IODEF-extension to support structured cybersecurity information
National Institute of Information and Communications Technology
4-2-1 Nukui-Kitamachi Koganei184-8795 TokyoJapan+80 423 27 5862takeshi_takahashi@nict.go.jp
McAfee, Inc
5000 Headquarters DrivePlano, TX 75024USAKent_Landfield@McAfee.com
US Department of Homeland Security, NPPD/CS&C/NCSD/US-CERT
245 Murray Lane SW, Building 410, MS #732Washington, DC 20598USA+1 888 282 0870thomas.millar@us-cert.gov
Nara Institute of Science and Technology
8916-5 Takayama, Ikoma630-0192 NaraJapanyouki-k@is.aist-nara.ac.jp
Security
MILE Working GroupThis document extends the Incident Object Description Exchange Format (IODEF) defined in RFC 5070 to facilitate enriched cybersecurity information exchange among cybersecurity entities by embedding structured information formatted by specifications, including CAPEC™, CEE™, CPE™, CVE®, CVRF, CVSS, CWE™, CWSS™, OCIL, OVAL®, and XCCDF.
Cyber attacks are getting more sophisticated, and their numbers are increasing day by day.
To cope with such situation, incident information needs to be reported, exchanged, and shared among organizations.
IODEF is one of the tools enabling such exchange, and is already in use.
To efficiently run cybersecurity operations, these exchanged information needs to be machine-readable.
IODEF provides a structured means to describe the information, but it needs to embed various non-structured such information in order to convey detailed information.
Further structure within IODEF increases IODEF documents' machine-readability and thus facilitates streamlining cybersecurity operations.
On the other hand, there exist various other activities facilitating detailed and structured description of cybersecurity information, major of which includes CAPEC, CEE, CPE, CVE, CVRF, CVSS, CWE, CWSS, OCIL, OVAL, and XCCDF.
Since such structured description facilitates cybersecurity operations, it would be beneficial to embed and convey these information inside IODEF document.
To enable that, this document extends the IODEF to embed and convey various structured cybersecurity information, with which cybersecurity operations can be facilitated.
Since IODEF defines a flexible and extensible format and supports a granular level of specificity, this document defines an extension to IODEF instead of defining a new report format.
For clarity, and to eliminate duplication, only the additional structures necessary for describing the exchange of such structured information are provided.
The terminology used in this document follows the one defined in RFC 5070. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.To maintain cybersecurity, organization needs to exchange cybersecurity information, which includes the following information: attack pattern, platform information, vulnerability and weakness, countermeasure instruction, computer event log, and the severity.IODEF provides a scheme to exchange such information among interested parties. However, the detailed common format to describe such information is not defined in the IODEF base document.On the other hand, to describe those information and to facilitate exchange, a structured format for that is already available. Major of them are CAPEC, CEE, CPE, CVE, CVRF, CVSS, CWE, CWSS, OCIL, OVAL, and XCCDF.
By embedding them into the IODEF document, the document can convey more detailed contents to the receivers, and the document can be easily reused. Note that interactive communication is needed in some cases, and some of these structured information, e.g., OCIL information, solicits reply from recipients. These reply could be also embedded inside the IODEF document.These structured cybersecurity information facilitates cybersecurity operation at the receiver side. Since the information is machine-readable, the data can be processed by computers. That expedites the automation of cybersecurity operationsFor instance, an organization wishing to report a security incident wants to describe what vulnerability was exploited. Then the sender can simply use IODEF, where an CAPEC record is embedded instead of describing everything in free format text. Receiver can also identify the needed details of the attack pattern by looking up some of the xml tags defined by CAPEC. Receiver can accumulate the attack pattern information (CAPEC record) in its database and could distribute it to the interested parties if needed, without needing human interventions.This draft extends IODEF to embed structured cybersecurity information by introducing new classes, with which these information can be embedded inside IODEF document as element contents of AdditionalData and RecordItem classes.
This extension embeds structured cybersecurity information from external specifications.
The initial list of supported specifications is listed below.
