax machine. 1659 4. hotline. A number to a regularly monitored operational 1660 hotline. 1662 5. ext-value. A value used to indicate that this attribute is 1663 extended and the actual value is provided using the 1664 corresponding ext-* attribute. See Section 5.1.1. 1666 ext-type 1667 Optional. STRING. A means by which to extend the type attribute. 1668 See Section 5.1.1. 1670 3.10. Discovery Class 1672 The Discovery class describes how an incident was detected. 1674 +------------------------+ 1675 | Discovery | 1676 +------------------------+ 1677 | ENUM source |<>--{0..*}--[ Description ] 1678 | STRING ext-source |<>--{0..*}--[ Contact ] 1679 | ENUM restriction |<>--{0..*}--[ DetectionPattern ] 1680 | STRING ext-restriction | 1681 +------------------------+ 1683 Figure 17: The Discovery Class 1685 The aggregate classes of the Discovery class are: 1687 Description 1688 Zero or more. ML_STRING. A free-form text description of how 1689 this incident was detected. 1691 Contact 1692 Zero or more. Contact information for the party that discovered 1693 the incident. See Section 3.9. 1695 DetectionPattern 1696 Zero or more. Describes an application-specific configuration 1697 that detected the incident. See Section 3.10.1. 1699 The attributes of the Discovery class are: 1701 source 1702 Optional. ENUM. Categorizes the techniques used to discover the 1703 incident. These values are partially derived from Table 3-1 of 1704 [NIST800.61rev2]. These values are maintained in the "Discovery- 1705 source" IANA registry per Section 10.2. 1707 1. nidps. Network Intrusion Detection or Prevention system. 1709 2. hips. Host-based Intrusion Prevention system. 1711 3. siem. Security Information and Event Management System. 1713 4. av. Antivirus or and antispam software. 1715 5. third-party-monitoring. Contracted third-party monitoring 1716 service. 1718 6. incident. The activity was discovered while investigating an 1719 unrelated incident. 1721 7. os-log. Operating system logs. 1723 8. application-log. Application logs. 1725 9. device-log. Network device logs. 1727 10. network-flow. Network flow analysis. 1729 11. passive-dns. Passive DNS analysis. 1731 12. investigation. Manual investigation initiated based on 1732 notification of a new vulnerability or exploit. 1734 13. audit. Security audit. 1736 14. internal-notification. A party within the organization 1737 reported the activity 1739 15. external-notification. A party outside of the organization 1740 reported the activity. 1742 16. leo. A law enforcement organization notified the victim 1743 organization. 1745 17. partner. A customer or business partner reported the 1746 activity to the victim organization. 1748 18. actor. The threat actor directly or indirectly reported this 1749 activity to the victim organization. 1751 19. unknown. Unknown detection approach. 1753 20. ext-value. A value used to indicate that this attribute is 1754 extended and the actual value is provided using the 1755 corresponding ext-* attribute. See Section 5.1.1. 1757 ext-source 1758 Optional. STRING. A means by which to extend the source 1759 attribute. See Section 5.1.1. 1761 restriction 1762 Optional. ENUM. See Section 3.3.1. 1764 ext-restriction 1765 Optional. STRING. A means by which to extend the restriction 1766 attribute. See Section 5.1.1. 1768 3.10.1. DetectionPattern Class 1770 The DetectionPattern class describes a configuration or signature 1771 that can be used by an IDS/IPS, SIEM, anti-virus, end-point 1772 protection, network analysis, malware analysis, or host forensics 1773 tool to identify a particular phenomenon. This class requires the 1774 identification of the target application and allows the configuration 1775 to be described in either free-form or machine readable form. 1777 +------------------------+ 1778 | DetectionPattern | 1779 +------------------------+ 1780 | ENUM restriction |<>----------[ Application ] 1781 | STRING ext-restriction |<>--{0..*}--[ Description ] 1782 | ID observable-id |<>--{0..*}--[ DetectionConfiguration ] 1783 +------------------------+ 1785 Figure 18: The DetectionPattern Class 1787 The aggregate classes of the DetectionPattern class are: 1789 Application 1790 One. SOFTWARE. The application for which the 1791 DetectionConfiguration or Description is being provided. 1793 Description 1794 Zero or more. ML_STRING. A free-form text description of how to 1795 use the Application or provided DetectionConfiguration. 1797 DetectionConfiguration 1798 Zero or more. STRING. A machine consumable configuration to find 1799 a pattern of activity. 1801 Either an instance of the Description or DetectionConfiguration class 1802 MUST be present. 1804 The attributes of the DetectionPattern class are: 1806 restriction 1807 Optional. ENUM. See Section 3.3.1. 1809 ext-restriction 1810 Optional. STRING. A means by which to extend the restriction 1811 attribute. See Section 5.1.1. 1813 observable-id 1814 Optional. ID. See Section 3.3.2. 1816 3.11. Method Class 1818 The Method class describes the tactics, techniques, procedures or 1819 weakness used by the threat actor in an incident. This class 1820 consists of both a list of references describing the attack methods 1821 and weaknesses and a free-form text description. 1823 +------------------------+ 1824 | Method | 1825 +------------------------+ 1826 | ENUM restriction |<>--{0..*}--[ Reference ] 1827 | STRING ext-restriction |<>--{0..*}--[ Description ] 1828 | |<>--{0..*}--[ sci:AttackPattern ] 1829 | |<>--{0..*}--[ sci:Vulnerability ] 1830 | |<>--{0..*}--[ sci:Weakness ] 1831 | |<>--{0..*}--[ AdditionalData ] 1832 +------------------------+ 1834 Figure 19: The Method Class 1836 The aggregate classes of the Method class are: 1838 Reference 1839 Zero or more. A reference to a vulnerability, malware sample, 1840 advisory, or analysis of an attack technique. See Section 3.11.1. 1842 Description 1843 Zero or more. ML_STRING. A free-form text description of 1844 techniques, tactics, or procedures used by the threat actor. 1846 sci:AttackPattern 1847 Zero or more. A reference to an pattern of attack or exploitation 1848 per [RFC7203] 1850 sci:Vulnerability 1851 Zero or more. A reference to a vulnerability per [RFC7203] 1853 sci:Weakness 1854 Zero or more. A reference to the exploited weakness per [RFC7203] 1856 AdditionalData 1857 Zero or more. EXTENSION. A mechanism by which to extend the data 1858 model. 1860 An instance of one of these child MUST be present. 1862 The attributes of the Method class are: 1864 restriction 1865 Optional. ENUM. See Section 3.3.1. 1867 ext-restriction 1868 Optional. STRING. A means by which to extend the restriction 1869 attribute. See Section 5.1.1. 1871 3.11.1. Reference Class 1873 The Reference class is an external reference to relevant information 1874 such a vulnerability, IDS alert, malware sample, advisory, or attack 1875 technique. 1877 +-------------------------+ 1878 | Reference | 1879 +-------------------------+ 1880 | ID observable-id |<>--{0..1}--[ enum:ReferenceName ] 1881 | |<>--{0..*}--[ URL ] 1882 | |<>--{0..*}--[ Description ] 1883 +-------------------------+ 1885 Figure 20: The Reference Class 1887 The aggregate classes of the Reference class are: 1889 enum:ReferenceName 1890 Zero or one. Reference identifier per [RFC7495]. 1892 URL 1893 Zero or more. URL. A URL to a reference. 1895 Description 1896 Zero or more. ML_STRING. A free-form text description of this 1897 reference. 1899 At least one of these classes MUST be present. 1901 The attribute of the Reference class is: 1903 observable-id 1904 Optional. ID. See Section 3.3.2. 1906 3.12. Assessment Class 1908 The Assessment class describes the repercussions of the incident to 1909 the victim. 1911 +-------------------------+ 1912 | Assessment | 1913 +-------------------------+ 1914 | ENUM occurrence |<>--{0..*}--[ IncidentCategory ] 1915 | ENUM restriction |<>--{0..*}--[ SystemImpact ] 1916 | STRING ext-restriction |<>--{0..*}--[ BusinessImpact ] 1917 | ID observable-id |<>--{0..*}--[ TimeImpact ] 1918 | |<>--{0..*}--[ MonetaryImpact ] 1919 | |<>--{0..*}--[ IntendedImpact ] 1920 | |<>--{0..*}--[ Counter ] 1921 | |<>--{0..*}--[ MitigatingFactor ] 1922 | |<>--{0..*}--[ Cause ] 1923 | |<>--{0..1}--[ Confidence ] 1924 | |<>--{0..*}--[ AdditionalData ] 1925 +-------------------------+ 1927 Figure 21: Assessment Class 1929 The aggregate classes of the Assessment class are: 1931 IncidentCategory 1932 Zero or more. ML_STRING. A free-form text description 1933 categorizing the type of Incident. 1935 SystemImpact 1936 Zero or more. A technical characterization of the impact of the 1937 incident activity on the victim's enterprise. See Section 3.12.1. 1939 BusinessImpact 1940 Zero or more. Impact of the incident activity on the business 1941 functions of the victim organization. See Section 3.12.2. 1943 TimeImpact 1944 Zero or more. A characterization of the victim organization due 1945 to the incident activity as a function of time. See 1946 Section 3.12.3. 1948 MonetaryImpact 1949 Zero or more. The financial loss due to the incident activity. 1950 See Section 3.12.4. 1952 IntendedImpact 1953 Zero or more. The intended outcome to the victim sought by the 1954 threat actor. Defined identically to the BusinessImpact defined 1955 in Section 3.12.2, but describes intent rather than the realized 1956 impact. 1958 Counter 1959 Zero or more. A counter with which to summarize the magnitude of 1960 the activity. See Section 3.18.3. 1962 MitigatingFactor 1963 Zero or more. ML_STRING. A description of a mitigating factor 1964 relative to the impact on the victim organization. 1966 Cause 1967 Zero or more. ML_STRING. A description of an underlying cause of 1968 the impact. 1970 Confidence 1971 Zero or one. An estimate of confidence in the impact assessment. 1972 See Section 3.12.5. 1974 AdditionalData 1975 Zero or more. EXTENSION. A mechanism by which to extend the data 1976 model. 1978 A least one instance of the possible five impact classes (i.e., 1979 SystemImpact, BusinessImpact, TimeImpact, MonetaryImpact or 1980 IntendedImpact) MUST be present. 1982 The attributes of the Assessment class are: 1984 occurrence 1985 Optional. ENUM. Specifies whether the assessment is describing 1986 actual or potential outcomes. 1988 1. actual. This assessment describes activity that has occurred. 1990 2. potential. This assessment describes potential activity that 1991 might occur. 1993 restriction 1994 Optional. ENUM. See Section 3.3.1. 1996 ext-restriction 1997 Optional. STRING. A means by which to extend the restriction 1998 attribute. See Section 5.1.1. 2000 observable-id 2001 Optional. ID. See Section 3.3.2. 2003 3.12.1. SystemImpact Class 2005 The SystemImpact class describes the technical impact of the incident 2006 to the systems on the network. 2008 +-----------------------+ 2009 | SystemImpact | 2010 +-----------------------+ 2011 | ENUM severity |<>--{0..*}--[ Description ] 2012 | ENUM completion | 2013 | ENUM type | 2014 | STRING ext-type | 2015 +-----------------------+ 2017 Figure 22: SystemImpact Class 2019 The aggregate class of the SystemImpact class is: 2021 Description 2022 Zero or more. ML_STRING. A free-form text description of the 2023 impact to the system. 2025 The attributes of the SystemImpact class are: 2027 severity 2028 Optional. ENUM. An estimate of the relative severity of the 2029 activity. The permitted values are shown below. There is no 2030 default value. 2032 1. low. Low severity 2034 2. medium. Medium severity 2036 3. high. High severity 2038 completion 2039 Optional. ENUM. An indication whether the described activity was 2040 successful. The permitted values are shown below. There is no 2041 default value. 2043 1. failed. The attempted activity was not successful. 2045 2. succeeded. The attempted activity succeeded. 2047 type 2048 Required. ENUM. Classifies the impact. The permitted values are 2049 shown below. The default value is "unknown". These values are 2050 maintained in the "SystemImpact-type" IANA registry per 2051 Section 10.2. 2053 1. takeover-account. Control was taken of a given account. 2055 2. takeover-service. Control was taken of a given service. 2057 3. takeover-system. Control was taken of a given system. 2059 4. cps-manipulation. A cyber-physical system was manipulated. 2061 5. cps-damage. A cyber-physical system was damaged. 2063 6. availability-data. Access to particular data was degraded or 2064 denied. 2066 7. availability-account. Access to an account was degraded or 2067 denied. 2069 8. availability-service. Access to a service was degraded or 2070 denied. 2072 9. availability-system. Access to a system was degraded or 2073 denied. 2075 10. damaged-system. Hardware on a system was irreparably 2076 damaged. 2078 11. damaged-data. Data on a system was deleted. 2080 12. breach-proprietary. Sensitive or proprietary information was 2081 accessed or exfiltrated. 2083 13. breach-privacy. Personally identifiable information was 2084 accessed or exfiltrated. 2086 14. breach-credential. Credential information was accessed or 2087 exfiltrated. 2089 15. breach-configuration. System configuration or data inventory 2090 was access or exfiltrated. 2092 16. integrity-data. Data on the system was modified. 2094 17. integrity-configuration. Application or system configuration 2095 was modified. 2097 18. integrity-hardware. Firmware of a hardware component was 2098 modified. 2100 19. traffic-redirection. Network traffic on the system was 2101 redirected 2103 20. monitoring-traffic. Network traffic emerging from a host or 2104 enclave was monitored. 2106 21. monitoring-host. System activity (e.g., running processes, 2107 keystrokes) were monitored. 2109 22. policy. Activity violated the system owner's acceptable use 2110 policy. 2112 23. unknown. The impact is unknown. 2114 24. ext-value. A value used to indicate that this attribute is 2115 extended and the actual value is provided using the 2116 corresponding ext-* attribute. See Section 5.1.1. 2118 ext-type 2119 Optional. STRING. A means by which to extend the type attribute. 2120 See Section 5.1.1. 2122 3.12.2. BusinessImpact Class 2124 The BusinessImpact class describes and characterizes the degree to 2125 which the function of the organization was impacted by the Incident. 2127 +-------------------------+ 2128 | BusinessImpact | 2129 +-------------------------+ 2130 | ENUM severity |<>--{0..*}--[ Description ] 2131 | STRING ext-severity | 2132 | ENUM type | 2133 | STRING ext-type | 2134 +-------------------------+ 2136 Figure 23: BusinessImpact Class 2138 The aggregate class of the BusinessImpact class is: 2140 Description 2141 Zero or more. ML_STRING. A free-form text description of the 2142 impact to the organization. 2144 The attributes of the BusinessImpact class are: 2146 severity 2147 Optional. ENUM. Characterizes the severity of the incident on 2148 business functions. The permitted values are shown below. They 2149 were derived from Table 3-2 of [NIST800.61rev2]. The default 2150 value is "unknown". These values are maintained in the 2151 "BusinessImpact-severity" IANA registry per Section 10.2. 2153 1. none. No effect to the organization's ability to provide all 2154 services to all users. 2156 2. low. Minimal effect as the organization can still provide all 2157 critical services to all users but has lost efficiency. 2159 3. medium. The organization has lost the ability to provide a 2160 critical service to a subset of system users. 2162 4. high. The organization is no longer able to provide some 2163 critical services to any users. 2165 5. unknown. The impact is not known. 2167 6. ext-value. A value used to indicate that this attribute is 2168 extended and the actual value is provided using the 2169 corresponding ext-* attribute. See Section 5.1.1. 2171 ext-severity 2172 Optional. STRING. A means by which to extend the severity 2173 attribute. See Section 5.1.1. 2175 type 2176 Required. ENUM. Characterizes the effect this incident had on 2177 the business. The permitted values are shown below. The default 2178 value is "unknown". These values are maintained in the 2179 "BusinessImpact-type" IANA registry per Section 10.2. 2181 1. breach-proprietary. Sensitive or proprietary information was 2182 accessed or exfiltrated. 2184 2. breach-privacy. Personally identifiable information was 2185 accessed or exfiltrated. 2187 3. breach-credential. Credential information was accessed or 2188 exfiltrated. 2190 4. loss-of-integrity. Sensitive or proprietary information was 2191 changed or deleted. 2193 5. loss-of-service. Service delivery was disrupted. 2195 6. theft-financial. Money was stolen. 2197 7. theft-service. Services were misappropriated. 2199 8. degraded-reputation. The reputation of the organization's 2200 brand was diminished. 2202 9. asset-damage. A cyber-physical system was damaged. 2204 10. asset-manipulation. A cyber-physical system was manipulated. 2206 11. legal. The incident resulted in legal or regulatory action. 2208 12. extortion. The incident resulted in actors extorting the 2209 victim organization. 2211 13. unknown. The impact is unknown. 2213 14. ext-value. A value used to indicate that this attribute is 2214 extended and the actual value is provided using the 2215 corresponding ext-* attribute. See Section 5.1.1. 2217 ext-type 2218 Optional. STRING. A means by which to extend the type attribute. 2219 See Section 5.1.1. 2221 3.12.3. TimeImpact Class 2223 The TimeImpact class describes the impact of the incident on an 2224 organization as a function of time. It provides a way to convey down 2225 time and recovery time. 2227 +---------------------+ 2228 | TimeImpact | 2229 +---------------------+ 2230 | REAL | 2231 | | 2232 | ENUM severity | 2233 | ENUM metric | 2234 | STRING ext-metric | 2235 | ENUM duration | 2236 | STRING ext-duration | 2237 +---------------------+ 2239 Figure 24: TimeImpact Class 2241 The content of the class is of type REAL and specifies an amount of 2242 time. The duration attribute provides units for this content; and 2243 the metric attribute explains what this content is measuring. 