diff options
Diffstat (limited to 'doc/rfc/rfc7203.txt')
-rw-r--r-- | doc/rfc/rfc7203.txt | 1571 |
1 files changed, 1571 insertions, 0 deletions
diff --git a/doc/rfc/rfc7203.txt b/doc/rfc/rfc7203.txt new file mode 100644 index 0000000..f315c9b --- /dev/null +++ b/doc/rfc/rfc7203.txt @@ -0,0 +1,1571 @@ + + + + + + +Internet Engineering Task Force (IETF) T. Takahashi +Request for Comments: 7203 NICT +Category: Standards Track K. Landfield +ISSN: 2070-1721 McAfee + Y. Kadobayashi + NAIST + April 2014 + + + An Incident Object Description Exchange Format (IODEF) Extension + for Structured Cybersecurity Information + +Abstract + + This document extends the Incident Object Description Exchange Format + (IODEF) defined in RFC 5070 to exchange enriched cybersecurity + information among security experts at organizations and facilitate + their operations. It provides a well-defined pattern to consistently + embed structured information, such as identifier- and XML-based + information. + +Status of This Memo + + This is an Internet Standards Track document. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Further information on + Internet Standards is available in Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc7203. + + + + + + + + + + + + + + + + + +Takahashi, et al. Standards Track [Page 1] + +RFC 7203 IODEF-SCI April 2014 + + +Copyright Notice + + Copyright (c) 2014 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + +Table of Contents + + 1. Introduction ....................................................3 + 2. Terminology .....................................................3 + 3. Applicability ...................................................4 + 4. Extension Definition ............................................5 + 4.1. IANA Table for Structured Cybersecurity Information ........5 + 4.2. Extended Data Type: XMLDATA ................................6 + 4.3. Extending IODEF ............................................6 + 4.4. Basic Structure of the Extension Classes ...................8 + 4.5. Defining Extension Classes .................................9 + 4.5.1. AttackPattern .......................................9 + 4.5.2. Platform ...........................................10 + 4.5.3. Vulnerability ......................................11 + 4.5.4. Scoring ............................................11 + 4.5.5. Weakness ...........................................12 + 4.5.6. EventReport ........................................13 + 4.5.7. Verification .......................................14 + 4.5.8. Remediation ........................................15 + 5. Mandatory-to-Implement Features ................................15 + 5.1. An Example XML Document ...................................16 + 5.2. An XML Schema for the Extension ...........................18 + 6. Security Considerations ........................................20 + 6.1. Transport-Specific Concerns ...............................20 + 6.2. Protection of Sensitive and Private Information ...........21 + 6.3. Application and Server Security ...........................22 + 7. IANA Considerations ............................................22 + 8. Acknowledgments ................................................24 + 9. References .....................................................24 + 9.1. Normative References ......................................24 + 9.2. Informative References ....................................26 + + + + + +Takahashi, et al. Standards Track [Page 2] + +RFC 7203 IODEF-SCI April 2014 + + +1. Introduction + + The number of incidents in cyber society is growing day by day. + Incident information needs to be reported, exchanged, and shared + among organizations in order to cope with the situation. IODEF is + one of the tools already in use that enables such an exchange. + + To more efficiently run security operations, information exchanged + between organizations needs to be machine readable. IODEF provides a + means to describe the incident information, but it often needs to + include various non-structured types of incident-related data in + order to convey more specific details about what is occurring. + Further structure within IODEF increases the machine-readability of + the document, thus providing a means for better automating certain + security operations. + + Within the security community there exist various means for + specifying structured descriptions of cybersecurity information, such + as [CAPEC], [CCE], [CCSS], [CEE], [CPE], [CVE], [CVRF], [CVSS], + [CWE], [CWSS], [MAEC], [OCIL], [OVAL], [SCAP], and [XCCDF]. In this + context, cybersecurity information encompasses a broad range of + structured data representation types that may be used to assess or + report on the security