Each entry has namespace, specification name, version, specification URI and applicable classes for each specification.
Future assignments are to be managed by IANA using the Expert Review and Specification Required allocation policies as further specified in .This extension inherits all of the data types defined in the IODEF model. One data type is added: XMLDATA.An embedded XML data is represented by the XMLDATA data type.
This type is defined as the extension to the iodef:ExtensionType, whose dtype attribute is set to "xml."
The IODEF Incident element is summarized below. It is expressed in Unified Modeling Language (UML) syntax as used in the IODEF specification. The UML representation is for illustrative purposes only; elements are specified in XML as defined in Appendix A.This extension defines the following seven elements.An AttackPattern consists of an extension to the Incident.Method.AdditionalData element with a dtype of "xml". The extension describes attack patterns of incidents or events.It is recommended that Method class SHOULD contain one or more of the extension elements whenever available.An AttackPattern class is structured as follows.This class has the following attributes.REQUIRED. ENUM.
The identifier of the specification specifying the format of the RawData element.
The value should be chosen from the namespaces listed in .
Note that the lists in will be developed further by IANA.
In case a RawData or Reference element is provided along with this attribute, writers/senders MUST ensure that this value is consistent with the one provided by the element; if a reader/receiver detects an inconsistency, it SHOULD prefer this attribute's value, and SHOULD log the inconsistency so a human can correct the problem.
OPTIONAL. STRING.
An identifier of an attack pattern to be reported.
This attribute SHOULD be used whenever such identifier is available, but could be omitted if no such one is available. In this case, either RawData or Reference elements, or both of them, MUST be provided.
In case a RawData or Reference element is provided along with this attribute, writers/senders MUST ensure that this value is consistent with the one provided by the element; if a reader/receiver detects an inconsistency, it SHOULD prefer this attribute's value, and SHOULD log the inconsistency so a human can correct the problem.
The AttackPattern class is composed of the following aggregate classes.Zero or more. XMLDATA.
A complete document that is formatted according to the specification and its version identified by the value of the SpecificationID with the .Zero or more of iodef:Reference .
This element allows an IODEF document to include a link to a structured information instead of directly embedding it into a RawData element.Zero or more.
An identifier of software platform involved in the specific attack pattern, which is elaborated in .
Some of the structured information embedded in the RawData element may include the identifier within it.
In this case, this Platform element SHOULD NOT be used.
If a reader/receiver detects the identifiers in both RawData and Platform elements and their inconsistency, it SHOULD prefer the identifiers derived from the Platform element, and SHOULD log the inconsistency so a human can correct the problem.A Platform identifies a software platform. It is recommended that AttackPattern, Vulnerability, Weakness, and System classes contain this elements whenever available.A Platform element is structured as follows.This class has the following attributes.REQUIRED. ENUM.
The identifier of the specification specifying the format of the RawData element.
The value should be chosen from the namespaces listed in .
Note that the lists in will be developed further by IANA.
In case a RawData or Reference element is provided along with this attribute, writers/senders MUST ensure that this value is consistent with the one provided by the element; if a reader/receiver detects an inconsistency, it SHOULD prefer this attribute's value, and SHOULD log the inconsistency so a human can correct the problem.
OPTIONAL. STRING.
An identifier of a platform to be reported.
This attribute SHOULD be used whenever such identifier is available, but could be omitted if no such one is available.
In this case, either RawData or Reference elements, or both of them, MUST be provided.
In case a RawData or Reference element is provided along with this attribute, writers/senders MUST ensure that this value is consistent with the one provided by the element; if a reader/receiver detects an inconsistency, it SHOULD prefer this attribute's value, and SHOULD log the inconsistency so a human can correct the problem.
This class is composed of the following aggregate classes.Zero or more. XMLDATA.
A complete document that is formatted according to the specification and its version identified by the value of the SpecificationID with the .Zero or more of iodef:Reference .