2245 The attributes of the TimeImpact class are: 2247 severity 2248 Optional. ENUM. An estimate of the relative severity of the 2249 activity. The permitted values are shown below. There is no 2250 default value. 2252 1. low. Low severity 2254 2. medium. Medium severity 2256 3. high. High severity 2258 metric 2259 Required. ENUM. Defines the meaning of the value in the element 2260 content. These values are maintained in the "TimeImpact-metric" 2261 IANA registry per Section 10.2. 2263 1. labor. Total staff-time to recovery from the activity (e.g., 2264 2 employees working 4 hours each would be 8 hours). 2266 2. elapsed. Elapsed time from the beginning of the recovery to 2267 its completion (i.e., wall-clock time). 2269 3. downtime. Duration of time for which some provided service(s) 2270 was not available. 2272 4. ext-value. A value used to indicate that this attribute is 2273 extended and the actual value is provided using the 2274 corresponding ext-* attribute. See Section 5.1.1. 2276 ext-metric 2277 Optional. STRING. A means by which to extend the metric 2278 attribute. See Section 5.1.1. 2280 duration 2281 Optional. ENUM. Defines the unit of time for the value in the 2282 element content. The default value is "hour". These values are 2283 maintained in the "TimeImpact-duration" IANA registry per 2284 Section 10.2. 2286 1. second. The unit of the element content is seconds. 2288 2. minute. The unit of the element content is minutes. 2290 3. hour. The unit of the element content is hours. 2292 4. day. The unit of the element content is days. 2294 5. month. The unit of the element content is months. 2296 6. quarter. The unit of the element content is quarters. 2298 7. year. The unit of the element content is years. 2300 8. ext-value. A value used to indicate that this attribute is 2301 extended and the actual value is provided using the 2302 corresponding ext-* attribute. See Section 5.1.1. 2304 ext-duration 2305 Optional. STRING. A means by which to extend the duration 2306 attribute. See Section 5.1.1. 2308 3.12.4. MonetaryImpact Class 2310 The MonetaryImpact class describes the financial impact of the 2311 activity on an organization. For example, this impact may consider 2312 losses due to the cost of the investigation or recovery, diminished 2313 productivity of the staff, or a tarnished reputation that will affect 2314 future opportunities. 2316 +------------------+ 2317 | MonetaryImpact | 2318 +------------------+ 2319 | REAL | 2320 | | 2321 | ENUM severity | 2322 | STRING currency | 2323 +------------------+ 2325 Figure 25: MonetaryImpact Class 2327 The content of the class is of type REAL and specifies a quantity of 2328 money. The currency attribute defines the currently of this value. 2330 The attributes of the MonetaryImpact class are: 2332 severity 2333 Optional. ENUM. An estimate of the relative severity of the 2334 activity. The permitted values are shown below. There is no 2335 default value. 2337 1. low. Low severity 2339 2. medium. Medium severity 2341 3. high. High severity 2343 currency 2344 Optional. STRING. Defines the currency in which the value in the 2345 element content is expressed. The permitted values are defined in 2346 "Codes for the representation of currencies and funds" of 2347 [ISO4217]. There is no default value. 2349 3.12.5. Confidence Class 2351 The Confidence class represents an estimate of the validity and 2352 accuracy of data expressed in the document. This estimate can be 2353 expressed as a category or a numeric calculation. 2355 +-------------------+ 2356 | Confidence | 2357 +-------------------+ 2358 | REAL | 2359 | | 2360 | ENUM rating | 2361 | STRING ext-rating | 2362 +-------------------+ 2364 Figure 26: Confidence Class 2366 The content of the class is of type REAL and specifies a numerical 2367 assessment in the confidence of the data when the value of the rating 2368 attribute is "numeric". Otherwise, this element MUST be empty. 2370 The attributes of the Confidence class are: 2372 rating 2373 Required. ENUM. A qualitative assessment of confidence. These 2374 values are maintained in the "Confidence-rating" IANA registry per 2375 Section 10.2 2377 1. low. Low confidence. 2379 2. medium. Medium confidence. 2381 3. high. High confidence. 2383 4. numeric. The element content contains a number that conveys 2384 the confidence of the data. The semantics of this number 2385 outside the scope of this specification. 2387 5. unknown. The confidence rating value is not known. 2389 6. ext-value. A value used to indicate that this attribute is 2390 extended and the actual value is provided using the 2391 corresponding ext-* attribute. See Section 5.1.1. 2393 ext-rating 2394 Optional. STRING. A means by which to extend the rating 2395 attribute. See Section 5.1.1. 2397 3.13. History Class 2399 The History class is a log of the significant events or actions 2400 performed by the involved parties during the course of handling the 2401 incident. 2403 The level of detail maintained in this log is left up to the 2404 discretion of those handling the incident. 2406 +------------------------+ 2407 | History | 2408 +------------------------+ 2409 | ENUM restriction |<>--{1..*}--[ HistoryItem ] 2410 | STRING ext-restriction | 2411 +------------------------+ 2413 Figure 27: The History Class 2415 The aggregate classes of the History class are: 2417 HistoryItem 2418 One or more. An entry in the history log of significant events or 2419 actions performed by the involved parties. See Section 3.13.1. 2421 The attributes of the History class are: 2423 restriction 2424 Optional. ENUM. See Section 3.3.1. 2426 ext-restriction 2427 Optional. STRING. A means by which to extend the restriction 2428 attribute. See Section 5.1.1. 2430 3.13.1. HistoryItem Class 2432 The HistoryItem class is an entry in the History (Section 3.13) log 2433 that documents a particular action or event that occurred in the 2434 course of handling the incident. The details of the entry are a 2435 free-form text description, but each can be categorized with the type 2436 attribute. 2438 +-------------------------+ 2439 | HistoryItem | 2440 +-------------------------+ 2441 | ENUM action |<>----------[ DateTime ] 2442 | STRING ext-action |<>--{0..1}--[ IncidentID ] 2443 | ENUM restriction |<>--{0..1}--[ Contact ] 2444 | STRING ext-restriction |<>--{0..*}--[ Description ] 2445 | ID observable-id |<>--{0..*}--[ DefinedCOA ] 2446 | |<>--{0..*}--[ AdditionalData ] 2447 +-------------------------+ 2449 Figure 28: HistoryItem Class 2451 The aggregate classes of the HistoryItem class are: 2453 DateTime 2454 One. DATETIME. A timestamp of this entry in the history log. 2456 IncidentID 2457 Zero or One. In a history log created by multiple parties, the 2458 IncidentID provides a mechanism to specify which CSIRT created a 2459 particular entry and references this organization's tracking 2460 number. When a single organization is maintaining the log, this 2461 class can be ignored. See Section 3.4. 2463 Contact 2464 Zero or One. Provides contact information for the entity that 2465 performed the action documented in this class. See Section 3.9. 2467 Description 2468 Zero or more. ML_STRING. A free-form text description of the 2469 action or event. 2471 DefinedCOA 2472 Zero or more. STRING. An identifier meaningful to the sender and 2473 recipient of this document that references a course of action 2474 (COA). This class MUST be present if the action attribute is set 2475 to "defined-coa". 2477 AdditionalData 2478 Zero or more. EXTENSION. A mechanism by which to extend the data 2479 model. 2481 The attributes of the HistoryItem class are: 2483 action 2484 Required. ENUM. Classifies a performed action or occurrence 2485 documented in this history log entry. As activity will likely 2486 have been instigated either through a previously conveyed 2487 expectation or internal investigation. This attribute is 2488 identical to the action attribute of the Expectation class. The 2489 difference is only one of tense. When an action is in this class, 2490 it has been completed. See Section 3.15. 2492 ext-action 2493 Optional. STRING. A means by which to extend the action 2494 attribute. See Section 5.1.1. 2496 restriction 2497 Optional. ENUM. See Section 3.3.1. 2499 ext-restriction 2500 Optional. STRING. A means by which to extend the restriction 2501 attribute. See Section 5.1.1. 2503 observable-id 2504 Optional. ID. See Section 3.3.2. 2506 3.14. EventData Class 2508 The EventData class is a container class to organize data about 2509 events that occurred during an incident. 2511 +-------------------------+ 2512 | EventData | 2513 +-------------------------+ 2514 | ENUM restriction |<>--{0..*}--[ Description ] 2515 | STRING ext-restriction |<>--{0..1}--[ DetectTime ] 2516 | ID observable-id |<>--{0..1}--[ StartTime ] 2517 | |<>--{0..1}--[ EndTime ] 2518 | |<>--{0..1}--[ RecoveryTime ] 2519 | |<>--{0..1}--[ ReportTime ] 2520 | |<>--{0..*}--[ Contact ] 2521 | |<>--{0..*}--[ Discovery ] 2522 | |<>--{0..1}--[ Assessment ] 2523 | |<>--{0..*}--[ Method ] 2524 | |<>--{0..*}--[ Flow ] 2525 | |<>--{0..*}--[ Expectation ] 2526 | |<>--{0..1}--[ Record ] 2527 | |<>--{0..*}--[ EventData ] 2528 | |<>--{0..*}--[ AdditionalData ] 2529 +-------------------------+ 2531 Figure 29: The EventData Class 2533 The aggregate classes of the EventData class are: 2535 Description 2536 Zero or more. ML_STRING. A free-form text description of the 2537 event. 2539 DetectTime 2540 Zero or one. DATETIME. The time the event was detected. 2542 StartTime 2543 Zero or one. DATETIME. The time the event started. 2545 EndTime 2546 Zero or one. DATETIME. The time the event ended. 2548 RecoveryTime 2549 Zero or one. DATETIME. The time the site recovered from the 2550 event. 2552 ReportTime 2553 Zero or one. DATETIME. The time the event was reported. 2555 Contact 2556 Zero or more. Contact information for the parties involved in the 2557 event. See Section 3.9. 2559 Discovery 2560 Zero or more. The means by which the event was detected. See 2561 Section 3.10. 2563 Assessment 2564 Zero or one. The impact of the event on the victim and the 2565 actions taken. See Section 3.12. 2567 Method 2568 Zero or more. The technique used by the threat actor in the 2569 event. See Section 3.11. 2571 Flow 2572 Zero or more. A description of the systems or networks involved. 2573 See Section 3.16. 2575 Expectation 2576 Zero or more. The expected action to be performed by the 2577 recipient for the described event. See Section 3.15. 2579 Record 2580 Zero or one. Supportive data (e.g., log files) that provides 2581 additional information about the event. See Section 3.22. 2583 EventData 2584 Zero or more. A recursive definition of the EventData class. See 2585 Section 3.14.2 for an explanation on using this class. 2587 AdditionalData 2588 Zero or more. EXTENSION. An extension mechanism for data not 2589 explicitly represented in the data model. 2591 At least one of the aggregate classes MUST be present in an instance 2592 of the EventData class. 2594 The attributes of the EventData class are: 2596 restriction 2597 Optional. ENUM. See Section 3.3.1. The default value is 2598 "default". 2600 ext-restriction 2601 Optional. STRING. A means by which to extend the restriction 2602 attribute. See Section 5.1.1. 2604 observable-id 2605 Optional. ID. See Section 3.3.2. 2607 3.14.1. Relating the Incident and EventData Classes 2609 There is substantial overlap in the child classes aggregated in the 2610 Incident and EventData classes. Nevertheless, the semantics of these 2611 classes are quite different. The Incident class provides summary 2612 information about the entire incident, while the EventData class 2613 provides information about the individual events comprising the 2614 incident. In the common case, the EventData class will provide more 2615 specific information for the general description provided in the 2616 Incident class. However, in the case where the summarized 2617 information in the Incident class conflicts the detailed information 2618 in an EventData class the more specific EventData class MUST 2619 supersede the more generic information provided in Incident class. 2621 3.14.2. Recursive Definition of EventData 2623 The EventData class is container for the properties of an event in an 2624 incident. These properties include: the hosts involved, impact of 2625 the incident activity on the hosts, forensic logs, etc. The 2626 recursive definition of EventData allows for the grouping of related 2627 information with common properties. This approach eliminates the 2628 need for explicit identifiers to relate information or duplicate it. 2629 Instead, the relative depth (nesting) of a class is used to group 2630 (relate) information. 2632 For example, consider a case where two hosts experience different 2633 impacts during an incident. However, these two hosts have common 2634 contact information. A depiction of how this situation would be 2635 represented can be found in Figure 30. EventData (2) and (3) group 2636 each of the two hosts with their unique impact. EventData (1) 2637 describes the common Contact class these two hosts share. 2639 +------------------+ 2640 | EventData (1) | 2641 +------------------+ 2642 | |<>----[ Contact ] 2643 | | 2644 | |<>----[ EventData (2) ]<>----[ Flow ] 2645 | | [ ]<>----[ Assessment ] 2646 | | 2647 | |<>----[ EventData (3) ]<>----[ Flow ] 2648 | | [ ]<>----[ Assessment ] 2649 +------------------+ 2651 Figure 30: Recursion in the EventData Class 2653 3.15. Expectation Class 2655 The Expectation class conveys to the recipient of the IODEF document 2656 the actions the sender is requesting. 2658 +-------------------------+ 2659 | Expectation | 2660 +-------------------------+ 2661 | ENUM action |<>--{0..*}--[ Description ] 2662 | STRING ext-action |<>--{0..*}--[ DefinedCOA ] 2663 | ENUM severity |<>--{0..1}--[ StartTime ] 2664 | ENUM restriction |<>--{0..1}--[ EndTime ] 2665 | STRING ext-restriction |<>--{0..1}--[ Contact ] 2666 | ID observable-id | 2667 +-------------------------+ 2669 Figure 31: The Expectation Class 2671 The aggregate classes of the Expectation class are: 2673 Description 2674 Zero or more. ML_STRING. A free-form text description of the 2675 desired action(s). 2677 DefinedCOA 2678 Zero or more. STRING. A unique identifier meaningful to the 2679 sender and recipient of this document that references a course of 2680 action. This class MUST be present if the action attribute is set 2681 to "defined-coa". 2683 StartTime 2684 Zero or one. DATETIME. The time at which the sender would like 2685 the action performed. A timestamp that is earlier than the 2686 ReportTime specified in the Incident class denotes that the sender 2687 would like the action performed as soon as possible. The absence 2688 of this element indicates no expectations of when the recipient 2689 would like the action performed. 2691 EndTime 2692 Zero or one. DATETIME. The time by which the sender expects the 2693 recipient to complete the action. If the recipient cannot 2694 complete the action before EndTime, the recipient MUST NOT carry 2695 out the action. Because of transit delays and clock drift the 2696 sender MUST be prepared for the recipient to have carried out the 2697 action, even if it completes past EndTime. 2699 Contact 2700 Zero or one. The entity expected to perform the action. See 2701 Section 3.9. 2703 The attributes of the Expectation class are: 2705 action 2706 Optional. ENUM. Classifies the type of action requested. The 2707 default value of "other". These values are maintained in the 2708 "Expectation-action" IANA registry per Section 10.2. 2710 1. nothing. No action is requested. Do nothing with the 2711 information. 2713 2. contact-source-site. Contact the site(s) identified as the 2714 source of the activity. 2716 3. contact-target-site. Contact the site(s) identified as the 2717 target of the activity. 2719 4. contact-sender. Contact the originator of the document. 2721 5. investigate. Investigate the systems(s) listed in the event. 2723 6. block-host. Block traffic from the machine(s) listed as 2724 sources the event. 2726 7. block-network. Block traffic from the network(s) lists as 2727 sources in the event. 2729 8. block-port. Block the port listed as sources in the event. 2731 9. rate-limit-host. Rate-limit the traffic from the machine(s) 2732 listed as sources in the event. 2734 10. rate-limit-network. Rate-limit the traffic from the 2735 network(s) lists as sources in the event. 2737 11. rate-limit-port. Rate-limit the port(s) listed as sources in 2738 the event. 2740 12. redirect-traffic. Redirect traffic from the intended 2741 recipient for further analysis. 2743 13. honeypot. Redirect traffic from systems listed in the event 2744 to a honeypot for further analysis. 2746 14. upgrade-software. Upgrade or patch the software or firmware 2747 on an asset listed in the event. 2749 15. rebuild-asset. Reinstall the operating system or 2750 applications on an asset listed in the event. 2752 16. harden-asset. Change the configuration an asset listed in 2753 the event to reduce the attack surface. 2755 17. remediate-other. Remediate the activity in a way other than 2756 by rate limiting or blocking. 2758 18. status-triage. Confirm receipt and begin triaging the 2759 incident. 2761 19. status-new-info. Notify the sender when new information is 2762 received for this incident. 2764 20. watch-and-report. Watch for the described activity or 2765 indicators; and notify the sender when seen. 2767 21. training. Train user to identify or mitigate the described 2768 threat. 2770 22. defined-coa. Perform a predefined course of action (COA). 2771 The COA is named in the DefinedCOA class. 2773 23. other. Perform a custom action described in the Description 2774 class. 2776 24. ext-value. A value used to indicate that this attribute is 2777 extended and the actual value is provided using the 2778 corresponding ext-* attribute. See Section 5.1.1. 