Extended Incident Handling BOF (inch)
Monday, December 10 at 1300-1500
=================================

CHAIRS:
Yuri Demchenko
Roman Danyliw

Mailing list info:
Incident Object Description and Exchange Format: iodef@terena.nl
To subscribe, send this message to majordomo@terena.nl:
    subscribe iodef your_real_name
Mailing List Archive: http://hypermail.terena.nl/iodef-list/mail-archive/

Agenda:
1. Agenda bashing and introductions (5 min)
2. Problem statement and the scope of work - RD (10 min)
3. Requirements for such a standard (including analysis of the current IODEF requirements) - RD, JM
   3.1. Representation issues (i.e., what data needs to be in the standard) - RD (10 min)
   3.2. How a standard would affect the CSIRT workflow - JM (15 min)
4. Current IODEF development
   4.1. Work of the IODEF WG - JM (10 min)
   4.2. IODEF design principles (including the relation to IDMEF) - YD (15 min)
   4.3. Presentation of the current IODEF Data Model and XML DTD document - RD (15 min)
5. Discussion: how to proceed and the proposed charter (30 min)
6. Conclusions (next steps, interest level, etc.) (15 min)

RD - Roman Danyliw
YD - Yuri Demchenko
JM - Jan Meijer

BOF Description
---------------

Problem statement

Just like the Internet on which they occur, computer security incidents are distributed and potentially involve multiple Computer Security Incident Response Teams (CSIRTs) across national borders, languages and cultures. The exchange of incident information and statistics among CSIRTs is important both for reactive analysis of current intruder activity and for proactive identification of trends that can lead to incident prevention. There is also a practical need to integrate relevant computer security information (e.g., vulnerability and virus databases) into the Incident Handling Systems used by CSIRTs.

Background

Understanding the advantages of collaboration, there have been several attempts to establish information exchange between CSIRTs in Europe and among the FIRST community. From these collaborative efforts, it was noted that the key element for information exchange is a standard format for describing an Incident (Object). There is ongoing work on the development of the Incident Object Description and Exchange Format (IODEF) in the frame of the IODEF WG at TERENA (http://www.terena.nl/task-forces/tf-csirt/iodef/). The purpose of the IODEF is to define a common data format for the description, archiving and exchange of information about incidents between CSIRTs (including alerts, incidents under investigation, archiving, statistics, reporting, etc.). The recently published RFC 3067 on the IODEF requirements describes the high-level requirements (and the rationale behind them) for such a description and exchange format.

The issue targeted by developing IODEF is the need for a higher-level Incident description and exchange format than will be provided by the Intrusion Detection WG's (IDWG) proposed Intrusion Detection Message Exchange Format (IDMEF). The IODEF and IDMEF are not competing standards, but rather complement each other. Compatibility with IDMEF and other related standards is an obligatory requirement for IODEF. IODEF should be vertically compatible with IDMEF. For example, IODEF should be able to include or reference an IDMEF Alert message as the initial information about an Incident.

In September 2001, a pilot project started at two European CSIRTs, which will develop modules to use IODEF to exchange incident information between their existing Incident Handling systems. This project will provide real-world input to finalize the structure and details of the current draft incident data model.

Standardizing the representation of a security incident has been discussed at numerous TF-CSIRT seminars and FIRST conferences (two IODEF BoFs were held, at FIRST12-2000 and FIRST13-2001), which demonstrated wide interest from both the CSIRT community and commercial security companies.

BOF purpose

The purpose of this BoF is to discuss the completeness and future direction of the IODEF as a standard format for a computer security incident. The data model is currently being validated against real-world incidents. Therefore, feedback on its ability to describe the various facets of CSIRT-to-CSIRT communication is desired. There is every intention to extend the work of the IETF IDWG in representing incidents as higher-level elements of Network Security. This issue was discussed at the last IDWG meeting at IETF50 and found broad support from the group.

Additional information

Incident Taxonomy and Description Working Group at TERENA
http://www.terena.nl/task-forces/tf-csirt/iodef/

RFC 3067 - TERENA's Incident Object Description and Exchange Format Requirements
http://www.ietf.org/rfc/rfc3067.txt

Best Current Practice on Incident Classification and Reporting Schemes, Version 1.0
http://www.terena.nl/task-forces/tf-csirt/iodef/docs/BCPreport1.rtf

Incident Object Description and Exchange Format Data Model and Extensible Markup Language (XML) Document Type Definition (Pre-draft Version 0.03) - 1 December 2001
http://www.terena.nl/task-forces/tf-csirt/iodef/docs/draft-terena-iodef-xml-003.txt

Relations between IODEF and IDMEF, based on IDMEF XML DTD and Data Model Analysis
http://www.ietf.org/proceedings/01mar/slides/idwg-5/index.html