This element allows an IODEF document to include a link to a structured information instead of directly embedding it into a RawData element.Writers/senders MUST ensure the specification name and version identified by the SpecificationID are consistent with the contents of the ID; if a reader/receiver detects an inconsistency, it SHOULD prefer the specification name and version derived from the content, and SHOULD log the inconsistency so a human can correct the problem.A Vulnerability consists of an extension to the Incident.Method.AdditionalData element with a dtype of "xml". The extension describes the (candidate) vulnerabilities of incidents or events.It is recommended that Method class SHOULD contain one or more of the extension elements whenever available.A Vulnerability element is structured as follows.This class has the following attributes.REQUIRED. ENUM.
The identifier of the specification specifying the format of the RawData element.
The value should be chosen from the namespaces listed in .
Note that the lists in will be developed further by IANA.
In case a RawData or Reference element is provided along with this attribute, writers/senders MUST ensure that this value is consistent with the one provided by the element; if a reader/receiver detects an inconsistency, it SHOULD prefer this attribute's value, and SHOULD log the inconsistency so a human can correct the problem.
OPTIONAL. STRING.
An identifier of a vulnerability to be reported.
This attribute SHOULD be used whenever such identifier is available, but could be omitted if no such one is available. In this case, either RawData or Reference elements, or both of them, MUST be provided.
In case a RawData or Reference element is provided along with this attribute, writers/senders MUST ensure that this value is consistent with the one provided by the element; if a reader/receiver detects an inconsistency, it SHOULD prefer this attribute's value, and SHOULD log the inconsistency so a human can correct the problem.
This class is composed of the following aggregate classes.Zero or one. XMLDATA.
A complete document that is formatted according to the specification and its version identified by the value of the SpecificationID with the .Zero or one of iodef:Reference.
This element allows an IODEF document to include a link to a structured information instead of directly embedding it into a RawData element.Zero or more.
An identifier of software platform affected by the vulnerability, which is elaborated in .
Some of the structured information embedded in the RawData element may include the identifier within it.
In this case, this element SHOULD NOT be used.
If a reader/receiver detects the identifiers in both RawData and Platform elements and their inconsistency, it SHOULD prefer the identifiers derived from the Platform element, and SHOULD log the inconsistency so a human can correct the problem.Zero or more.
An indicator of the severity of the vulnerability, such as CVSS and CCSS scores, which is elaborated in .
Some of the structured information may include scores within it.
In this case, the Scoring element SHOULD NOT be used since the RawData element contains the scores.
If a reader/receiver detects scores in both RawData and Scoring elements and their inconsistency, it SHOULD prefer the scores derived from the RawData element, and SHOULD log the inconsistency so a human can correct the problem.A Scoring class describes the scores of the severity in terms of security. It is recommended that Vulnerability and Weakness classes contain the elements whenever available.A Scoring class is structured as follows.This class has two attributes.REQUIRED. ENUM.
The identifier of the specification specifying the format of the RawData element.
The value should be chosen from the namespaces listed in .
Note that the lists in will be developed further by IANA.
In case a RawData or Reference element is provided along with this attribute, writers/senders MUST ensure that this namespace is consistent with the one provided by the element; if a reader/receiver detects an inconsistency, it SHOULD prefer the value of this attribute, and SHOULD log the inconsistency so a human can correct the problem.
This class is composed of an aggregate class.One. XMLDATA.
A complete document that is formatted according to the specification and its version identified by the value of the SpecificationID with the .
This element includes a set of score information.
Writers/senders MUST ensure the specification name and version identified by the SpecificationID are consistent with the contents of the Score; if a reader/receiver detects an inconsistency, it SHOULD prefer the specification name and version derived from the content, and SHOULD log the inconsistency so a human can correct the problem.A Weakness consists of an extension to the Incident.Method.AdditionalData element with a dtype of "xml". The extension describes the weakness types of incidents or events.It is recommended that Method class SHOULD contain one or more of the extension elements whenever available.A Weakness element is structured as follows. This class has the following attributes.REQUIRED. ENUM.
The identifier of the specification specifying the format of the RawData element.
The value should be chosen from the namespaces listed in .