2780 ext-action 2781 Optional. STRING. A means by which to extend the action 2782 attribute. See Section 5.1.1. 2784 severity 2785 Optional. ENUM. Indicates the desired priority of the action. 2786 This attribute is an enumerated list with no default value, and 2787 the semantics of these relative measures are context dependent. 2789 1. low. Low priority 2791 2. medium. Medium priority 2793 3. high. High priority 2795 restriction 2796 Optional. ENUM. See Section 3.3.1. The default value is 2797 "default". 2799 ext-restriction 2800 Optional. STRING. A means by which to extend the restriction 2801 attribute. See Section 5.1.1. 2803 observable-id 2804 Optional. ID. See Section 3.3.2. 2806 3.16. Flow Class 2808 The Flow class describes the systems and networks involved in the 2809 incident; and the relationships between them. 2811 +------------------+ 2812 | Flow | 2813 +------------------+ 2814 | |<>--{1..*}--[ System ] 2815 +------------------+ 2817 Figure 32: The Flow Class 2819 The aggregate class of the Flow class is: 2821 System 2822 One or More. A host or network involved in an event. See 2823 Section 3.17. 2825 The Flow class has no attributes. 2827 3.17. System Class 2829 The System class describes a system or network involved in an event. 2831 +------------------------+ 2832 | System | 2833 +------------------------+ 2834 | ENUM category |<>----------[ Node ] 2835 | STRING ext-category |<>--{0..*}--[ NodeRole ] 2836 | STRING interface |<>--{0..*}--[ Service ] 2837 | ENUM spoofed |<>--{0..*}--[ OperatingSystem ] 2838 | ENUM virtual |<>--{0..*}--[ Counter ] 2839 | ENUM ownership |<>--{0..*}--[ AssetID ] 2840 | STRING ext-ownership |<>--{0..*}--[ Description ] 2841 | ENUM restriction |<>--{0..*}--[ AdditionalData ] 2842 | STRING ext-restriction | 2843 | ID observable-id | 2844 +------------------------+ 2846 Figure 33: The System Class 2848 The aggregate classes of the System class are: 2850 Node 2851 One. A host or network involved in the incident. See 2852 Section 3.18. 2854 NodeRole 2855 Zero or more. The intended purpose of the system. See 2856 Section 3.18.2. 2858 Service 2859 Zero or more. A network service running on the system. See 2860 Section 3.20. 2862 OperatingSystem 2863 Zero or more. SOFTWARE. The operating system running on the 2864 system. 2866 Counter 2867 Zero or more. A counter with which to summarize properties of 2868 this host or network. See Section 3.18.3. 2870 AssetID 2871 Zero or more. STRING. An asset identifier for the System. 2873 Description 2874 Zero or more. ML_STRING. A free-form text description of the 2875 System. 2877 AdditionalData 2878 Zero or more. EXTENSION. A mechanism by which to extend the data 2879 model. 2881 The attributes of the System class are: 2883 category 2884 Optional. ENUM. Classifies the role the host or network played 2885 in the incident. These values are maintained in the "System- 2886 category" IANA registry per Section 10.2. 2888 1. source. The System was the source of the event. 2890 2. target. The System was the target of the event. 2892 3. intermediate. The System was an intermediary in the event. 2894 4. sensor. The System was a sensor monitoring the event. 2896 5. infrastructure. The System was an infrastructure node of 2897 IODEF document exchange. 2899 6. ext-value. A value used to indicate that this attribute is 2900 extended and the actual value is provided using the 2901 corresponding ext-* attribute. See Section 5.1.1. 2903 ext-category 2904 Optional. STRING. A means by which to extend the category 2905 attribute. See Section 5.1.1. 2907 interface 2908 Optional. STRING. Specifies the interface on which the event(s) 2909 on this System originated. If the Node class specifies a network 2910 rather than a host, this attribute has no meaning. 2912 spoofed 2913 Optional. ENUM. An indication of confidence in whether this 2914 System was the true target or attacking host. The permitted 2915 values for this attribute are shown below. The default value is 2916 "unknown". 2918 1. unknown. The accuracy of the category attribute value is 2919 unknown. 2921 2. yes. The category attribute value is likely incorrect. In 2922 the case of a source, the System is likely a decoy; with a 2923 target, the System was likely not the intended victim. 2925 3. no. The category attribute value is believed to be correct. 2927 virtual 2928 Optional. ENUM. Indicates whether this System is a virtual or 2929 physical device. The default value is "unknown". 2931 1. yes. The System is a virtual device. 2933 2. no. The System is a physical device. 2935 3. unknown. It is not known if the System is virtual. 2937 ownership 2938 Optional. ENUM. Describes the ownership of this System relative 2939 to the victim in the incident. These values are maintained in the 2940 "System-ownership" IANA registry per Section 10.2. 2942 1. organization. Corporate or enterprise-owned. 2944 2. personal. Personally-owned by an employee or affiliate of the 2945 corporation or enterprise. 2947 3. partner. Owned by a partner of the corporation or enterprise. 2949 4. customer. Owned by a customer of the corporation or 2950 enterprise. 2952 5. no-relationship. Owned by an entity that has no known 2953 relationship with victim organization. 2955 6. unknown. Ownership is unknown. 2957 7. ext-value. A value used to indicate that this attribute is 2958 extended and the actual value is provided using the 2959 corresponding ext-* attribute. See Section 5.1.1. 2961 ext-ownership 2962 Optional. STRING. A means by which to extend the ownership 2963 attribute. See Section 5.1.1. 2965 restriction 2966 Optional. ENUM. See Section 3.3.1. 2968 ext-restriction 2969 Optional. STRING. A means by which to extend the restriction 2970 attribute. See Section 5.1.1. 2972 observable-id 2973 Optional. ID. See Section 3.3.2. 2975 3.18. Node Class 2977 The Node class identifies a system, asset or network; and its 2978 location. 2980 +---------------+ 2981 | Node | 2982 +---------------+ 2983 | |<>--{0..*}--[ DomainData ] 2984 | |<>--{0..*}--[ Address ] 2985 | |<>--{0..1}--[ PostalAddress ] 2986 | |<>--{0..*}--[ Location ] 2987 | |<>--{0..*}--[ Counter ] 2988 +---------------+ 2990 Figure 34: The Node Class 2992 The aggregate classes of the Node class are: 2994 DomainData 2995 Zero or more. The domain (DNS) information associated with this 2996 Node. If an Address is not provided, at least one DomainData MUST 2997 be specified. See Section 3.19. 2999 Address 3000 Zero or more. The hardware, network, or application address of 3001 the Node. If a DomainData is not provided, at least one Address 3002 MUST be specified. See Section 3.18.1. 3004 PostalAddress 3005 Zero or one. POSTAL. The postal address of the node. 3007 Location 3008 Zero or more. ML_STRING. A free-form text description of the 3009 physical location of the Node. This description may provide a 3010 more detailed description of where in the PostalAddress this Node 3011 is found (e.g., room number, rack number, slot number in a 3012 chassis). 3014 Counter 3015 Zero or more. A counter with which to summarizes properties of 3016 this host or network. See Section 3.18.3. 3018 The Node class has no attributes. 3020 3.18.1. Address Class 3022 The Address class represents a hardware (layer-2), network (layer-3), 3023 or application (layer-7) address. 3025 +-------------------------+ 3026 | Address | 3027 +-------------------------+ 3028 | STRING | 3029 | | 3030 | ENUM category | 3031 | STRING ext-category | 3032 | STRING vlan-name | 3033 | INTEGER vlan-num | 3034 | ID observable-id | 3035 +-------------------------+ 3037 Figure 35: The Address Class 3039 The content of the class is an address of type STRING whose semantics 3040 are determined by the category attribute. 3042 The attributes of the Address class are: 3044 category 3045 Required. ENUM. The type of address represented. The default 3046 value is "ipv6-addr". These values are maintained in the 3047 "Address-category" IANA registry per Section 10.2. 3049 1. asn. Autonomous System Number. 3051 2. atm. Asynchronous Transfer Mode (ATM) address. 3053 3. e-mail. Email address, per the EMAIL data type. 3055 4. ipv4-addr. IPv4 host address in dotted-decimal notation 3056 (a.b.c.d). 3058 5. ipv4-net. IPv4 network address in dotted-decimal notation, 3059 slash, significant bits (i.e., a.b.c.d/nn). 3061 6. ipv4-net-masked. A sanitized IPv4 address with significant 3062 bits per "ipv4-net" but with the character 'x' replacing any 3063 digit(s) in the address or prefix. 3065 7. ipv4-net-mask. IPv4 network address in dotted-decimal 3066 notation, slash, network mask in dotted-decimal notation 3067 (i.e., a.b.c.d/w.x.y.z). 3069 8. ipv6-addr. IPv6 host address per Section 4 of [RFC5952]. 3071 9. ipv6-net. IPv6 network address, slash, prefix per 3072 Section 2.3 of [RFC4291]. 3074 10. ipv6-net-masked. A sanitized IPv6 address and prefix per 3075 "ipv6-net" but with the character 'x' replacing any 3076 hexadecimal digit(s) in the address or digit(s) in the 3077 prefix. 3079 11. mac. Media Access Control (MAC) address (i.e., 3080 aa:bb:cc:dd:ee:ff). 3082 12. site-uri. A URL or URI for a resource, per the URL data 3083 type. 3085 13. ext-value. A value used to indicate that this attribute is 3086 extended and the actual value is provided using the 3087 corresponding ext-* attribute. See Section 5.1.1. 3089 ext-category 3090 Optional. STRING. A means by which to extend the category 3091 attribute. See Section 5.1.1. 3093 vlan-name 3094 Optional. STRING. The name of the Virtual LAN to which the 3095 address belongs. 3097 vlan-num 3098 Optional. INTEGER. The number of the Virtual LAN to which the 3099 address belongs. 3101 observable-id 3102 Optional. ID. See Section 3.3.2. 3104 3.18.2. NodeRole Class 3106 The NodeRole class describes the function performed by or role of a 3107 particular system, asset or network. 3109 +-----------------------+ 3110 | NodeRole | 3111 +-----------------------+ 3112 | ENUM category |<>--{0..*}--[ Description ] 3113 | STRING ext-category | 3114 +-----------------------+ 3116 Figure 36: The NodeRole Class 3118 The aggregate class of the NodeRole class is: 3120 Description 3121 Zero or more. ML_STRING. A free-form text description of the 3122 role of the system. 3124 The attributes of the NodeRole class are: 3126 category 3127 Required. ENUM. Function or role of a node. These values are 3128 maintained in the "NodeRole-category" IANA registry per 3129 Section 10.2. 3131 1. client. Client computer. 3133 2. client-enterprise. Client computer on the enterprise 3134 network. 3136 3. client-partner. Client computer on network of a partner. 3138 4. client-remote. Client computer remotely connected to the 3139 enterprise network. 3141 5. client-kiosk. Client computer serving as a kiosk. 3143 6. client-mobile. Mobile device. 3145 7. server-internal. Server with internal services. 3147 8. server-public. Server with public services. 3149 9. www. WWW server. 3151 10. mail. Mail server. 3153 11. webmail. Web mail server. 3155 12. messaging. Messaging server (e.g., NNTP, IRC, IM). 3157 13. streaming. Streaming-media server. 3159 14. voice. Voice server (e.g., SIP, H.323). 3161 15. file. File server. 3163 16. ftp. FTP server. 3165 17. p2p. Peer-to-peer node. 3167 18. name. Name server (e.g., DNS, WINS). 3169 19. directory. Directory server (e.g., LDAP, finger, whois). 3171 20. credential. Credential server (e.g., domain controller, 3172 Kerberos). 3174 21. print. Print server. 3176 22. application. Application server. 3178 23. database. Database server. 3180 24. backup. Backup server. 3182 25. dhcp. DHCP server. 3184 26. assessment. Assessment server (e.g., vulnerability scanner, 3185 end-point assessment). 3187 27. source-control. Source code control server. 3189 28. config-management. Configuration management server. 3191 29. monitoring. Security monitoring server (e.g., IDS). 3193 30. infra. Infrastructure server (e.g., router, firewall, DHCP). 3195 31. infra-firewall. Firewall. 3197 32. infra-router. Router. 3199 33. infra-switch. Switch. 3201 34. camera. Camera and video system. 3203 35. proxy. Proxy server. 3205 36. remote-access. Remote access server. 3207 37. log. Log server (e.g., syslog). 3209 38. virtualization. Server running virtual machines. 3211 39. pos. Point-of-sale device. 3213 40. scada. Supervisory control and data acquisition (SCADA) 3214 system. 3216 41. scada-supervisory. Supervisory system for a SCADA. 3218 42. sinkhole. Traffic sinkhole destination. 3220 43. honeypot. Honeypot server. 3222 44. anonymization. Anonymization server (e.g., Tor node). 3224 45. c2-server. Malicious command and control server. 3226 46. malware-distribution. Server that distributes malware 3228 47. drop-server. Server to which exfiltrated content is 3229 uploaded. 3231 48. hop-point. Intermediary server used to get to a victim. 3233 49. reflector. A system used in a reflector attack. 3235 50. phishing-site. Site hosting phishing content. 3237 51. spear-phishing-site. Site hosting spear-phishing content. 3239 52. recruiting-site. Site to recruit. 3241 53. fraudulent-site. Fraudulent site. 3243 54. ext-value. A value used to indicate that this attribute is 3244 extended and the actual value is provided using the 3245 corresponding ext-* attribute. See Section 5.1.1. 3247 ext-category 3248 Optional. STRING. A means by which to extend the category 3249 attribute. See Section 5.1.1. 3251 3.18.3. Counter Class 3253 The Counter class summarizes multiple occurrences of an event or 3254 conveys counts or rates of various features. 3256 The complete semantics of this class are context dependent based on 3257 the class in which it is aggregated. 3259 +---------------------+ 3260 | Counter | 3261 +---------------------+ 3262 | REAL | 3263 | | 3264 | ENUM type | 3265 | STRING ext-type | 3266 | ENUM unit | 3267 | STRING ext-unit | 3268 | STRING meaning | 3269 | ENUM duration | 3270 | STRING ext-duration | 3271 +---------------------+ 3273 Figure 37: The Counter Class 3275 The content of the class is a value of type REAL whose meaning and 3276 units are determined by the type and duration attributes, 3277 respectively. If the duration attribute is present, the element 3278 content is a rather. Otherwise, it is a simple counter. 3280 The attributes of the Counter class are: 3282 type 3283 Required. ENUM. Specifies the type of counter specified in the 3284 element content. These values are maintained in the "Counter- 3285 type" IANA registry per Section 10.2. 3287 1. count. The Counter class value is a counter. 3289 2. peak. The Counter class value is a peak value. 3291 3. average. The Counter class value is an average. 3293 4. ext-value. A value used to indicate that this attribute is 3294 extended and the actual value is provided using the 3295 corresponding ext-* attribute. See Section 5.1.1. 3297 ext-type 3298 Optional. STRING. A means by which to extend the type attribute. 3299 See Section 5.1.1. 3301 unit 3302 Required. ENUM. Specifies the units of the element content. 3303 These values are maintained in the "Counter-unit" IANA registry 3304 per Section 10.2. 3306 1. byte. Bytes transferred. 3308 2. mbit. Megabits (Mbits) transfered. 3310 3. packet. Packets. 3312 4. flow. Network flow records. 3314 5. session. Sessions. 3316 6. alert. Notifications generated by another system (e.g., IDS 3317 or SIM). 3319 7. message. Messages (e.g., mail messages). 3321 8. event. Events. 3323 9. host. Hosts. 3325 10. site. Site. 3327 11. organization. Organizations. 3329 12. ext-value. A value used to indicate that this attribute is 3330 extended and the actual value is provided using the 3331 corresponding ext-* attribute. See Section 5.1.1. 3333 ext-unit 3334 Optional. STRING. A means by which to extend the unit attribute. 3335 See Section 5.1.1. 3337 meaning 3338 Optional. STRING. A free-form text description of the metric 3339 represented by the Counter. 3341 duration 3342 Optional. ENUM. If present, the Counter class represents a rate. 3343 This attribute specifies unit of time over which the rate whose 3344 units are specified in the unit attribute is being conveyed. This 3345 attribute is the the denominator of the rate (where the unit 3346 attribute specified the nominator). The possible values of this 3347 attribute are defined in the duration attribute of Section 3.12.3 3349 ext-duration 3350 Optional. STRING. A means by which to extend the duration 3351 attribute. See Section 5.1.1. 3353 3.19. DomainData Class 3355 The DomainData class describes a domain name and meta-data associated 3356 with this domain. 3358 +--------------------------+ 3359 | DomainData | 3360 +--------------------------+ 3361 | ENUM system-status |<>----------[ Name ] 3362 | STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ] 3363 | ENUM domain-status |<>--{0..1}--[ RegistrationDate ] 3364 | STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ] 3365 | ID observable-id |<>--{0..*}--[ RelatedDNS ] 3366 | |<>--{0..*}--[ Nameservers ] 3367 | |<>--{0..1}--[ DomainContacts ] 3368 +--------------------------+ 3370 Figure 38: The DomainData Class 3372 The aggregate classes of the DomainData class are: 3374 Name 3375 One. STRING. The domain name of a system. 3377 DateDomainWasChecked 3378 Zero or one. DATETIME. A timestamp of when the domain listed in 3379 the Name class was resolved. 3381 RegistrationDate 3382 Zero or one. DATETIME. A timestamp of when domain listed in Name 3383 class was registered. 3385 ExpirationDate 3386 Zero or one. DATETIME. A timestamp of when the domain listed in 3387 Name class is set to expire. 3389 RelatedDNS 3390 Zero or more. EXTENSION. Additional DNS records associated with 3391 this domain. 3393 Nameservers 3394 Zero or more. The name servers identified for the domain listed 3395 in Name class. See Section 3.19.1. 3397 DomainContacts 3398 Zero or one. Contact information for the domain listed in Name 3399 class supplied by the registrar or through a whois query. 3401 The attributes of the DomainData class are: 3403 system-status 3404 Required. ENUM. Assesses the domain's involvement in the event. 3405 These values are maintained in the "DomainData-system-status" IANA 3406 registry per Section 10.2. 3408 1. spoofed. This domain was spoofed. 3410 2. fraudulent. This domain was operated with fraudulent 3411 intentions. 3413 3. innocent-hacked. This domain was compromised by a third 3414 party. 3416 4. innocent-hijacked. This domain was deliberately hijacked. 3418 5. unknown. No categorization for this domain known. 3420 6. ext-value. A value used to indicate that this attribute is 3421 extended and the actual value is provided using the 3422 corresponding ext-* attribute. See Section 5.1.1. 3424 ext-system-status 3425 Optional. STRING. A means by which to extend the system-status 3426 attribute. See Section 5.1.1. 3428 domain-status 3429 Required. ENUM. Categorizes the registry status of the domain at 3430 the time the document was generated. These values and their 3431 associated descriptions are derived from Section 3.2.2 of 3432 [RFC3982]. These values are maintained in the "DomainData-domain- 3433 status" IANA registry per Section 10.2. 3435 1. reservedDelegation. The domain is permanently inactive. 3437 2. assignedAndActive. The domain is in a normal state. 3439 3. assignedAndInactive. The domain has an assigned registration 3440 but the delegation is inactive. 3442 4. assignedAndOnHold. The domain is in dispute. 3444 5. revoked. The domain is in the process of being purged from 3445 the database. 3447 6. transferPending. The domain is pending a change in 3448 authority. 3450 7. registryLock. The domain is on hold by the registry. 3452 8. registrarLock. Same as "registryLock". 3454 9. other. The domain has a known status but it is not one of 3455 the redefined enumerated values. 3457 10. unknown. The domain has an unknown status. 3459 11. ext-value. A value used to indicate that this attribute is 3460 extended and the actual value is provided using the 3461 corresponding ext-* attribute. See Section 5.1.1. 3463 ext-domain-status 3464 Optional. STRING. A means by which to extend the domain-status 3465 attribute. See Section 5.1.1. 3467 observable-id 3468 Optional. ID. See Section 3.3.2. 3470 3.19.1. Nameservers Class 3472 The Nameservers class describes the name servers associated with a 3473 given domain. 3475 +--------------------+ 3476 | Nameservers | 3477 +--------------------+ 3478 | |<>----------[ Server ] 3479 | |<>--{1..*}--[ Address ] 3480 +--------------------+ 3482 Figure 39: The Nameservers Class 3484 The aggregate classes of the Nameservers class are: 3486 Server 3487 One. STRING. The domain name of the name server. 3489 Address 3490 One or more. The address of the name server. The value of the 3491 category attribute MUST be either "ipv4-addr" or "ipv6-addr". See 3492 Section 3.18.1. 3494 The Nameservers class has no attributes. 3496 3.19.2. DomainContacts Class 3498 The DomainContacts class describes the contact information for a 3499 given domain provided either by the registrar or through a whois 3500 query. 3502 This contact information can be explicitly described through a 3503 Contact class or a reference can be provided to a domain with 3504 identical contact information. Either a single SameDomainContact 3505 MUST be present or one or more Contact classes. 3507 +--------------------+ 3508 | DomainContacts | 3509 +--------------------+ 3510 | |<>--{0..1}--[ SameDomainContact ] 3511 | |<>--{1..*}--[ Contact ] 3512 +--------------------+ 3514 Figure 40: The DomainContacts Class 3516 The aggregate classes of the DomainContacts class are: 3518 SameDomainContact 3519 Zero or one. STRING. A domain name already cited in this 3520 document or through previous exchange that contains the identical 3521 contact information as the domain name in question. The domain 3522 contact information associated with this domain should be used 3523 instead of an explicit definition with the Contact class. 3525 Contact 3526 One or more. Contact information for the domain. See 3527 Section 3.9. 3529 The DomainContacts class has no attributes. 3531 3.20. Service Class 3533 The Service class describes a network service. The service is 3534 described by protocol, port, protocol header field and application 3535 providing or using the service. 3537 +-------------------------+ 3538 | Service | 3539 +-------------------------+ 3540 | INTEGER ip-protocol |<>--{0..1}--[ ServiceName ] 3541 | ID observable-id |<>--{0..1}--[ Port ] 3542 | |<>--{0..1}--[ Portlist ] 3543 | |<>--{0..1}--[ ProtoCode ] 3544 | |<>--{0..1}--[ ProtoType ] 3545 | |<>--{0..1}--[ ProtoField ] 3546 | |<>--{0..1}--[ ApplicationHeader ] 3547 | |<>--{0..1}--[ EmailData ] 3548 | |<>--{0..1}--[ Application ] 3549 +-------------------------+ 3551 Figure 41: The Service Class 3553 The aggregate classes of the Service class are: 3555 ServiceName 3556 Zero or one. A protocol name. 3558 Port 3559 Zero or one. INTEGER. A port number. 3561 Portlist 3562 Zero or one. PORTLIST. A list of port numbers. 3564 ProtoCode 3565 Zero or one. INTEGER. A transport layer (layer 4) protocol- 3566 specific code field (e.g., ICMP code field). 3568 ProtoType 3569 Zero or one. INTEGER. A transport layer (layer 4) protocol 3570 specific type field (e.g., ICMP type field). 3572 ProtoField 3573 Zero or one. INTEGER. A transport layer (layer 4) protocol 3574 specific flag field (e.g., TCP flag field). 3576 ApplicationHeader 3577 Zero or one. A protocol header. See Section 3.20.2. 3579 EmailData 3580 Zero or one. Headers associated with an email message. See 3581 Section 3.21. 3583 Application 3584 Zero or one. SOFTWARE. The application acting as either the 3585 client or server for the service. 3587 At least one of these classes MUST be present. 3589 When a given System classes with category="source" and another with 3590 category="target" are aggregated into a single Flow class, and each 3591 of these System classes has a Service and Portlist class, an implicit 3592 relationship between these Portlists exists. If N ports are listed 3593 for a System@category="source", and M ports are listed for 3594 System@category="target", the number of ports in N must be equal to 3595 M. Likewise, the ports MUST be listed in an identical sequence such 3596 that the n-th port in the source corresponds to the n-th port of the 3597 target. If N is greater than 1, a given instance of a Flow class 3598 MUST only have a single instance of a System@category="source" and 3599 System@category="target". 3601 The attributes of the Service class are: 3603 ip-protocol 3604 Optional. INTEGER. The IANA assigned IP protocol number per 3605 [IANA.Protocols] The attribute MUST be set if a Port, Portlist, 3606 ProtoCode, ProtoType, ProtoField class is present. 3608 observable-id 3609 Optional. ID. See Section 3.3.2. 3611 3.20.1. ServiceName Class 3613 The ServiceName class identifies an application protocol. It can be 3614 described by referencing an IANA registered protocol, a URL or with 3615 free-form text. 3617 +--------------------+ 3618 | ServiceName | 3619 +--------------------+ 3620 | |<>--{0..1}--[ IANAService ] 3621 | |<>--{0..*}--[ URL ] 3622 | |<>--{0..*}--[ Description ] 3623 +--------------------+ 3625 Figure 42: The ServiceName Class 3627 The aggregate classes of the ServiceName class are: 3629 IANAService 3630 Zero or one. STRING. The name of the service per the "Service 3631 Name" field of the [IANA.Ports] registry. 3633 URL 3634 Zero or more. URL. A URL to a resource describing the service. 3636 Description 3637 Zero or more. ML_STRING. A free-form text description of the 3638 service. 3640 At least one of these classes MUST be present. 3642 The ServiceName class has no attributes. 3644 3.20.2. ApplicationHeader Class 3646 The ApplicationHeader class describes arbitrary fields from a 3647 protocol header and its corresponding value. 3649 +--------------------------+ 3650 | ApplicationHeader | 3651 +--------------------------+ 3652 | |<>--{1..*}--[ ApplicationHeaderField ] 3653 +--------------------------+ 3655 Figure 43: The ApplicationHeader Class 3657 The aggregate class of the ApplicationHeader class is: 3659 ApplicationHeaderField 3660 One or more. EXTENSION. A field name and value in a protocol 3661 header. The 'name' attribute MUST be set to the field name. The 3662 field value MUST be set in the element content. 3664 The ApplicationHeader class has no attributes. 3666 3.21. EmailData Class 3668 The EmailData class describes headers from an email message and 3669 cryptographic hash and signatures applied to it. 3671 +-------------------------+ 3672 | EmailData | 3673 +-------------------------+ 3674 | ID observable-id |<>--{0..*}--[ EmailTo ] 3675 | |<>--{0..1}--[ EmailFrom ] 3676 | |<>--{0..1}--[ EmailSubject ] 3677 | |<>--{0..1}--[ EmailX-Mailer ] 3678 | |<>--{0..*}--[ EmailHeaderField ] 3679 | |<>--{0..1}--[ EmailHeaders ] 3680 | |<>--{0..1}--[ EmailBody ] 3681 | |<>--{0..1}--[ EmailMessage ] 3682 | |<>--{0..*}--[ HashData ] 3683 | |<>--{0..*}--[ SignatureData ] 3684 +-------------------------+ 3686 Figure 44: EmailData Class 3688 The aggregate classes of the EmailData class are: 3690 EmailTo 3691 Zero or more. EMAIL. The value of the "To:" header field 3692 (Section 3.6.3 of [RFC5322]) in an email. 3694 EmailFrom 3695 Zero or one. EMAIL. The value of the "From:" header field 3696 (Section 3.6.2 of [RFC5322]) in an email. 3698 EmailSubject 3699 Zero or one. STRING. The value of the "Subject:" header field in 3700 an email. See Section 3.6.4 of [RFC5322]. 3702 EmailX-Mailer 3703 Zero or one. STRING. The value of the "X-Mailer:" header field 3704 in an email. 3706 EmailHeaderField 3707 Zero or more. EXTENSION. The header name and value of an 3708 arbitrary header field of the email message. The 'name' attribute 3709 MUST be set to header name. The header value MUST be set in the 3710 element body. The dtype attribute MUST be set to "string". 3712 EmailHeaders 3713 Zero or one. STRING. The headers of an email message. 3715 EmailBody 3716 Zero or one. STRING. The body of an email message. 3718 EmailMessage 3719 Zero or one. STRING. The headers and body of an email message. 3721 HashData 3722 Zero or more. Hash(es) associated with this email message. See 3723 Section 3.26. 3725 SignatureData 3726 Zero or more. Signature(s) associated with this email message. 3727 See Section 3.27. 3729 The attribute of the EmailData class is: 3731 observable-id 3732 Optional. ID. See Section 3.3.2. 3734 3.22. Record Class 3736 The Record class is a container class for log and audit data that 3737 provides supportive information about the events in an incident. The 3738 source of this data will often be the output of monitoring tools. 3739 These logs substantiate the activity described in the document. 3741 +------------------------+ 3742 | Record | 3743 +------------------------+ 3744 | ENUM restriction |<>--{1..*}--[ RecordData ] 3745 | STRING ext-restriction | 3746 +------------------------+ 3748 Figure 45: Record Class 3750 The aggregate classes of the Record class are: 3752 RecordData 3753 One or more. Log or audit data generated by a particular tool. 3754 Separate instances of the RecordData class SHOULD be used for each 3755 type of log. See Section 3.22.1. 3757 The attributes of the Record class are: 3759 restriction 3760 Optional. ENUM. See Section 3.3.1. 3762 ext-restriction 3763 Optional. STRING. A means by which to extend the restriction 3764 attribute. See Section 5.1.1. 3766 3.22.1. RecordData Class 3768 The RecordData class describes or references log or audit data from a 3769 given type of tool and provides a means to annotate the output. 3771 +------------------------+ 3772 | RecordData | 3773 +------------------------+ 3774 | ENUM restriction |<>--{0..1}--[ DateTime ] 3775 | STRING ext-restriction |<>--{0..*}--[ Description ] 3776 | ID observable-id |<>--{0..1}--[ Application ] 3777 | |<>--{0..*}--[ RecordPattern ] 3778 | |<>--{0..*}--[ RecordItem ] 3779 | |<>--{0..*}--[ URL ] 3780 | |<>--{0..*}--[ FileData ] 3781 | |<>--{0..*}-- 3782 | | [ WindowsRegistryKeysModified ] 3783 | |<>--{0..*}--[ CertificateData ] 3784 | |<>--{0..*}--[ AdditionalData ] 3785 +------------------------+ 3787 Figure 46: The RecordData Class 3789 The aggregate classes of the RecordData class are: 3791 DateTime 3792 Zero or one. DATETIME. A timestamp of the data found in the 3793 RecordItem or URL classes. 3795 Description 3796 Zero or more. ML_STRING. A free-form text description of the 3797 data provided in the RecordItem or URL classes. 3799 Application 3800 Zero or one. SOFTWARE. Identifies the tool used to generate the 3801 data in the RecordItem or URL classes. 3803 RecordPattern 3804 Zero or more. A search string to precisely find the relevant data 3805 in the RecordItem or URL classes. See Section 3.22.2. 3807 RecordItem 3808 Zero or more. EXTENSION. Log, audit, or forensic data to support 3809 the conclusions made during the course of analyzing the incident. 3811 URL 3812 Zero or more. URL. A URL reference to a log or audit data. 3814 FileData 3815 Zero or one. The files involved in the incident. See 3816 Section 3.25. 3818 WindowsRegistryKeysModified 3819 Zero or more. The registry keys that were involved in the 3820 incident. See Section 3.23. 3822 CertificateData 3823 Zero or more. The certificates that were involved in the 3824 incident. See Section 3.24. 3826 AdditionalData 3827 Zero or more. EXTENSION. An extension mechanism for data not 3828 explicitly represented in the data model. 3830 At least one of the following classes MUST be present: RecordItem, 3831 URL, FileData, WindowsRegistryKeysModified, CertificateData or 3832 AdditionalData. 3834 The attributes of the RecordData class are: 3836 restriction 3837 Optional. ENUM. See Section 3.3.1. 3839 ext-restriction 3840 Optional. STRING. A means by which to extend the restriction 3841 attribute. See Section 5.1.1. 3843 observable-id 3844 Optional. ID. See Section 3.3.2. 3846 3.22.2. RecordPattern Class 3848 The RecordPattern class describes where in the log data provided or 3849 referenced in RecordData class relevant information can be found. It 3850 provides a way to reference subsets of information, identified by a 3851 pattern, in a large log file, audit trail, or forensic data. 3853 +-----------------------+ 3854 | RecordPattern | 3855 +-----------------------+ 3856 | STRING | 3857 | | 3858 | ENUM type | 3859 | STRING ext-type | 3860 | INTEGER offset | 3861 | ENUM offsetunit | 3862 | STRING ext-offsetunit | 3863 | INTEGER instance | 3864 +-----------------------+ 3866 Figure 47: The RecordPattern Class 3868 The content of the class is of type STRING and specifies a search 3869 pattern. 3871 The attributes of the RecordPattern class are: 3873 type 3874 Required. ENUM. Describes the type of pattern being specified in 3875 the element content. The default is "regex". These values are 3876 maintained in the "RecordPattern-type" IANA registry per 3877 Section 10.2. 3879 1. regex. regular expression as defined by POSIX Extended 3880 Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX]. 3882 2. binary. Binhex encoded binary pattern, per the HEXBIN data 3883 type. 3885 3. xpath. XML Path (XPath) [W3C.XPATH] 3887 4. ext-value. A value used to indicate that this attribute is 3888 extended and the actual value is provided using the 3889 corresponding ext-* attribute. See Section 5.1.1. 3891 ext-type 3892 Optional. STRING. A means by which to extend the type attribute. 3893 See Section 5.1.1. 3895 offset 3896 Optional. INTEGER. Amount of units (determined by the offsetunit 3897 attribute) to seek into the RecordItem data before matching the 3898 pattern. 3900 offsetunit 3901 Optional. ENUM. Describes the units of the offset attribute. 3902 The default is "line". These values are maintained in the 3903 "RecordPattern-offsetunit" IANA registry per Section 10.2. 3905 1. line. Offset is a count of lines. 3907 2. byte. Offset is a count of bytes. 3909 3. ext-value. A value used to indicate that this attribute is 3910 extended and the actual value is provided using the 3911 corresponding ext-* attribute. See Section 5.1.1. 3913 ext-offsetunit 3914 Optional. STRING. A means by which to extend the offsetunit 3915 attribute. See Section 5.1.1. 3917 instance 3918 Optional. INTEGER. Number of times to apply the specified 3919 pattern. 3921 3.23. WindowsRegistryKeysModified Class 3923 The WindowsRegistryKeysModified class describes Windows operating 3924 system registry keys and the operations that were performed on them. 3925 This class was derived from [RFC5901]. 3927 +-----------------------------+ 3928 | WindowsRegistryKeysModified | 3929 +-----------------------------+ 3930 | ID observable-id |<>--{1..*}--[ Key ] 3931 +-----------------------------+ 3933 Figure 48: The WindowsRegistryKeysModified Class 3935 The aggregate classes of the WindowsRegistryKeysModified class are: 3937 Key 3938 One or more. The Window registry key. See Section 3.23.1. 3940 The attribute of the WindowsRegistryKeysModified class is: 3942 observable-id 3943 Optional. ID. See Section 3.3.2. 3945 3.23.1. Key Class 3947 The Key class describes a Windows operating system registry key name 3948 and value pair, and the operation performed on it. 3950 +---------------------------+ 3951 | Key | 3952 +---------------------------+ 3953 | ENUM registryaction |<>----------[ KeyName ] 3954 | STRING ext-registryaction |<>--{0..1}--[ KeyValue ] 3955 | ID observable-id | 3956 +---------------------------+ 3958 Figure 49: The Key Class 3960 The aggregate classes of the Key class are: 3962 KeyName 3963 One. STRING. The name of a Windows operating system registry key 3964 (e.g.,[HKEY_LOCAL_MACHINE\Software\Test\KeyName]) 3966 KeyValue 3967 Zero or one. STRING. The value of the registry key identified in 3968 the KeyName class encoded per the .reg file format [KB310516]. 3970 The attributes of the Key class are: 3972 registryaction 3973 Optional. ENUM. The type of action taken on the registry key. 3974 These values are maintained in the "Key-registryaction" IANA 3975 registry per Section 10.2. 