Note that the lists in will be developed further by IANA.
In case a RawData or Reference element is provided along with this attribute, writers/senders MUST ensure that this value is consistent with the one provided by the element; if a reader/receiver detects an inconsistency, it SHOULD prefer this attribute's value, and SHOULD log the inconsistency so a human can correct the problem.
OPTIONAL. STRING.
An identifier of a weakness to be reported.
This attribute SHOULD be used whenever such identifier is available, but could be omitted if no such one is available. In this case, either RawData or Reference elements, or both of them, MUST be provided.
In case a RawData or Reference element is provided along with this attribute, writers/senders MUST ensure that this value is consistent with the one provided by the element; if a reader/receiver detects an inconsistency, it SHOULD prefer this attribute's value, and SHOULD log the inconsistency so a human can correct the problem.
This class is composed of the following aggregate classes.Zero or more. XMLDATA.
A complete document that is formatted according to the specification and its version identified by the value of the SpecificationID with the .Zero or one of iodef:Reference.
This element allows an IODEF document to include a link to a structured information instead of directly embedding it into a RawData element.Zero or more.
An identifier of software platform affected by the weakness, which is elaborated in .
Some of the structured information embedded in the RawData element may include the identifier within it.
In this case, this element SHOULD NOT be used.
If a reader/receiver detects the identifiers in both RawData and Platform elements and their inconsistency, it SHOULD prefer the identifiers derived from the Platform element, and SHOULD log the inconsistency so a human can correct the problem.Zero or more.
An indicator of the severity of the weakness, such as CWSS score, which is elaborated in . Some of the structured information may include scores within it. In this case, the Scoring element SHOULD NOT be used since the RawData element contains the scores. If a reader/receiver detects scores in both RawData and Scoring elements and their inconsistency, it SHOULD prefer the scores derived from the RawData element, and SHOULD log the inconsistency so a human can correct the problem.An EventReport consists of an extension to the Incident.EventData.Record.RecordData.RecordItem element with a dtype of "xml". The extension embeds structured event reports.It is recommended that RecordItem class SHOULD contain one or more of the extension elements whenever available.An EventReport element is structured as follows. This class has the following attributes.REQUIRED. ENUM.
The identifier of the specification specifying the format of the RawData element.
The value should be chosen from the namespaces listed in .
Note that the lists in will be developed further by IANA.
In case a RawData or Reference element is provided along with this attribute, writers/senders MUST ensure that this value is consistent with the one provided by the element; if a reader/receiver detects an inconsistency, it SHOULD prefer this attribute's value, and SHOULD log the inconsistency so a human can correct the problem.
OPTIONAL. STRING.
An identifier of an event to be reported.
This attribute SHOULD be used whenever such identifier is available, but could be omitted if no such one is available. In this case, either RawData or Reference elements, or both of them, MUST be provided.
In case a RawData or Reference element is provided along with this attribute, writers/senders MUST ensure that this value is consistent with the one provided by the element; if a reader/receiver detects an inconsistency, it SHOULD prefer this attribute's value, and SHOULD log the inconsistency so a human can correct the problem.
This class is composed of three aggregate classes.Zero or one. XMLDATA.
A complete document that is formatted according to the specification and its version identified by the value of the SpecificationID with the .Zero or one of iodef:Reference.
This element allows an IODEF document to include a link to a structured information instead of directly embedding it into a RawData element.This class MUST contain at least one of RawData or Reference elements.
Writers/senders MUST ensure the specification name and version identified by the SpecificationID are consistent with the contents of the RawData; if a reader/receiver detects an inconsistency, it SHOULD prefer the specification name and version derived from the content, and SHOULD log the inconsistency so a human can correct the problem.A Verification consists of an extension to the Incident.AdditionalData element with a dtype of "xml".
The extension elements describes incident on vefifying incidents.
A Verification class is structured as follows. This class has the following attributes.REQUIRED. ENUM.
The identifier of the specification specifying the format of the RawData element.
The value should be chosen from the namespaces listed in .