3977 1. add-key. Registry key added. 3979 2. add-value. Value added to a registry key. 3981 3. delete-key. Registry key deleted. 3983 4. delete-value. Value deleted from a registry key. 3985 5. modify-key. Registry key modified. 3987 6. modify-value. Value modified in a registry key. 3989 7. ext-value. A value used to indicate that this attribute is 3990 extended and the actual value is provided using the 3991 corresponding ext-* attribute. See Section 5.1.1. 3993 ext-registryaction 3994 Optional. STRING. A means by which to extend the registryaction 3995 attribute. See Section 5.1.1. 3997 observable-id 3998 Optional. ID. See Section 3.3.2. 4000 3.24. CertificateData Class 4002 The CertificateData class describes X.509 certificates. 4004 +------------------------+ 4005 | CertificateData | 4006 +------------------------+ 4007 | ENUM restriction |<>--{1..*}--[ Certificate ] 4008 | STRING ext-restriction | 4009 | ID observable-id | 4010 +------------------------+ 4012 Figure 50: The CertificateData Class 4014 The aggregate classes of the CertificateData class are: 4016 Certificate 4017 One or more. A description of an X.509 certificate or certificate 4018 chain. See Section 3.24.1. 4020 The attributes of the CertificateData class are: 4022 restriction 4023 Optional. ENUM. See Section 3.3.1. 4025 ext-restriction 4026 Optional. STRING. A means by which to extend the restriction 4027 attribute. See Section 5.1.1. 4029 observable-id 4030 Optional. ID. See Section 3.3.2. 4032 3.24.1. Certificate Class 4034 The Certificate class describes a given X.509 certificate or 4035 certificate chain. 4037 +--------------------------+ 4038 | Certificate | 4039 +--------------------------+ 4040 | ID observable-id |<>----------[ ds:X509Data ] 4041 | |<>--{0..*}--[ Description ] 4042 +--------------------------+ 4044 Figure 51: The Certificate Class 4046 The aggregate classes of the Certificate class are: 4048 ds:X509Data 4049 One. A given X.509 certificate or chain. See Section 4.4.4 of 4050 [W3C.XMLSIG]. 4052 Description 4053 Zero or more. ML_STRING. A free-form text description explaining 4054 the context of this certificate. 4056 The attributes of the Certificate class are: 4058 observable-id 4059 Optional. ID. See Section 3.3.2. 4061 3.25. FileData Class 4063 The FileData class describes a file or set of files. 4065 +------------------------+ 4066 | FileData | 4067 +------------------------+ 4068 | ENUM restriction |<>--{1..*}--[ File ] 4069 | STRING ext-restriction | 4070 | ID observable-id | 4071 +------------------------+ 4073 Figure 52: The FileData Class 4075 The aggregate classes of the FileData class are: 4077 File 4078 One or more. A description of a file. See Section 3.25.1. 4080 The attributes of the FileData class are: 4082 restriction 4083 Optional. ENUM. See Section 3.3.1. 4085 ext-restriction 4086 Optional. STRING. A means by which to extend the restriction 4087 attribute. See Section 5.1.1. 4089 observable-id 4090 Optional. ID. See Section 3.3.2. 4092 3.25.1. File Class 4094 The File class describes a file; its associated meta data; and 4095 cryptographic hashes and signatures applied to it. 4097 +-----------------------+ 4098 | File | 4099 +-----------------------+ 4100 | ID observable-id |<>--{0..1}--[ FileName ] 4101 | |<>--{0..1}--[ FileSize ] 4102 | |<>--{0..1}--[ FileType ] 4103 | |<>--{0..*}--[ URL ] 4104 | |<>--{0..1}--[ HashData ] 4105 | |<>--{0..1}--[ SignatureData ] 4106 | |<>--{0..1}--[ AssociatedSoftware ] 4107 | |<>--{0..*}--[ FileProperties ] 4108 +-----------------------+ 4110 Figure 53: The File Class 4112 The aggregate classes of the File class are: 4114 FileName 4115 Zero or One. STRING. The name of the file. 4117 FileSize 4118 Zero or One. INTEGER. The size of the file in bytes. 4120 FileType 4121 Zero or One. STRING. The type of file per the IANA Media Types 4122 Registry [IANA.Media]. Valid values correspond to the text in the 4123 "Template" column (e.g., "application/pdf"). 4125 URL 4126 Zero or more. URL. A URL reference to the file. 4128 HashData 4129 Zero or One. Hash(es) associated with this file. See 4130 Section 3.26. 4132 SignatureData 4133 Zero or One. Signature(s) associated with this file. See 4134 Section 3.27. 4136 AssociatedSoftware 4137 Zero or One. SOFTWARE. The software application or operating 4138 system to which this file belongs or by which it can be processed. 4140 FileProperties 4141 Zero or more. EXTENSION. Mechanism by which to extend the data 4142 model to describe properties of the file. 4144 The attributes of the File class are: 4146 observable-id 4147 Optional. ID. See Section 3.3.2. 4149 3.26. HashData Class 4151 The HashData class describes different types of hashes on an given 4152 object (e.g., file, part of a file, email). 4154 +--------------------------+ 4155 | HashData | 4156 +--------------------------+ 4157 | ENUM scope |<>--{0..1}--[ HashTargetID ] 4158 | |<>--{0..*}--[ Hash ] 4159 | |<>--{0..*}--[ FuzzyHash ] 4160 +--------------------------+ 4162 Figure 54: The HashData Class 4164 The aggregate classes of the HashData class are: 4166 HashTargetID 4167 Zero or One. STRING. An identifier that references a subset of 4168 the object being hashed. The semantics of this identifier are 4169 specified by the scope attribute. 4171 Hash 4172 Zero or more. The hash of an object. See Section 3.26.1. 4174 FuzzyHash 4175 Zero or more. The fuzzy hash of an object. See Section 3.26.2. 4177 At least one instance of either Hash or FuzzyHash MUST be present. 4179 The attribute of the HashData class is: 4181 scope 4182 Required. ENUM. Describes on which part of the object the hash 4183 should be applied. These values are maintained in the "HashData- 4184 scope" IANA registry per Section 10.2. 4186 1. file-contents. A hash computed over the entire contents of a 4187 file. 4189 2. file-pe-section. A hash computed on a given section of a 4190 Windows Portable Executable (PE) file. If set to this value, 4191 the HashTargetID class MUST identify the section being hashed. 4192 A section is identified by an ordinal number (starting at 1) 4193 corresponding to the the order in which the given section 4194 header was defined in the Section Table of the PE file header. 4196 3. file-pe-iat. A hash computed on the Import Address 4197 Table (IAT) of a PE file. As IAT hashes are often tool 4198 dependent, if this value is set, the Application class of 4199 either the Hash or FuzzyHash classes MUST specify the tool 4200 used to generate the hash. 4202 4. file-pe-resource. A hash computed on a given resource in a PE 4203 file. If set to this value, the HashTargetID class MUST 4204 identify the resource being hashed. A resource is identified 4205 by an ordinal number (starting at 1) corresponding to the 4206 order in which the given resource is declared in the Resource 4207 Directory of the Data Dictionary in the PE file header. 4209 5. file-pdf-object. A hash computed on a given object in a 4210 Portable Document Format (PDF) file. If set to this value, 4211 the HashTargetID class MUST identify the object being hashed. 4212 This object is identified by its offset in the PDF file. 4214 6. email-hash. A hash computed over the headers and body of an 4215 email message. 4217 7. email-headers-hash. A hash computed over all of the headers 4218 of an email message. 4220 8. email-body-hash. A hash computed over the body of an email 4221 message. 4223 9. ext-value. A value used to indicate that this attribute is 4224 extended and the actual value is provided using the 4225 corresponding ext-* attribute. See Section 5.1.1. 4227 ext-scope 4228 Optional. STRING. A means by which to extend the scope 4229 attribute. See Section 5.1.1. 4231 3.26.1. Hash Class 4233 The Hash class describes a cryptographic hash value; the algorithm 4234 and application used to generate it; and the canonicalization method 4235 applied to the object being hashed. 4237 +----------------+ 4238 | Hash | 4239 +----------------+ 4240 | |<>----------[ ds:DigestMethod ] 4241 | |<>----------[ ds:DigestValue ] 4242 | |<>--{0..1}--[ ds:CanonicalizationMethod ] 4243 | |<>--{0..1}--[ Application ] 4244 +----------------+ 4246 Figure 55: The Hash Class 4248 The aggregate classes of the Hash class are: 4250 ds:DigestMethod 4251 One. The hash algorithm used to generate the hash. See 4252 Section 4.3.3.5 of [W3C.XMLSIG] 4254 ds:DigestValue 4255 One. The computed hash value. See Section 4.3.3.6 of 4256 [W3C.XMLSIG]. 4258 ds:CanonicalizationMethod 4259 Zero or one. The canonicalization method used on the object being 4260 hashed. See Section 4.3.1 of [W3C.XMLSIG]. 4262 Application 4263 Zero or One. SOFTWARE. The application used to calculate the 4264 hash. 4266 The HashData class has no attributes. 4268 3.26.2. FuzzyHash Class 4270 The FuzzyHash class describes a fuzzy hash and the application used 4271 to generate it. 4273 +--------------------------+ 4274 | FuzzyHash | 4275 +--------------------------+ 4276 | |<>--{1..*}--[ FuzzyHashValue ] 4277 | |<>--{0..1}--[ Application ] 4278 | |<>--{0..*}--[ AdditionalData ] 4279 +--------------------------+ 4281 Figure 56: The FuzzyHash Class 4283 The aggregate classes of the FuzzyHash class are: 4285 FuzzyHashValue 4286 One or more. EXTENSION. The computed fuzzy hash value. 4288 Application 4289 Zero or one. SOFTWARE. The application used to calculate the 4290 hash. 4292 AdditionalData 4293 Zero or more. EXTENSION. Mechanism by which to extend the data 4294 model. 4296 The FuzzyData class has no attributes. 4298 3.27. SignatureData Class 4300 The SignatureData class describes different types of digital 4301 signatures on an object. 4303 +--------------------------+ 4304 | SignatureData | 4305 +--------------------------+ 4306 | |<>--{1..*}--[ ds:Signature ] 4307 +--------------------------+ 4309 Figure 57: The SignatureData Class 4311 The aggregate class of the SignatureData class is: 4313 Signature 4314 One or more. An given signature. See Section 4.2 of [W3C.XMLSIG] 4316 The SignatureData class has no attributes. 4318 3.28. IndicatorData Class 4320 The IndicatorData class describes indicators and meta-data associated 4321 with them. 4323 +--------------------------+ 4324 | IndicatorData | 4325 +--------------------------+ 4326 | |<>--{1..*}--[ Indicator ] 4327 +--------------------------+ 4329 Figure 58: The IndicatorData Class 4331 The aggregate class of the IndicatorData class is: 4333 Indicator 4334 One or more. A description of an indicator. See Section 3.29. 4336 The IndicatorData class has no attributes. 4338 3.29. Indicator Class 4340 The Indicator class describes an indicator. An indicator consists of 4341 observable features and phenomenon that aid in the forensic or 4342 proactive detection of malicious activity; and associated meta-data. 4343 An indicator can be described outright; by referencing or composing 4344 previously defined indicators; or by referencing observables 4345 described in the incident report found in this document. 4347 +------------------------+ 4348 | Indicator | 4349 +------------------------+ 4350 | ENUM restriction |<>----------[ IndicatorID ] 4351 | STRING ext-restriction |<>--{0..*}--[ AlternativeIndicatorID ] 4352 | |<>--{0..*}--[ Description ] 4353 | |<>--{0..1}--[ StartTime ] 4354 | |<>--{0..1}--[ EndTime ] 4355 | |<>--{0..1}--[ Confidence ] 4356 | |<>--{0..*}--[ Contact ] 4357 | |<>--{0..1}--[ Observable ] 4358 | |<>--{0..1}--[ ObservableReference ] 4359 | |<>--{0..1}--[ IndicatorExpression ] 4360 | |<>--{0..1}--[ IndicatorReference ] 4361 | |<>--{0..*}--[ NodeRole ] 4362 | |<>--{0..*}--[ AttackPhase ] 4363 | |<>--{0..*}--[ Reference ] 4364 | |<>--{0..*}--[ AdditionalData ] 4365 +------------------------+ 4367 Figure 59: The Indicator Class 4369 The aggregate classes of the Indicator class are: 4371 IndicatorID 4372 One. An identifier for this indicator. See Section 3.29.1 4374 AlternativeIndicatorID 4375 Zero or more. An alternative identifier for this indicator. See 4376 Section 3.29.2 4378 Description 4379 Zero or more. ML_STRING. A free-form text description of the 4380 indicator. 4382 StartTime 4383 Zero or one. DATETIME. A timestamp of the start of the time 4384 period during which this indicator is valid. 4386 EndTime 4387 Zero or one. DATETIME. A timestamp of the end of the time period 4388 during which this indicator is valid. 4390 Confidence 4391 Zero or one. An estimate of the confidence in the quality of the 4392 indicator. See Section 3.12.5. 4394 Contact 4395 Zero or more. Contact information for this indicator. See 4396 Section 3.9. 4398 Observable 4399 Zero or one. An observable feature or phenomenon of this 4400 indicator. See Section 3.29.3. 4402 ObservableReference 4403 Zero or one. A reference to an observable feature or phenomenon 4404 defined elsewhere in the document. See Section 3.29.6. 4406 IndicatorExpression 4407 Zero or one. A composition of observables. See Section 3.29.4. 4409 IndicatorReference 4410 Zero or one. A reference to an indicator. See Section 3.29.7. 4412 NodeRole 4413 Zero or more. The role of the system in the attack should this 4414 indicator be matched to it. See Section 3.18.2. 4416 AttackPhase 4417 Zero or more. The phase in an attack lifecycle during which this 4418 indicator might be seen. See Section 3.29.8. 4420 Reference 4421 Zero or more. A reference to additional information relevant to 4422 this indicator. See Section 3.11.1. 4424 AdditionalData 4425 Zero or more. EXTENSION. Mechanism by which to extend the data 4426 model. 4428 The Indicator class MUST have exactly one instance of an Observable, 4429 IndicatorExpression, ObservableReference, or IndicatorReference 4430 class. 4432 The StartTime and EndTime classes can be used to define an interval 4433 during which the indicator is valid. If both classes are present, 4434 the indicator is consider valid only during the described interval. 4435 If neither class is provided, the indicator is considered valid 4436 during any time interval. If only a StartTime is provided, the 4437 indicator is valid anytime after this timestamp. If only an EndTime 4438 is provided, the indicator is valid anytime prior to this timestamp. 4440 The attributes of the Indicator class are: 4442 restriction 4443 Optional. ENUM. See Section 3.3.1. 4445 ext-restriction 4446 Optional. STRING. A means by which to extend the restriction 4447 attribute. See Section 5.1.1. 4449 3.29.1. IndicatorID Class 4451 The IndicatorID class identifies an indicator with a globally unique 4452 identifier. The combination of the name and version attributes, and 4453 the element content form this identifier. Indicators generated by 4454 given CSIRT MUST NOT reuse the same value unless they are referencing 4455 the same indicator. 4457 +------------------+ 4458 | IndicatorID | 4459 +------------------+ 4460 | ID | 4461 | | 4462 | STRING name | 4463 | STRING version | 4464 +------------------+ 4466 Figure 60: The IndicatorID Class 4468 The content of the class is of type ID and specifies an identifier 4469 for an indicator. 4471 The attributes of the IndicatorID class are: 4473 name 4474 Required. STRING. An identifier describing the CSIRT that 4475 created the indicator. In order to have a globally unique CSIRT 4476 name, the fully qualified domain name associated with the CSIRT 4477 MUST be used. This format is identical to the IncidentID@name 4478 attribute in Section 3.4. 4480 version 4481 Required. STRING. A version number of an indicator. 4483 3.29.2. AlternativeIndicatorID Class 4485 The AlternativeIndicatorID class lists alternative identifiers for an 4486 indicator. 4488 +-------------------------+ 4489 | AlternativeIndicatorID | 4490 +-------------------------+ 4491 | ENUM restriction |<>--{1..*}--[ IndicatorReference ] 4492 | STRING ext-restriction | 4493 +-------------------------+ 4495 Figure 61: The AlternativeIndicatorID Class 4497 The aggregate class of the AlternativeIndicatorID class is: 4499 IndicatorReference 4500 One or more. A reference to an indicator. See Section 3.29.7 4502 The attributes of the AlternativeIndicatorID class are: 4504 restriction 4505 Optional. ENUM. See Section 3.3.1. 4507 ext-restriction 4508 Optional. STRING. A means by which to extend the restriction 4509 attribute. See Section 5.1.1. 4511 3.29.3. Observable Class 4513 The Observable class describes a feature and phenomenon that can be 4514 observed or measured for the purposes of detecting malicious 4515 behavior. 4517 +------------------------+ 4518 | Observable | 4519 +------------------------+ 4520 | ENUM restriction |<>--{0..1}--[ System ] 4521 | STRING ext-restriction |<>--{0..1}--[ Address ] 4522 | |<>--{0..1}--[ DomainData ] 4523 | |<>--{0..1}--[ Service ] 4524 | |<>--{0..1}--[ EmailData ] 4525 | |<>--{0..1}--[ WindowsRegistryKeysModified ] 4526 | |<>--{0..1}--[ FileData ] 4527 | |<>--{0..1}--[ CertificateData ] 4528 | |<>--{0..1]--[ RegistryHandle ] 4529 | |<>--{0..1}--[ RecordData ] 4530 | |<>--{0..1}--[ EventData ] 4531 | |<>--{0..1}--[ Incident ] 4532 | |<>--{0..1}--[ Expectation ] 4533 | |<>--{0..1}--[ Reference ] 4534 | |<>--{0..1}--[ Assessment ] 4535 | |<>--{0..1}--[ DetectionPattern ] 4536 | |<>--{0..1}--[ HistoryItem ] 4537 | |<>--{0..1}--[ BulkObservable ] 4538 | |<>--{0..*}--[ AdditionalData ] 4539 +------------------------+ 4541 Figure 62: The Observable Class 4543 The aggregate classes of the Observable class are: 4545 System 4546 Zero or one. An System observable. See Section 3.17. 4548 Address 4549 Zero or one. An Address observable. See Section 3.18.1. 4551 DomainData 4552 Zero or one. A DomainData observable. See Section 3.19. 4554 Service 4555 Zero or one. A Service observable. See Section 3.20. 4557 EmailData 4558 Zero or one. A EmailData observable. See Section 3.21. 4560 WindowsRegistryKeysModified 4561 Zero or one. A WindowsRegistryKeysModified observable. See 4562 Section 3.23. 4564 FileData 4565 Zero or one. A FileData observable. See Section 3.25. 4567 CertificateData 4568 Zero or one. A CertificateData observable. See Section 3.24. 4570 RegistryHandle 4571 Zero or one. A RegistryHandle observable. See Section 3.9.1. 