Note that the lists in will be developed further by IANA.
In case a RawData or Reference element is provided along with this attribute, writers/senders MUST ensure that this value is consistent with the one provided by the element; if a reader/receiver detects an inconsistency, it SHOULD prefer this attribute's value, and SHOULD log the inconsistency so a human can correct the problem.
OPTIONAL. STRING.
An identifier of an check item to be reported.
This attribute SHOULD be used whenever such identifier is available, but could be omitted if no such one is available. In this case, either RawData or Reference elements, or both of them, MUST be provided.
In case a RawData or Reference element is provided along with this attribute, writers/senders MUST ensure that this value is consistent with the one provided by the element; if a reader/receiver detects an inconsistency, it SHOULD prefer this attribute's value, and SHOULD log the inconsistency so a human can correct the problem.
This class is composed of two aggregate classes.Zero or one. XMLDATA.
A complete document that is formatted according to the specification and its version identified by the value of the SpecificationID with the .Zero or one of iodef:Reference.
This element allows an IODEF document to include a link to a structured information instead of directly embedding it into a RawData element.This class MUST contain at least either of RawData and Reference elements.
Writers/senders MUST ensure the specification name and version identified by the SpecificationID are consistent with the contents of the RawData; if a reader/receiver detects an inconsistency, it SHOULD prefer the specification name and version derived from the content, and SHOULD log the inconsistency so a human can correct the problem.A Remediation consists of an extension to the Incident.AdditionalData element with a dtype of "xml".
The extension elements describes incident remediation information including instructions.
It is recommended that Incident class SHOULD contain one or more of this extension elements whenever available.A Remediation class is structured as follows. This class has the following attributes.REQUIRED. ENUM.
The identifier of the specification specifying the format of the RawData element.
The value should be chosen from the namespaces listed in .
Note that the lists in will be developed further by IANA.
In case a RawData or Reference element is provided along with this attribute, writers/senders MUST ensure that this value is consistent with the one provided by the element; if a reader/receiver detects an inconsistency, it SHOULD prefer this attribute's value, and SHOULD log the inconsistency so a human can correct the problem.
OPTIONAL. STRING.
An identifier of a remediation information to be reported.
This attribute SHOULD be used whenever such identifier is available, but could be omitted if no such one is available. In this case, either RawData or Reference elements, or both of them, MUST be provided.
In case a RawData or Reference element is provided along with this attribute, writers/senders MUST ensure that this value is consistent with the one provided by the element; if a reader/receiver detects an inconsistency, it SHOULD prefer this attribute's value, and SHOULD log the inconsistency so a human can correct the problem.
This class is composed of two aggregate classes.Zero or one. XMLDATA.
A complete document that is formatted according to the specification and its version identified by the value of the SpecificationID with the .Zero or one of iodef:Reference.
This element allows an IODEF document to include a link to a structured information instead of directly embedding it into a RawData element.This class MUST contain at least either of RawData and Reference elements.
Writers/senders MUST ensure the specification name and version identified by the SpecificationID are consistent with the contents of the RawData; if a reader/receiver detects an inconsistency, it SHOULD prefer the specification name and version derived from the content, and SHOULD log the inconsistency so a human can correct the problem.This document specifies a format for encoding a particular class of
security incidents appropriate for exchange across organizations. As
merely a data representation, it does not directly introduce security
issues. However, it is guaranteed that parties exchanging instances
of this specification will have certain concerns. For this reason,
the underlying message format and transport protocol used MUST ensure
the appropriate degree of confidentiality, integrity, and
authenticity for the specific environment.Organizations that exchange data using this document are URGED to
develop operating procedures that document the following areas of
concern.The underlying messaging format and protocol used to exchange
instances of the IODEF MUST provide appropriate guarantees of
confidentiality, integrity, and authenticity. The use of a
standardized security protocol is encouraged. The Real-time Inter-
network Defense (RID) protocol and its associated transport
binding provide such security.The critical security concerns are that these structured information may
be falsified or they may become corrupt during transit.
In areas where transmission security or secrecy is questionable, the
application of a digital signature and/or message encryption on each
report will counteract both of these concerns. We expect that each
exchanging organization will determine the need, and mechanism, for
transport protection. This document uses URNs to describe XML namespaces and XML schemata
conforming to a registry mechanism described in .Registration request for the IODEF structured cybersecurity information extension namespace:URI: urn:ietf:params:xml:ns:iodef-sci-1.0 Registrant Contact: Refer here to the authors' addresses section of the document.XML: None Registration request for the IODEF structured cybersecurity information extension XML schema:URI: urn:ietf:params:xml:schema:iodef-sci-1.0 Registrant Contact: Refer here to the authors' addresses section of the document.XML: Refer here to the XML Schema in the appendix of the document.This memo creates the following registry for IANA to manage:Name of the registry: "IODEF Structured Cyber Security Information Specifications"Namespace details: A registry entry for a Structured Cyber Security Information Specification (SCI specification) consists of:
Namespace: A URI that is the XML namespace name used by the registered SCI specification.Specification Name: A string containing the spelled-out name of the SCI specification in human-readable form.Specification URI: A list of one or more of the URIs from which the registered specification can be obtained. The registered specification MUST be readily and publicly available from that URI.Applicable Classes: A list of one or more of the Extended Classes specified in of this document. The registered SCI specification MUST only be used with the Extended Classes in the registry entry.Information that must be provided to assign a new value: The above list of information.Fields to record in the registry: Namespace/Specification Name/Version/Applicable Classes.Initial registry contents: See sections from through above.Allocation Policy: Expert Review and Specification Required.The Designated Expert is expected to consult with the mile (Managed Incident Lightweight Exchange) working group or its successor if any such WG exists (e.g., via email to the working group's mailing list). The Designated Expert is expected to retrieve the SCI specification from the provided URI in order to check the public availability of the specification and verify the correctness of the URI. An important responsibility of the Designated Expert is to ensure that the registered Applicable Classes are appropriate for the registered SCI specification.We would like to acknowledge Mr. David Black from EMC, who kindly provided generous support, especially on the IANA registry issues. We also would like to thank Paul Cichonski from NIST, Robert Martin from MITRE, Kathleen Moriarty from EMC, Lagadec Philippe from NATO, Shuhei Yamaguchi from NICT, Anthony Rutkowski from Yaana Technology, and Brian Trammel from CERT/NetSA for their sincere discussion and feedback on this document.The XML Schema describing the elements defined in the Extension Definition section is given here. Each of the examples in should be verified to validate against this schema by automated tools.This section provides an example of an incident encoded in the IODEF.
This do not necessarily represent the only way to encode a
particular incident. Below is an example of a CSIRT reporting an attack.Extensible Markup Language (XML) 1.0 (Fifth Edition)XML Schema Part 1: Structures Second EditionXML Schema Part 2: Datatypes Second Edition"Namespaces in XML (Third Edition)Common Attack Pattern Enumeration and Classification (CAPEC)The MITRE CorporationCommon Configuration Enumeration (CCE)The MITRE CorporationThe Common Configuration Scoring System (CCSS)Common Event Expression (CEE)The MITRE CorporationCommon Platform EnumerationNational Institute of Standards and TechnologyCommon Vulnerability and Exposures (CVE)The MITRE CorporationCommon Vulnerability Reporting Framework (CVRF)ICASIThe Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency SystemsPeter Mell, Karen Scarfone, and Sasha RomanoskyCommon Weakness Enumeration (CWE)The MITRE CorporationCommon Weakness Scoring System (CWSS)The MITRE CorporationThe Open Checklist Interactive Language (OCIL) Version 2.0David Waltermire and Karen Scarfone and Maria CasipeOpen Vulnerability and Assessment Language (OVAL)The MITRE CorporationSpecification for the Extensible Configuration Checklist Description Format (XCCDF) version 1.2 (DRAFT)David Waltermire and Charles Schmidt and Karen Scarfone and Neal ZiringThe Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2