4573 RecordData 4574 Zero or one. A RecordData observable. See Section 3.22.1. 4576 EventData 4577 Zero or one. An EventData observable. See Section 3.14. 4579 Incident 4580 Zero or one. An Incident observable. See Section 3.2. 4582 Expectation 4583 Zero or one. An Expectation observable. See Section 3.15. 4585 Reference 4586 Zero or one. A Reference observable. See Section 3.11.1. 4588 Assessment 4589 Zero or one. An Assessment observable. See Section 3.12. 4591 DetectionPattern 4592 Zero or one. A DetectionPattern observable. See Section 3.12. 4594 HistoryItem 4595 Zero or one. A HistoryItem observable. See Section 3.13.1. 4597 BulkObservable 4598 Zero or one. A bulk list of observables. See Section 3.29.3.1. 4600 AdditionalData 4601 Zero or more. EXTENSION. Mechanism by which to extend the data 4602 model. 4604 The Observable class MUST have exactly one of the possible child 4605 classes. 4607 The attributes of the Observable class are: 4609 restriction 4610 Optional. ENUM. See Section 3.3.1. 4612 ext-restriction 4613 Optional. STRING. A means by which to extend the restriction 4614 attribute. See Section 5.1.1. 4616 3.29.3.1. BulkObservable Class 4618 The BulkObservable class allows the enumeration of a single type of 4619 observables without requiring each one to be encoded individually in 4620 multiple instances of the same class. 4622 The type attribute describes the type of observable listed in the 4623 child BulkObservableList class. The BulkObservableFormat class 4624 optionally provides additional meta-data. 4626 +---------------------------+ 4627 | BulkObservable | 4628 +---------------------------+ 4629 | ENUM type |<>--{0..1}--[ BulkObservableFormat ] 4630 | STRING ext-type |<>----------[ BulkObservableList ] 4631 | |<>--{0..*}--[ AdditionalData ] 4632 +---------------------------+ 4634 Figure 63: The BulkObservable Class 4636 The aggregate classes of the BulkObservable class are: 4638 BulkObservableFormat 4639 Zero or one. Provides additional meta-data about the observables 4640 enumerated in the BulkObservableList class. See 4641 Section 3.29.3.1.1. 4643 BulkObservableList 4644 One. STRING. A list of observables, one per line. Each line is 4645 separated with either a LF character or CR-and-LF characters. The 4646 type attribute specifies which observables will be listed. 4648 AdditionalData 4649 Zero or more. EXTENSION. Mechanism by which to extend the data 4650 model. 4652 The attributes of the BulkObservable class are: 4654 type 4655 Optional. ENUM. The type of the observable listed in the child 4656 ObservableList class. These values are maintained in the 4657 "BulkObservable-type" IANA registry per Section 10.2. 4659 1. asn. Autonomous System Number (per the Address@category 4660 attribute). 4662 2. atm. Asynchronous Transfer Mode (ATM) address (per the 4663 Address@category attribute). 4665 3. e-mail. Email address (per the Address@category attribute). 4667 4. ipv4-addr. IPv4 host address in dotted-decimal notation 4668 (e.g., 192.0.2.1) (per the Address@category attribute). 4670 5. ipv4-net. IPv4 network address in dotted-decimal notation, 4671 slash, significant bits (e.g., 192.0.2.0/24) (per the 4672 Address@category attribute). 4674 6. ipv4-net-mask. IPv4 network address in dotted-decimal 4675 notation, slash, network mask in dotted-decimal notation 4676 (i.e., 192.0.2.0/255.255.255.0) (per the Address@category 4677 attribute). 4679 7. ipv6-addr. IPv6 host address (e.g., 2001:DB8::3) (per the 4680 Address@category attribute). 4682 8. ipv6-net. IPv6 network address, slash, significant bits 4683 (e.g., 2001:DB8::/32) (per the Address@category attribute). 4685 9. ipv6-net-mask. IPv6 network address, slash, network mask 4686 (per the Address@category attribute). 4688 10. mac. Media Access Control (MAC) address (i.e., a:b:c:d:e:f) 4689 (per the Address@category attribute). 4691 11. site-uri. A URL or URI for a resource (per the 4692 Address@category attribute). 4694 12. domain-name. A fully qualified domain name or part of a 4695 name. (e.g., fqdn.example.com, example.com). 4697 13. domain-to-ipv4. A fqdn-to-IPv4 address mapping specified as 4698 a comma separated list (e.g., "fqdn.example.com, 192.0.2.1"). 4700 14. domain-to-ipv6. A fqdn-to-IPv6 address mapping specified as 4701 a comma separated list (e.g., "fqdn.example.com, 4702 2001:DB8::3"). 4704 15. domain-to-ipv4-timestamp. Same as domain-to-ipv4 but with a 4705 timestamp (in the DATETIME format) of the resolution (e.g., 4706 "fqdn.example.com, 192.0.2.1, 2015-06-11T00:38:31-06:00"). 4708 16. domain-to-ipv6-timestamp. Same as domain-to-ipv6 but with a 4709 timestamp (in the DATETIME format) of the resolution (e.g., 4710 "fqdn.example.com, 2001:DB8::3, 2015-06-11T00:38:31-06:00"). 4712 17. ipv4-port. An IPv4 address, port and protocol tuple (e.g., 4713 192.0.2.1, 80, tcp). The protocol name corresponds to the 4714 "Keyword" column in the [IANA.Protocols] registry. 4716 18. ipv6-port. An IPv6 address, port and protocol tuple (e.g., 4717 2001:DB8::3, 80, tcp). The protocol name corresponds to the 4718 "Keyword" column in the [IANA.Protocols] registry. 4720 19. windows-reg-key. A Microsoft Windows Registry key. 4722 20. file-hash. A file hash. The format of this hash is 4723 described in the Hash class that MUST be present in a sibling 4724 BulkObservableFormat class. 4726 21. email-x-mailer. An X-Mailer field from an email. 4728 22. email-subject. An email subject line. 4730 23. http-user-agent. A User Agent field from an HTTP request 4731 header (e.g., "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) 4732 Gecko/20100101 Firefox/38.0"). 4734 24. http-request-uri. The Request URI from an HTTP request 4735 header. 4737 25. mutex. The name of a system mutex. 4739 26. file-path. A file path (e.g., "/tmp/local/file", 4740 "c:\windows\system32\file.sys") 4742 27. user-name. A username. 4744 28. ext-value. A value used to indicate that this attribute is 4745 extended and the actual value is provided using the 4746 corresponding ext-* attribute. See Section 5.1.1. 4748 ext-type 4749 Optional. STRING. A means by which to extend the type attribute. 4750 See Section 5.1.1. 4752 3.29.3.1.1. BulkObservableFormat Class 4754 The ObservableFormat class specifies meta-data about the format of an 4755 observable enumerated in a sibling BulkObservableList class. 4757 +---------------------------+ 4758 | BulkObservableFormat | 4759 +---------------------------+ 4760 | |<>--{0..1}--[ Hash ] 4761 | |<>--{0..*}--[ AdditionalData ] 4762 +---------------------------+ 4764 Figure 64: The BulkObservableFormat Class 4766 The aggregate classes of the BulkObservableFormat class are: 4768 Hash 4769 Zero or one. Describes the format of a hash. See Section 3.26.1. 4771 AdditionalData 4772 Zero or more. EXTENSION. Mechanism by which to extend the data 4773 model. 4775 The BulkObservableFormat class has no attributes. 4777 Either Hash or AdditionalData MUST be present. 4779 3.29.4. IndicatorExpression Class 4781 The IndicatorExpression describes an expression composed of observed 4782 phenomenon or features, or indicators. Elements of the expression 4783 can be described directly, reference relevant data from other parts 4784 of a given IODEF document, or reference previously defined 4785 indicators. 4787 All child classes of a given instance of IndicatorExpression form a 4788 boolean algebraic expression where the operator between them is 4789 determined by the operator attribute. 4791 +--------------------------+ 4792 | IndicatorExpression | 4793 +--------------------------+ 4794 | ENUM operator |<>--{0..*}--[ IndicatorExpression ] 4795 | STRING ext-operator |<>--{0..*}--[ Observable ] 4796 | |<>--{0..*}--[ ObservableReference ] 4797 | |<>--{0..*}--[ IndicatorReference ] 4798 | |<>--{0..1}--[ Confidence ] 4799 | |<>--{0..*}--[ AdditionalData ] 4800 +--------------------------+ 4802 Figure 65: The IndicatorExpression Class 4804 The aggregate classes of the IndicatorExpression class are: 4806 IndicatorExpression 4807 Zero or more. An expression composed of other observables or 4808 indicators. See Section 3.29.4. 4810 Observable 4811 Zero or more. A description of an observable. See 4812 Section 3.29.3. 4814 ObservableReference 4815 Zero or more. A reference to an observable. See Section 3.29.6. 4817 IndicatorReference 4818 Zero or more. A reference to an indicator. See Section 3.29.7. 4820 Confidence 4821 Zero or one. An estimate of the confidence in the quality of the 4822 terms expressed in the expression. See Section 3.12.5. 4824 AdditionalData 4825 Zero or more. EXTENSION. Mechanism by which to extend the data 4826 model. 4828 The attributes of the IndicatorExpression class are: 4830 operator 4831 Optional. ENUM. The operator to be applied between the child 4832 elements. See Section 3.29.5 for parsing guidance. The default 4833 value is "and". These values are maintained in the 4834 "IndicatorExpression-operator" IANA registry per Section 10.2. 4836 1. not. negation operator. 4838 2. and. conjunction operator. 4840 3. or. disjunction operator. 4842 4. xor. exclusive disjunction operator. 4844 ext-operator 4845 Optional. STRING. A means by which to extend the operator 4846 attribute. See Section 5.1.1. 4848 3.29.5. Expressions with IndicatorExpression 4850 Boolean algebraic expressions can be used to specify relationships 4851 between observables and indicator. These expressions are constructed 4852 through the use of the operator attribute and parent-child 4853 relationships in IndicatorExpressions. These expressions should be 4854 parsed as follows: 4856 1. The operator specified by the operator attribute is applied 4857 between each of the child elements of the immediate parent 4858 IndicatorExpression element. If no operator attribute is 4859 specified, it should be assumed to be the conjunction operator 4860 (i.e., operator="and"). 4862 2. A nested IndicatorExpression element with a parent 4863 IndicatorExpression is the equivalent of a parentheses in the 4864 expression. 4866 The following four examples in Figure 66 through Figure 70 illustrate 4867 these parsing rules: 4869 1 : 4870 2 [O1]: .. 4871 3 [O2]: .. 4872 4 : 4874 Equivalent expression: (O1 AND O2) 4876 Figure 66: Nested elements in an IndicatorExpression without an 4877 operator attribute specified 4879 1 : 4880 2 [O1]: .. 4881 3 [O2]: .. 4882 4 : 4884 Equivalent expression: (O1 OR O2) 4886 Figure 67: Nested elements in an IndicatorExpression with an operator 4887 attribute specified 4889 1 : 4890 2 : 4891 3 [O1]: .. 4892 4 [O2]: .. 4893 5 : 4894 6 [O3]: .. 4895 7 : 4897 Equivalent expression: ((O1 OR O2) OR O3) 4899 Figure 68: Nested elements with a recursive IndicatorExpression with 4900 an operator attribute specified 4902 1 : 4903 2 : 4904 3 [O1]: .. 4905 4 [O2]: .. 4906 5 : 4907 6 : 4909 Equivalent expression: (NOT (O1 AND O2)) 4911 Figure 69: A recursive IndicatorExpression with an operator attribute 4912 specified 4914 1 : 4915 2 : 4916 3 [O1 with low confidence] : .. 4917 4 : 4918 5 : 4919 6 : 4920 7 [O2 with high confidence]: .. 4921 8 : 4922 9 : 4923 10 : 4925 Equivalent expression: ((O1) OR (O2)) 4927 Figure 70: Varying confidence on particular Observables 4929 Invalid algebraic expressions while valid XML, MUST NOT be specified. 4931 3.29.6. ObservableReference Class 4933 The ObservableReference describes a reference to an observable 4934 feature or phenomenon described elsewhere in the document. 4936 The ObservableReference class has no content. 4938 +-------------------------+ 4939 | ObservableReference | 4940 +-------------------------+ 4941 | IDREF uid-ref | 4942 +-------------------------+ 4944 Figure 71: The ObservableReference Class 4946 The ObservableReference class has no content. 4948 The attribute of the ObservableReference class is: 4950 uid-ref 4951 Required. IDREF. An identifier that serves as a reference to a 4952 class in the IODEF document. The referenced class will have this 4953 identifier set in its observable-id attribute. 4955 3.29.7. IndicatorReference Class 4957 The IndicatorReference describes a reference to an indicator. This 4958 reference may be to an indicator described in this IODEF document or 4959 in a previously exchanged IODEF document. 4961 The IndicatorReference class has no content. 4963 +--------------------------+ 4964 | IndicatorReference | 4965 +--------------------------+ 4966 | IDREF uid-ref | 4967 | STRING euid-ref | 4968 | STRING version | 4969 +--------------------------+ 4971 Figure 72: The IndicatorReference Class 4973 The attributes of the IndicatorReference class are: 4975 uid-ref 4976 Optional. IDREF. An identifier that references an Indicator 4977 class in the IODEF document. The referenced Indicator class will 4978 have this identifier set in its IndicatorID class. 4980 euid-ref 4981 Optional. STRING. An identifier that references an IndicatorID 4982 not in this IODEF document. 4984 version 4985 Optional. STRING. A version number of an indicator. 4987 Either the uid-ref or the euid-ref attribute MUST be set. 4989 3.29.8. AttackPhase Class 4991 The AttackPhase class describes a particular phase of an attack 4992 lifecycle. 4994 +------------------------+ 4995 | AttackPhase | 4996 +------------------------+ 4997 | |<>--{0..*}--[ AttackPhaseID ] 4998 | |<>--{0..*}--[ URL ] 4999 | |<>--{0..*}--[ Description ] 5000 | |<>--{0..*}--[ AdditionalData ] 5001 +------------------------+ 5003 Figure 73: AttackPhase Class 5005 The aggregate classes of the AttackPhase class are: 5007 AttackPhaseID 5008 Zero or more. STRING. An identifier for the phase of the attack. 5010 URL 5011 Zero or more. URL. A URL to a resource describing this phase of 5012 the attack. 5014 Description 5015 Zero or more. ML_STRING. A free-form text description of this 5016 phase of the attack. 5018 AdditionalData 5019 Zero or more. EXTENSION. A mechanism by which to extend the data 5020 model. 5022 AttackPhase MUST have at least one instance of a child class. 5024 The AttackPhase class has no attributes. 5026 4. Processing Considerations 5028 This section provides additional requirements and guidance on 5029 creating and processing IODEF documents. 5031 4.1. Encoding 5033 Every IODEF document MUST begin with an XML declaration and MUST 5034 specify the XML version used. The character encoding MUST also be 5035 explicitly specified. UTF-8 [RFC3629] SHOULD be used unless UTF-16 5036 [RFC2781] is necessary. Encodings other than UTF-8 and UTF-16 SHOULD 5037 NOT be used. The IODEF conforms to all XML data encoding conventions 5038 and constraints. 5040 The XML declaration with UTF-8 character encoding will read as 5041 follows: 5043 5045 Certain characters have special meaning in XML and MUST not appear in 5046 literal form. Per Section 2.4 of [W3C.XML], these characters MUST be 5047 escaped with a numeric character or entity reference. 5049 4.2. IODEF Namespace 5051 The IODEF schema declares a namespace of 5052 "urn:ietf:params:xml:ns:iodef-2.0" and registers it per [W3C.XMLNS]. 5053 Each IODEF document MUST include a valid reference to the IODEF 5054 schema using the "xsi:schemaLocation" attribute. An example of such 5055 a declaration would look as follows: 5057 5062 4.3. Validation 5064 IODEF documents MUST be well-formed XML. It is RECOMMENDED that 5065 recipients validate the document against the schema described in 5066 Section 8. However, mere conformance to this schema is not 5067 sufficient for a semantically valid IODEF document. The text of 5068 Section 3 describes further formatting and constraints; some that 5069 cannot be conveniently encoded in the schema. These MUST also be 5070 considered by an IODEF implementation. Furthermore, the enumerated 5071 values present in this document are a static list that will be 5072 incomplete over time as select attributes can be extended by a 5073 corresponding IANA registry per Section 10.2. Therefore, IODEF 5074 implementations SHOULD periodically update their schema and MAY need 5075 to update their parsing algorithms to incorporate newly registered 5076 values. 5078 4.4. Incompatibilities with v1 5080 The IODEF data model in this document makes a number of changes to 5081 [RFC5070]. These changes were largely additive -- classes and 5082 enumerated values were added. However, some incompatibilities 5083 between [RFC5070] and this new specification were introduced. These 5084 incompatibilities are as follows: 5086 o The IODEF-Document@version attribute is set to "2.0". 5088 o Attributes with enumerated values can now also be extended with 5089 IANA registries. 5091 o All iodef:MLStringType classes use xml:lang. IODEF-Document also 5092 uses xml:lang. 5094 o The Service@ip_protocol attribute was renamed to @ip-protocol. 5096 o The Node/NodeName class was removed in favor of representing 5097 domain names with Node/DomainData/Name class. The Node/DataTime 5098 class was also removed so that the Node/DomainData/ 5099 DateDomainWasChecked class can represent the time at which the 5100 name to address resolution occurred. 5102 o The Node/NodeRole class was moved to System/NodeRole. 5104 o The Reference class is now defined by [RFC7495]. 5106 o The data previously represented in the Impact class is now in the 5107 SystemImpact and IncidentCategory classes. The Impact class has 5108 been removed. 5110 o The semantics of Counter@type are now represented in Counter@unit. 5112 o The IODEF-Document@formatid attribute has been renamed to @format- 5113 id. 5115 o Incident/ReportTime is no longer mandatory. However, 5116 GenerationTime is. 5118 o The Fax class was removed and is now represented by a generic 5119 Telephone class. 5121 o The Telephone, Email and PostalAddress classes were redefined from 5122 improved internationalization. 5124 o The "ipv6-net-mask" value was remove from category attribute of 5125 Address. 5127 5. Extending the IODEF 5129 In order to support the dynamic nature of security operations, the 5130 IODEF data model will need to continue to evolve. This section 5131 discusses how new data elements can be incorporated into the IODEF. 5132 There is support to add additional enumerated values and new classes. 5133 Adding additional attributes to existing classes is not supported. 5135 These extension mechanisms are designed so that adding new data 5136 elements is possible without requiring a modifications to this 5137 document. Extensions can be implemented publicly or privately. With 5138 proven value, well documented extensions can be incorporated into 5139 future versions of the specification. 5141 5.1. Extending the Enumerated Values of Attributes 5143 Additional enumerated values can be added to select attributes either 5144 through the use of specially marked attributes with the "ext-" prefix 5145 or through a set of corresponding IANA registries. The former 5146 approach allows for the extension to remain private. The latter 5147 approach is public. 5149 5.1.1. Private Extension of Enumerated Values 5151 The data model supports adding new enumerated values to an attribute 5152 without public registration. For each attribute that supports this 5153 extension technique, there is a corresponding attribute in the same 5154 element whose name is identical but with a prefix of "ext-". This 5155 special attribute is referred to as the extension attribute. The 5156 attribute being extended is referred to as an extensible attribute. 5157 For example, an extensible attribute named "foo" will have a 5158 corresponding extension attribute named "ext-foo". An element may 5159 have many extensible attributes. 5161 In addition to a corresponding extension attribute, each extensible 5162 attribute has "ext-value" as one its possible enumerated values. 5163 Selection of this particular value in an extensible attribute signals 5164 that the extension attribute contains data. Otherwise, this "ext- 5165 value" value has no meaning. 5167 In order to add a new enumerated value to an extensible attribute, 5168 the value of this attribute MUST be set to "ext-value", and the new 5169 desired value MUST be set in the corresponding extension attribute. 5170 For example, extending the type attribute of the SystemImpact class 5171 would look as follows: 5173 5175 A given extension attribute MUST NOT be set unless the corresponding 5176 extensible attribute has been set to "ext-value". 5178 5.1.2. Public Extension of Enumerated Values 5180 The data model also supports publicly extending select enumerated 5181 attributes. A new entry can be added by registering a new entry in 5182 the appropriate IANA registry. Section 10.2 provides a mapping 5183 between the extensible attributes and their corresponding registry. 5184 Section 4.3 discusses the XML Validation implications of this type of 5185 extension. All extensible attributes that support private extensions 5186 also support public extensions. 5188 5.2. Extending Classes 5190 Classes of the EXTENSION (iodef:ExtensionType) type can extend the 5191 data model. They provide the ability to have new atomic or XML- 5192 encoded data elements in all of the top-level classes of the Incident 5193 class and a few of the complex subordinate classes. As there are 5194 multiple instances of the extensible classes in the data model, there 5195 is discretion on where to add a new data element. It is RECOMMENDED 5196 that the extension be placed in the most closely related class to the 5197 new information. 5199 Extensions using the atomic data types (i.e., all values of the dtype 5200 attributes other than "xml") MUST: 5202 1. Set the element content to the desired value, and 5204 2. Set the dtype attribute to correspond to the data type of the 5205 element content. 5207 The following guidelines exist for extensions using XML (i.e., 5208 dtype="xml"): 5210 1. The element content of the extensible class MUST be set to the 5211 desired value and the dtype attribute MUST be set to "xml". 5213 2. The extension schema MUST declare a separate namespace. It is 5214 RECOMMENDED that these extensions have the prefix "iodef-". This 5215 recommendation makes readability of the document easier by 5216 allowing the reader to infer which namespaces relate to IODEF by 5217 inspection. 5219 3. It is RECOMMENDED that extension schemas follow the naming 5220 convention of the IODEF data model. This too improves the 5221 readability of extended IODEF documents. The names of all 5222 elements SHOULD be capitalized. For elements with composed 5223 names, a capital letter SHOULD be used for each word. Attribute 5224 names SHOULD be in lower case. Attributes with composed names 5225 SHOULD be separated by a hyphen. 5227 4. Implementations that encounter an unrecognized element, attribute 5228 or attribute value in a supported namespace SHOULD reject the 5229 document as a syntax error. 5231 5. There are security and performance implications in requiring 5232 implementations to dynamically download schemas at run time. 5233 Therefore, implementations MUST NOT download schemas at runtime 5234 unless the appropriate precautions are taken. Implementations 5235 also need to contend with the potential of significant network 5236 and processing issues. 5238 6. Some adopters of the IODEF may have private schema definitions 5239 that are not publicly available. Thus implementations may 5240 encounter IODEF documents with references to private schemas that 5241 may not be resolvable. Hence, IODEF document recipients MUST be 5242 prepared for a schema definition in an IODEF document never to 5243 resolve. 5245 The following schema and XML document excerpt provide a template for 5246 an extension schema and its use in the IODEF document. 5248 This example schema defines a namespace of "iodef-extension1" and a 5249 single element named "newdata". 5251 5255 attributeFormDefault="unqualified" 5256 elementFormDefault="qualified"> 5257 5261 5262 5264 The following XML excerpt demonstrates the use of the above schema as 5265 an extension to the IODEF. 5267 5274 5275 ... 5276 5277 5278 Field that could not be represented elsewhere 5279 5280 5281 5282 5309 If an unrecognized private extension is encountered in processing, 5310 the recipient MAY reject the entire document as a syntax error. 5312 6. Internationalization Issues 5314 Internationalization and localization is of specific concern to the 5315 IODEF as it facilitates operational coordination with a diverse set 5316 of partners. The IODEF implements internationalization by relying on 5317 XML constructs and through explicit design choices in the data model. 5319 Since the IODEF is implemented as an XML Schema, it supports 5320 different character encodings, such as UTF-8 and UTF-16, possible 5321 with XML. Additionally, each IODEF document MUST specify the 5322 language in which its content is encoded. The language can be 5323 specified with the attribute "xml:lang" (per Section 2.12 of 5324 [W3C.XML]) in the top-level element (i.e., IODEF-Document) and 5325 letting all other elements inherit that definition. All IODEF 5326 classes with a free-form text definition (i.e., all those defined 5327 with type iodef:MLStringType) can also specify a language different 5328 from the rest of the document. 5330 The data model supports multiple translations of free-form text. All 5331 ML_STRING (iodef:MLStringType) classes have a one-to-many cardinality 5332 to their parent. This allows the identical text translated into 5333 different languages to be encoded in different instances of the same 5334 class with a common parent. This design also enables the creation of 5335 a single document containing all the translations. The IODEF 5336 implementation SHOULD extract the appropriate language relevant to 5337 the recipient. 5339 Related instances of a given iodef:MLStringType class that are 5340 translations of each other are identified by a common identifier set 5341 in the translation-id attribute. The example below shows three 5342 instances of a Description class expressed in three different 5343 languages. The relationship between these three instances of the 5344 Description class is conveyed by the common value of "1" in the 5345 translation-id attribute. 5347 5349 ... 5350 English 5352 Englisch 5354 Anglais 5357 The IODEF balances internationalization support with the need for 5358 interoperability. While the IODEF supports different languages, the 5359 data model also relies heavily on standardized enumerated attributes 5360 that can crudely approximate the contents of the document. With this 5361 approach, a CSIRT should be able to make some sense of an IODEF 5362 document it receives even if the free-form text data elements are 5363 written in a language unfamiliar to the recipient. 5365 7. Examples 5367 This section provides example of IODEF documents. These examples do 5368 not represent the full capabilities of the data model or the the only 5369 way to encode particular information. 5371 7.1. Minimal Example 5373 A document containing only the mandatory elements and attributes. 5375 5376 5377 5383 5384 492382 5385 2015-07-18T09:00:00-05:00 5386 5387 5388 contact@csirt.example.com 5389 5390 5391 5392 5393 5395 7.2. Indicators from a Campaign 5397 An example of C2 domains from a given campaign. 5399 5400 5401 5407 5408 897923 5409 5410 5411 5412 TA-12-AGGRESSIVE-BUTTERFLY 5413 5414 Aggressive Butterfly 5415 5416 5417 C-2015-59405 5418 Orange Giraffe 5419 5420 5421 2015-10-02T11:18:00-05:00 5422 Summarizes the Indicators of Compromise 5423 for the Orange Giraffe campaign of the Aggressive 5424 Butterfly crime gang. 5425 5426 5427 5428 5429 5430 CSIRT for example.com 5431 5432 contact@csirt.example.com 5433 5434 5435 5436 5437 5438 G90823490 5439 5440 C2 domains 5441 2014-12-02T11:18:00-05:00 5442 5443 5444 5445 kj290023j09r34.example.com 5446 09ijk23jfj0k8.example.net 5447 klknjwfjiowjefr923.example.org 5448 oimireik79msd.example.org 5449 5450 5451 5452 5454 5455 5456 5458 8. The IODEF Data Model (XML Schema) 5460 5461 5470 5473 5476 5479 5481 5482 5483 Incident Object Description Exchange Format v2.0 5484 5485 5486 5491 5492 5493 5494 5495 5497 5498 5499 5500 5501 5503 5505 5506 5507 5512 5513 5514 5515 5516 5517 5519 5520 5521 5522 5523 5524 5525 5527 5529 5531 5533 5534 5536 5537 5538 5540 5541 5543 5545 5546 5548 5549 5552 5554 5555 5556 5557 5558 5559 5560 5561 5562 5563 5564 5565 5566 5567 5568 5569 5570 5571 5572 5573 5574 5575 5576 5577 5582 5583 5584 5585 5586 5587 5589 5591 5593 5594 5595 5596 5601 5602 5603 5604 5605 5606 5608 5610 5611 5612 5617 5618 5619 5620 5622 5624 5626 5628 5630 5631 5633 5635 5636 5638 5640 5641 5642 5643 5644 5645 5647 5648 5650 5652 5653 5655 5657 5658 5659 5660 5661 5662 5663 5665 5667 5669 5671 5672 5674 5676 5677 5678 5679 5684 5685 5686 5687 5689 5691 5693 5695 5697 5699 5701 5702 5704 5706 5707 5709 5711 5713 5715 5717 5719 5720 5721 5722 5723 5724 5725 5726 5727 5728 5729 5730 5731 5732 5733 5734 5735 5736 5737 5738 5739 5740 5741 5743 5744 5745 5746 5747 5748 5749 5750 5751 5752 5753 5754 5755 5756 5757 5759 5761 5762 5763 5764 5765 5766 5767 5768 5769 5770 5771 5772 5773 5774 5775 5776 5777 5778 5779 5780 5781 5783 5784 5786 5787 5788 5789 5790 5791 5792 5793 5794 5795 5796 5797 5798 5799 5800 5801 5803 5804 5806 5807 5808 5809 5810 5811 5812 5813 5814 5815 5816 5817 5818 5819 5820 5821 5822 5823 5825 5826 5828 5829 5830 5831 5832 5833 5834 5835 5836 5837 5838 5843 5844 5845 5846 5847 5848 5849 5850 5851 5856 5857 5858 5859 5860 5861 5863 5865 5866 5867 5868 5869 5870 5871 5872 5873 5875 5877 5879 5880 5882 5884 5886 5888 5889 5890 5891 5892 5897 5898 5899 5900 5902 5904 5905 5906 5907 5908 5910 5912 5913 5915 5917 5918 5919 5920 5925 5926 5927 5928 5930 5932 5934 5935 5938 5940 5942 5944 5945 5946 5947 5948 5949 5950 5951 5952 5953 5954 5955 5956 5957 5958 5959 5960 5961 5962 5963 5964 5965 5966 5967 5968 5969 5970 5971 5972 5973 5974 5976 5979 5980 5982 5984 5985 5986 5987 5992 5993 5994 5995 5997 5999 6001 6003 6005 6007 6008 6010 6012 6013 6014 6019 6020 6021 6022 6023 6025 6027 6028 6029 6030 6031 6036 6037 6038 6039 6041 6042 6043 6044 6045 6046 6047 6048 6050 6052 6054 6055 6057 6058 6059 6060 6061 6062 6063 6064 6065 6066 6068 6070 6071 6072 6073 6074 6075 6076 6077 6078 6079 6080 6081 6083 6084 6086 6089 6092 6093 6094 6095 6096 6097 6098 6099 6100 6101 6102 6103 6104 6105 6106 6107 6108 6109 6110 6111 6112 6113 6114 6115 6116 6117 6118 6119 6120 6121 6122 6123 6124 6125 6126 6128 6129 6130 6131 6132 6134 6135 6137 6139 6142 6143 6144 6145 6146 6147 6148 6149 6150 6151 6152 6153 6154 6155 6156 6157 6158 6159 6160 6161 6162 6163 6164 6165 6166 6167 6168 6169 6170 6171 6172 6173 6174 6175 6176 6177 6179 6181 6182 6184 6185 6186 6187 6188 6189 6190 6191 6192 6193 6194 6195 6196 6197 6198 6199 6200 6201 6202 6203 6204 6205 6206 6207 6208 6210 6212 6213 6214 6215 6216 6217 6218 6219 6220 6221 6222 6223 6224 6229 6230 6231 6232 6234 6235 6236 6237 6238 6239 6241 6243 6244 6246 6248 6250 6251 6253 6255 6256 6258 6260 6261 6262 6263 6268 6269 6270 6271 6273 6274 6275 6276 6281 6282 6283 6284 6285 6287 6289 6291 6293 6296 6298 6300 6301 6302 6304 6305 6307 6310 6312 6314 6316 6318 6319 6320 6321 6322 6323 6324 6325 6326 6327 6328 6329 6330 6331 6332 6333 6334 6335 6336 6337 6338 6339 6340 6341 6342 6343 6348 6349 6350 6351 6352 6354 6356 6357 6358 6360 6362 6363 6364 6365 6366 6367 6368 6369 6372 6374 6375 6376 6378 6379 6380 6381 6382 6383 6384 6385 6386 6387 6388 6389 6390 6391 6392 6393 6394 6395 6396 6397 6398 6399 6400 6401 6402 6403 6405 6406 6408 6410 6411 6412 6413 6414 6415 6416 6417 6418 6419 6420 6421 6422 6423 6424 6425 6426 6427 6428 6429 6430 6431 6432 6433 6434 6435 6436 6437 6438 6439 6440 6441 6442 6443 6444 6445 6446 6447 6448 6449 6450 6451 6452 6453 6454 6455 6456 6457 6458 6459 6460 6461 6462 6463 6464 6465 6466 6467 6468 6469 6470 6475 6476 6477 6478 6479 6480 6481 6482 6483 6484 6485 6486 6487 6488 6490 6491 6492 6493 6494 6495 6496 6497 6498 6499 6500 6501 6503 6504 6505 6506 6508 6509 6510 6511 6514 6516 6518 6519 6520 6521 6522 6523 6528 6529 6530 6531 6532 6534 6536 6538 6540 6542 6543 6545 6546 6547 6548 6549 6550 6551 6552 6553 6554 6555 6556 6557 6558 6559 6560 6561 6562 6563 6564 6565 6566 6567 6568 6569 6570 6571 6572 6573 6578 6579 6580 6581 6583 6584 6585 6586 6588 6589 6590 6591 6593 6595 6596 6597 6598 6599 6600 6601 6602 6603 6604 6605 6606 6607 6612 6613 6614 6615 6616 6618 6620 6622 6624 6626 6628 6629 6631 6633 6635 6637 6638 6639 6640 6641 6642 6643 6644 6645 6646 6647 6648 6649 6650 6651 6652 6653 6654 6655 6656 6657 6658 6659 6660 6661 6662 6663 6664 6665 6666 6667 6668 6669 6670 6671 6672 6673 6674 6675 6676 6677 6678 6679 6680 6681 6682 6683 6685 6686 6687 6688 6689 6694 6695 6696 6697 6698 6699 6701 6703 6704 6705 6706 6707 6708 6709 6711 6712 6714 6716 6718 6720 6722 6724 6726 6727 6729 6731 6732 6733 6734 6735 6736 6737 6738 6741 6743 6745 6748 6750 6752 6753 6755 6756 6757 6758 6759 6760 6761 6762 6763 6764 6765 6766 6767 6768 6769 6770 6771 6772 6773 6778 6779 6780 6781 6782 6783 6784 6785 6786 6787 6788 6789 6790 6791 6792 6794 6796 6797 6798 6799 6800 6801 6802 6803 6804 6805 6806 6807 6808 6809 6810 6811 6812 6817 6818 6819 6820 6822 6823 6825 6827 6828 6829 6830 6831 6832 6833 6834 6835 6836 6838 6839 6840 6841 6843 6844 6845 6846 6847 6848 6849 6850 6851 6852 6857 6858 6859 6860 6861 6863 6865 6866 6868 6869 6870 6871 6872 6873 6874 6875 6876 6877 6878 6879 6880 6881 6882 6883 6884 6885 6886 6887 6888 6889 6890 6892 6893 6894 6895 6896 6897 6898 6899 6901 6902 6904 6905 6906 6907 6908 6913 6914 6915 6916 6917 6918 6919 6920 6925 6926 6927 6928 6929 6930 6932 6934 6935 6936 6937 6938 6939 6940 6941 6943 6944 6945 6946 6947 6952 6953 6954 6955 6957 6958 6959 6960 6961 6962 6963 6964 6966 6968 6969 6970 6971 6973 6974 6975 6976 6977 6978 6979 6981 6983 6985 6987 6988 6990 6992 6993 6994 6995 6996 6997 6998 6999 7001 7002 7003 7004 7005 7006 7007 7008 7009 7010 7012 7014 7015 7016 7017 7018 7019 7020 7021 7022 7023 7024 7026 7027 7028 7029 7030 7031 7032 7033 7034 7035 7036 7037 7038 7040 7041 7044 7046 7047 7048 7049 7050 7051 7052 7053 7055 7056 7058 7059 7060 7061 7062 7063 7064 7065 7066 7067 7068 7069 7070 7071 7072 7073 7074 7075 7076 7077 7078 7079 7080 7081 7082 7083 7084 7085 7086 7087 7088 7089 7090 7091 7092 7093 7094 7095 7096 7098 7099 7100 7101 7102 7103 7104 7105 7106 7107 7108 7109 7110 7111 7112 7114 7115 7118 7120 7121 7122 7123 7124 7125 7126 7127 7128 7129 7130 7131 7132 7133 7134 7135 7136 7137 7138 7139 7141 7142 7143 7144 7145 7146 7148 7149 7151 7153 7154 7155 7156 7157 7162 7163 7164 7165 7170 7171 7172 7173 7174 7175 7176 7177 7178 7180 7181 7182 7183 7184 7185 7186 7187 7188 7189 7190 7191 7193 7194 7195 7196 7197 7199 7201 7202 7204 7205 7206 7207 7209 7211 7212 7213 7214 7215 7216 7218 7220 7221 7222 7223 7224 7225 7227 7228 7231 7233 7236 7238 7239 7240 7241 7242 7243 7244 7245 7246 7247 7248 7249 7250 7251 7252 7253 7254 7255 7256 7257 7258 7263 7264 7265 7266 7267 7268 7269 7270 7271 7272 7273 7274 7275 7276 7277 7278 7279 7280 7281 7282 7283 7284 7285 7286 7287 7288 7289 7290 7291 7292 7293 7294 7295 7296 7297 7298 7299 7300 7301 7302 7303 7304 7305 7306 7307 7308 7309 7310 7311 7312 7313 7314 7315 7316 7317 7318 7319 7320 7321 7322 7323 7324 7325 7326 7327 7328 7329 7330 7331 7332 7333 7334 7335 7336 7337 7338 7339 7340 7341 7342 7343 7344 7345 7346 7347 7348 7349 7350 7351 7352 7353 7354 7355 7357 9. Security Considerations 7359 The IODEF data model does not directly introduce security or privacy 7360 issues. However, as the data encoded by the IODEF might be 7361 considered sensitive by the parties exchanging it or by those 7362 described by it, care needs to be taken to ensure appropriate 7363 handling during the document construction, exchange, processing, 7364 archiving, subsequent retrieval and analysis. 7366 9.1. Security 7368 The underlying messaging format and protocol used to exchange 7369 instances of the IODEF MUST provide appropriate guarantees of 7370 confidentiality, integrity, and authenticity. The use of a 7371 standardized security protocol is encouraged. The Real-time Inter- 7372 network Defense (RID) protocol [RFC6545] and its associated transport 7373 binding IODEF/RID over HTTP/TLS [RFC6546] provide such security. 7375 An IODEF implementation may act on the data in the document. These 7376 actions might be explicitly requested in the document or the result 7377 of analytical logic that triggered on data in the document. For this 7378 reason, care must be taken by IODEF implementations to properly 7379 authenticate the sender and receiver of the document. The sender 7380 needs confidence that sensitive information and timely requests for 7381 action are sent to the correct recipient. The recipient may 7382 interpret the contents of the document differently based on who sent 7383 it; or vary actions based on the sender. While the sender of the 7384 document may explicitly convey confidence in the data in a granular 7385 way using the Confidence class, the recipient is free to ignore or 7386 refine this information to make its own assessment. Ambiguous 7387 Confidence elements (where it is unclear to which of a set of other 7388 elements the Confidence element relates) in a document MUST be 7389 ignored by the recipient. 7391 Certain classes may require out-of-band coordination to agree upon 7392 their semantics (e.g., Confidence@rating="low" or DefinedCOA). This 7393 coordination MUST occur prior to operational data exchange to prevent 7394 the incorrect interpretation of these select data elements. When 7395 parsing these data elements, implementations should validate, when 7396 possible, that they conform to the agreed upon semantics. These 7397 semantics may need to be periodically reevaluated. 7399 Executable content of various forms could be embedded into the IODEF 7400 document directly or through an extension. Implementation MUST 7401 handle this content with care to prevent unintentional automated 7402 execution. The following classes are explicitly intended to 7403 represent content that might be executable: 7405 o All classes of type iodef:ExtensionType and the RecordPattern 7406 class can represent arbitrary binary strings such as legitimate 7407 software programs or malware. 7409 o The EmailMessage and EmailBody classes can represent email 7410 attachments that can contain arbitrary content. 7412 o The DetectionPattern class could specify a machine-readable 7413 configuration that directs the execution of the corresponding 7414 tool. 7416 Per Section 4.3, IODEF implementations will need to periodically 7417 consult the IANA registries specified in Section 10.2 to discover 7418 newly registered enumerated attribute values. These implementations 7419 MUST communicate with IANA in a way that ensures the integrity of the 7420 values and the authenticity of the source. HTTPS over TLS 7421 [RFC2818][RFC5246] provides such security. 7423 9.2. Privacy 7425 The IODEF contains numerous fields that are identifiers which could 7426 be linked to an individual or organization. IODEF documents may 7427 contain sensitive information about these identified parties; and 7428 repeated document exchanges about the same and related parties may 7429 enable the correlation of data about them. Likewise, a party may 7430 report on another to a third party without their knowledge. 7432 When creating an IODEF document, careful consideration must be given 7433 to what information is shared. Personal identifiers and attributable 7434 sensitive information should only be shared when necessary. 7436 When exchanging documents, transport security MUST provide document- 7437 level confidentiality. XML element-level confidentiality can also be 7438 provided by using [W3C.XMLENC]. 7440 In order to suggest data processing and handling guidelines of the 7441 encoded information, the IODEF allows a document sender to convey a 7442 privacy policy using the restriction attribute. The various 7443 instances of this attribute allow different data elements of the 7444 document to be covered by dissimilar policies. While flexible, it 7445 must be stressed that this approach only serves as a guideline from 7446 the sender, as the recipient is free to ignore it. 7448 Although outside of the scope of an IODEF implementation, the 7449 contents of IODEF documents and any derived analysis should be 7450 archived with at appropriate confidentiality controls. Likewise, 7451 access to retrieve and analyze this data should be restricted to 7452 authorized users. 7454 10. IANA Considerations 7456 This document registers a namespace, an XML schema, and a number of 7457 registries that map to enumerated values defined in the data model. 7458 It also defines an expert review process for IODEF-related XML 7459 registry entries. 7461 10.1. Namespace and Schema 7463 This document uses URNs to describe an XML namespace and schema 7464 conforming to a registry mechanism described in [RFC3688] 7466 Registration for the IODEF namespace: 7468 o URI: urn:ietf:params:xml:ns:iodef-2.0 7470 o Registrant Contact: See the first author of the "Author's Address" 7471 section of this document. 7473 o XML: None. Namespace URIs do not represent an XML specification. 7475 Registration for the IODEF XML schema: 7477 o URI: urn:ietf:params:xml:schema:iodef-2.0 7479 o Registrant Contact: See the first author of the "Author's Address" 7480 section of this document. 7482 o XML: See Section 8 of this document. 7484 10.2. Enumerated Value Registries 7486 This document creates 34 identically structured registries to be 7487 managed by IANA: 7489 o Name of the parent registry: "Incident Object Description Exchange 7490 Format v2 (IODEF)" 7492 o URL of the registry: http://www.iana.org/assignments/iodef2 7494 o Namespace format: A registry entry consists of: 7496 * Value. A value for a given IODEF attribute. It MUST conform 7497 to the formatting specified by the IODEF ENUM data type which 7498 is implemented as an "xs:NMTOKEN" type per Section 3.3.4 of 7499 [W3C.SCHEMA.DTYPES]. The value SHOULD conform to the 7500 convention specified in Section 5.2. 7502 * Description. A short description of the enumerated value. 7504 * Reference. An optional list of URIs to further describe the 7505 value. 7507 o Allocation policy: Expert Review per [RFC5226]. This reviewer 7508 will ensure that the requested registry entry conforms to the 7509 prescribed formatting. The reviewer will also ensure that the 7510 entry is an appropriate value for the attribute per the 7511 information model (Section 3). 7513 The registries to be created are named in the "Registry Name" column 7514 of Table 1. Each registry is initially populated with values and 7515 descriptions that come from an attribute specified in the IODEF 7516 schema (Section 8) whose description is found in a sub-section of the 7517 information model (Section 3). The initial values for the Value and 7518 Description fields of a given registry are listed in the "IV (Value)" 7519 and "IV (Description)" columns respectively. The "IV (Value)" points 7520 to a given schema type per Section 8. Each enumerated value in the 7521 schema gets a corresponding entry in a given registry. The "IV 7522 (Description)" points to a section in the text of this document that 7523 describes each enumerated value. The initial value of the Reference 7524 field of every registry entry described below should be this 7525 document. 7527 +-----------------------+---------------------------+---------------+ 7528 | Registry Name | IV (Value) | IV | 7529 | | | (Description) | 7530 +-----------------------+---------------------------+---------------+ 7531 | Restriction | iodef-restriction-type | Section 3.3.1 | 7532 | | | | 7533 | Incident-purpose | incident-purpose-type | Section 3.2 | 7534 | | | | 7535 | Incident-status | incident-status-type | Section 3.2 | 7536 | | | | 7537 | Contact-role | contact-role-type | Section 3.9 | 7538 | | | | 7539 | Contact-type | contact-type-type | Section 3.9 | 7540 | | | | 7541 | RegistryHandle- | registryhandle-registry- | Section 3.9.1 | 7542 | registry | type | | 7543 | | | | 7544 | PostalAddress-type | postaladdress-type-type | Section 3.9.2 | 7545 | | | | 7546 | Telephone-type | telephone-type-type | Section 3.9.4 | 7547 | | | | 7548 | Email-type | email-type-type | Section 3.9.3 | 7549 | | | | 7550 | Expectation-action | action-type | Section 3.15 | 7551 | | | | 7552 | Discovery-source | discovery-source-type | Section 3.10 | 7553 | | | | 7554 | SystemImpact-type | systemimpact-type-type | Section | 7555 | | | 3.12.1 | 7556 | | | | 7557 | BusinessImpact- | businessimpact-severity- | Section | 7558 | severity | type | 3.12.2 | 7559 | | | | 7560 | BusinessImpact-type | businessimpact-type-type | Section | 7561 | | | 3.12.2 | 7562 | | | | 7563 | TimeImpact-metric | timeimpact-metric-type | Section | 7564 | | | 3.12.3 | 7565 | | | | 7566 | TimeImpact-duration | duration-type | Section | 7567 | | | 3.12.3 | 7568 | | | | 7569 | Confidence-rating | confidence-rating-type | Section | 7570 | | | 3.12.5 | 7571 | | | | 7572 | NodeRole-category | noderole-category-type | Section | 7573 | | | 3.18.2 | 7574 | | | | 7575 | System-category | system-category-type | Section 3.17 | 7576 | | | | 7577 | System-ownership | system-ownership-type | Section 3.17 | 7578 | | | | 7579 | Address-category | address-category-type | Section | 7580 | | | 3.18.1 | 7581 | | | | 7582 | Counter-type | counter-type-type | Section | 7583 | | | 3.18.3 | 7584 | | | | 7585 | Counter-unit | counter-unit-type | Section | 7586 | | | 3.18.3 | 7587 | | | | 7588 | DomainData-system- | domaindata-system-status- | Section 3.19 | 7589 | status | type | | 7590 | | | | 7591 | DomainData-domain- | domaindata-domain-status- | Section 3.19 | 7592 | status | type | | 7593 | | | | 7594 | RecordPattern-type | recordpattern-type-type | Section | 7595 | | | 3.22.2 | 7596 | | | | 7597 | RecordPattern- | recordpattern-offsetunit- | Section | 7598 | offsetunit | type | 3.22.2 | 7599 | | | | 7600 | Key-registryaction | key-registryaction-type | Section | 7601 | | | 3.23.1 | 7602 | | | | 7603 | HashData-scope | hashdata-scope-type | Section 3.26 | 7604 | | | | 7605 | BulkObservable-type | bulkobservable-type-type | Section | 7606 | | | 3.29.3.1 | 7607 | | | | 7608 | IndicatorExpression- | indicatorexpression- | Section | 7609 | operator | operator-type | 3.29.4 | 7610 | | | | 7611 | ExtensionType-dtype | dtype-type | Section 2.16 | 7612 | | | | 7613 | SoftwareReference- | softwarereference-spec- | Section | 7614 | spec-id | id-type | 2.15.1 | 7615 | | | | 7616 | SoftwareReference- | softwarereference-dtype- | Section | 7617 | dtype | type | 2.15.1 | 7618 +-----------------------+---------------------------+---------------+ 7619 Table 1: IANA Enumerated Value Registries 7621 10.3. Expert Review of IODEF-Related XML Registry Entries 7623 IODEF class extensions, per Section 5.2, could register their 7624 namespaces and schemas with the IANA XML Namespace ("ns", 7625 http://www.iana.org/assignments/xml-registry/xml-registry.xhtml#ns) 7626 and Schema registries ("schema", http://www.iana.org/assignments/xml- 7627 registry/xml-registry.xhtml#schema) described in [RFC3688]. In 7628 addition to any reviews required by IANA, changes to the XML Schema 7629 registry for schema names beginning with 7630 "urn:ietf:params:xml:schema:iodef" are subject to an additional IODEF 7631 Expert Review [RFC5226] to ensure compatibility with IODEF and other 7632 existing IODEF extensions. 7634 The IODEF expert(s) for these reviews will be designated by the IETF 7635 Security Area Directors. 7637 This document obsoletes [RFC6685]. 7639 11. Acknowledgments 7641 Thanks to Paul Stockler for his editorial leadership in the 7642 transition of RFC5070bis to this document. 7644 Thanks to Kathleen Moriarty, Brian Trammel, Alexey Melnikov, Takeshi 7645 Takahashi, David Waltermire and Sean Turner as the MILE working group 7646 chairs, secretary or area directors for providing feedback and 7647 coordination of this document. 7649 Thanks to the following individuals (listed alphabetically) who 7650 provided feedback during the meetings, on the mailing list or through 7651 implementation experience: Jerome Athias, David Black, Eric Burger, 7652 Toma Cejka, Patrick Curry, John Field, Christopher Harrington, Chris 7653 Inacio, Panos Kampanakis, David Misell, Daisuke Miyamoto, Adam 7654 Montville, Robert Moskowitz, Lagadec Philippe, Tony Rutkowski, Mio 7655 Suzuki and Nik Teague. 7657 12. References 7659 12.1. Normative References 7661 [W3C.XML] World Wide Web Consortium, "Extensible Markup Language 7662 (XML) 1.0 (Fifth Edition)", W3C Recommendation , November 7663 2008, . 7665 [W3C.SCHEMA] 7666 World Wide Web Consortium, "XML XML Schema Part 1: 7667 Structures Second Edition", W3C Recommendation , October 7668 2004, . 7670 [W3C.SCHEMA.DTYPES] 7671 World Wide Web Consortium, "XML Schema Part 2: Datatypes 7672 Second Edition", W3C Recommendation , October 2004, 7673 . 7675 [W3C.XMLNS] 7676 World Wide Web Consortium, "Namespaces in XML 1.0 (Third 7677 Edition)", W3C Recommendation , December 2009, 7678 . 7680 [W3C.XPATH] 7681 World Wide Web Consortium, "XML Path Language (XPath) 7682 3.1", W3C Candidate Recommendation , December 2015, 7683 . 7685 [W3C.XMLSIG] 7686 World Wide Web Consortium, "XML Signature Syntax and 7687 Processing 2.0", W3C Recommendation , June 2008, 7688 . 7690 [IEEE.POSIX] 7691 Institute of Electrical and Electronics Engineers, 7692 "Information Technology - Portable Operating System 7693 Interface (POSIX) - Part 1: Base Definitions", 7694 IEEE 1003.1, June 2001. 7696 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 7697 Requirement Levels", RFC 2119, March 1997. 7699 [RFC5646] Philips, A. and M. Davis, "Tags for Identifying of 7700 Languages", RFC 5646, September 2009. 7702 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 7703 Resource Identifiers (URI): Generic Syntax", RFC 3986, 7704 January 2005`. 7706 [RFC4519] Sciberras, A., "Schema for User Applications", RFC 4519, 7707 June 2006. 7709 [RFC5322] Resnick, P., "Internet Message Format", RFC 5322, October 7710 2008. 7712 [RFC6531] Yao, J. and W. Mao, "SMTP Extension for Internationalized 7713 Email", RFC 6531, February 2012. 7715 [RFC7495] Montville, A. and D. Black, "IODEF Enumeration Reference 7716 Format", RFC 7495, January 2015. 7718 [RFC7203] Takahashi, T., Landfield, K., and Y. Kadobayashi, "An 7719 Incident Object Description Exchange Format (IODEF) 7720 Extension for Structured Cybersecurity Information", 7721 RFC 7203, April 2014. 7723 [ISO4217] International Organization for Standardization, 7724 "International Standard: Codes for the representation of 7725 currencies and funds, ISO 4217:2001", ISO 4217:2001, 7726 August 2001. 7728 [RFC3688] Mealling, M., "The IETF XML Registry", RFC 3688, January 7729 2004. 7731 [IANA.Ports] 7732 Internet Assigned Numbers Authority, "Service Name and 7733 Transport Protocol Port Number Registry", January 2014, 7734 . 7737 [IANA.Protocols] 7738 Internet Assigned Numbers Authority, "Assigned Internet 7739 Protocol Numbers", January 2014, 7740 . 7743 [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 7744 10646", RFC 3629, November 2003. 7746 [RFC2781] Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO 7747 10646", RFC 2781, February 2000. 7749 [IANA.Media] 7750 Internet Assigned Numbers Authority, "Media Types", March 7751 2015, . 7754 [NIST.CPE] 7755 The National Institute of Standards and Technology, 7756 "Common Platform Enumeration", 2014, 7757 . 7759 [ISO19770] 7760 International Organization for Standardization, 7761 "Information technology -- Software asset management -- 7762 Part 2: Software identification tag, ISO/IEC 7763 19770-2:2015", ISO 19770-2:2015, October 2015. 7765 [E.164] ITU Telecommunication Standardization Sector, "The 7766 International Public Telecommunication Numbering Plan", 7767 ITU-T Recommendation E.164 (02/05), February 2005. 7769 [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 7770 Address Text Representation", RFC 5952, August 2010. 7772 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing 7773 Architecture", RFC 4291, February 2006. 7775 12.2. Informative References 7777 [RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "Incident 7778 Object Description Exchange Format", RFC 5070, December 7779 2007. 7781 [RFC6685] Trammell, B., "Expert Review for Incident Object 7782 Description Exchange Format (IODEF) Extensions in IANA XML 7783 Registry", RFC 6685, July 2012. 7785 [RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)", 7786 RFC 6545, April 2012. 7788 [RFC6546] Trammell, B., "Transport of Real-time Inter-network 7789 Defense (RID) Messages over HTTP/TLS", RFC 6546, April 7790 2012. 7792 [RFC5901] Cain, P. and D. Jevans, "Extensions to the IODEF-Document 7793 Class for Reporting Phishing", RFC 5901, July 2010. 7795 [NIST800.61rev2] 7796 Cichonski, P., Millar, T., Grance, T., and K. Scarfone, 7797 "NIST Special Publication 800-61 Revision 2: Computer 7798 Security Incident Handling Guide", January 2012, 7799 . 7802 [RFC3982] Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg) 7803 Type for the Internet Registry Information Service 7804 (IRIS)", RFC 3982, January 2005. 7806 [KB310516] 7807 Microsoft Corporation, "How to add, modify, or delete 7808 registry subkeys and values by using a registration 7809 entries (.reg) file", December 2007. 7811 [RFC4180] Shafranovich, Y., "Common Format and MIME Type for Comma- 7812 Separated Values (CSV) File", RFC 4180, October 2005. 7814 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an 7815 IANA Considerations Section in RFCs", RFC 5226, May 2008. 7817 [W3C.XMLENC] 7818 World Wide Web Consortium, "XML Encryption Syntax and 7819 Processing Version 1.1", W3C Recommendation , April 2013, 7820 . 7822 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. 7824 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 7825 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 7827 Author's Address 7829 Roman Danyliw 7830 CERT - Carnegie Mellon University 7831 4500 Fifth Avenue 7832 Pittsburgh, PA 7833 USA 7835 EMail: rdd@cert.org