posture of an asset or set of assets. Such + structured descriptions facilitate a better understanding of an + incident while enabling more streamlined automated security + operations. Because of this, it would be beneficial to embed and + convey these types of information inside IODEF documents. + + This document extends IODEF to embed and convey various types of + structured information. Since IODEF defines a flexible and + extensible format and supports a granular level of specificity, this + document defines an extension to IODEF instead of defining a new + report format. For clarity, and to eliminate duplication, only the + additional structures necessary for describing the exchange of such + structured information are provided. + +2. Terminology + + The terminology used in this document follows the terminology defined + in RFC 5070 [RFC5070]. + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [RFC2119]. + + + + + + + +Takahashi, et al. Standards Track [Page 3] + +RFC 7203 IODEF-SCI April 2014 + + +3. Applicability + + To maintain awareness of the continually changing security threat + landscape, organizations need to exchange cybersecurity information, + which includes the following information: attack pattern, platform + information, vulnerability and weakness, countermeasure instruction, + computer event logs, and severity assessments. IODEF provides a + scheme to describe and exchange such information among interested + parties. However, it does not define the detailed formats to specify + such information. + + There already exist structured and detailed formats for describing + these types of information that can be used in facilitating such an + exchange. They include [CAPEC], [CCE], [CCSS], [CEE], [CPE], [CVE], + [CVRF], [CVSS], [CWE], [CWSS], [MAEC], [OCIL], [OVAL], [SCAP], and + [XCCDF]. By embedding them into the IODEF document, the document can + convey more detailed context information to the receivers, and the + document can be easily reused. + + The use of formats for structured information facilitates more + advanced security operations on the receiver side. Since the + information is machine readable, the data can be processed by + computers, thus allowing better automation of security operations. + + For instance, an organization wishing to report a security incident + wants to describe what vulnerability was exploited. In this case, + the sender can simply use IODEF, where an XML-based [XML1.0] attack + pattern record that follows the syntax and vocabulary defined by an + industry specification is embedded, instead of describing everything + in free-form text. The receiver can identify the needed details of + the attack pattern by looking up some of the XML tags defined by the + specification. The receiver can accumulate the attack pattern record + in its database and could distribute it to the interested parties as + needed, all without requiring human intervention. + + In another example, an administrator is investigating an incident and + has detected a configuration problem that he wishes to share with a + partner organization to prevent the same event from occurring at the + partner organization. To confirm that the configuration was in fact + vulnerable, he uses an internal repository to access configuration + information that was gathered prior to the initial attack and that is + specific to a new vulnerability alert. He uses this information to + automatically generate an XML-based software configuration + description, embed it in an IODEF document, and send the resulting + IODEF document to the partner organization. + + + + + + +Takahashi, et al. Standards Track [Page 4] + +RFC 7203 IODEF-SCI April 2014 + + +4. Extension Definition + + This document extends IODEF to embed structured information by + introducing new classes that can be embedded consistently inside an + IODEF document as element contents of the AdditionalData and + RecordItem classes [RFC5070]. + +4.1. IANA Table for Structured Cybersecurity Information + + This extension embeds structured cybersecurity information (SCI) + defined by other specifications. The list of supported + specifications is managed by IANA, and this document defines the + needed fields for the list's entry. + + Each entry for each specification has the namespace [XMLNames], + specification name, version, reference URI, and applicable classes. + Arbitrary URIs that may help readers understand the specification + could be embedded inside the Reference URI field, but it is + recommended that a standard/informational URI describing the + specification be prepared and embedded here. + + The initial IANA table has only one entry, as follows: + + Namespace: urn:ietf:params:xml:ns:mile:mmdef:1.2 + Specification Name: Malware Metadata Exchange Format + Version: 1.2 + Reference URI: <http://standards.ieee.org/develop + /indconn/icsg/mmdef.html>, + <http://grouper.ieee.org/groups + /malware/malwg/Schema1.2/> + Applicable Classes: AttackPattern + + Note that the specification was developed by The Institute of + Electrical and Electronics Engineers, Incorporated (IEEE), through + the Industry Connections Security Group (ICSG) of its Standards + Association. + + The table is managed by IANA, following the allocation policy + specified in Section 7. + + The SpecID attributes of extension classes (Section 4.5) must allow + the values of the specifications' namespace fields, but + implementations are otherwise not required to support all + specifications of the IANA table and may choose which specifications + to support. However, at a minimum, the specification listed in the + initial IANA table needs to be supported, as described in Section 5. + If an implementation received data that it does not support, it may + expand its functionality by looking up the IANA table or notify the + + + +Takahashi, et al. Standards Track [Page 5] + +RFC 7203 IODEF-SCI April 2014 + + + sender of its inability to parse the data. Note that the lookup + could be done manually or automatically, but automatic download of + data from IANA's website is not recommended, since it is not designed + for mass retrieval of data by multiple devices. + +4.2. Extended Data Type: XMLDATA + + This extension inherits all of the data types defined in the IODEF + data model. One data type is added: XMLDATA. Embedded XML data is + represented by the XMLDATA data type. This type is defined as the + extension to the iodef:ExtensionType [RFC5070], whose dtype attribute + is set to "xml". + +4.3. Extending IODEF + + This document defines eight extension classes, namely AttackPattern, + Platform, Vulnerability, Scoring, Weakness, EventReport, + Verification, and Remediation. Figure 1 describes the relationships + between the IODEF Incident class [RFC5070] and the newly defined + classes. It is expressed in Unified Modeling Language (UML) syntax + per RFC 5070 [RFC5070]. The UML representation is for illustrative + purposes only; elements are specified in XML as defined in + Section 5.2. + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Takahashi, et al. Standards Track [Page 6] + +RFC 7203 IODEF-SCI April 2014 + + ++---------------+ +| Incident | ++---------------+ +| ENUM purpose |<>---------[IncidentID] +| STRING |<>--{0..1}-[AlternativeID] +| ext-purpose |<>--{0..1}-[RelatedActivity] +| ENUM lang |<>--{0..1}-[DetectTime] +| ENUM |<>--{0..1}-[StartTime] +| restriction |<>--{0..1}-[EndTime] +| |<>---------[ReportTime] +| |<>--{0..*}-[Description] +| |<>--{1..*}-[Assessment] +| |<>--{0..*}-[Method] +| | |<>--{0..*}-[AdditionalData] +| | |<>--{0..*}-[AttackPattern] +| | |<>--{0..*}-[Vulnerability] +| | |<>--{0..*}-[Weakness] +| |<>--{1..*}-[Contact] +| |<>--{0..*}-[EventData] +| | |<>--{0..*}-[Flow] +| | | |<>--{1..*}-[System] +| | | |<>--{0..*}-[AdditionalData] +| | | |<>--{0..*}-[Platform] +| | |<>--{0..*}-[Expectation] +| | |<>--{0..1}-[Record] +| | |<>--{1..*}-[RecordData] +| | |<>--{1..*}-[RecordItem] +| | |<>--{0..*}-[EventReport] +| |<>--{0..1}-[History] +| |<>--{0..*}-[AdditionalData] +| | |<>--{0..*}-[Verification] +| | |<>--{0..*}-[Remediation] ++---------------+ + + Figure 1: Incident Class + + + + + + + + + + + + + + + + +Takahashi, et al. Standards Track [Page 7] + +RFC 7203 IODEF-SCI April 2014 + + +4.4. Basic Structure of the Extension Classes + + Figure 2 shows the basic structure of the extension classes. Some of + the extension classes have extra elements as defined in Section 4.5, + but the basic structure is the same. + + +---------------------+ + | New Class Name | + +---------------------+ + | ENUM SpecID |<>--(0..*)-[ RawData ] + | STRING ext-SpecID |<>--(0..*)-[ Reference ] + | STRING ContentID | + +---------------------+ + + Figure 2: Basic Structure + + Three attributes are defined as indicated below: + + SpecID: REQUIRED. ENUM. A specification's identifier that + specifies the format of structured information. The value should + be chosen from the namespaces [XMLNames] listed in the IANA table + (Section 4.1) or "private". The value "private" is prepared for + conveying structured information based on a format that is not + listed in the table. This is usually used for conveying data + formatted according to an organization's private schema. When the + value "private" is used, ext-SpecID element MUST be used. + + ext-SpecID: OPTIONAL. STRING. A specification's identifier that + specifies the format of structured information. This is usually + used to support a private schema that is not listed in the IANA + table (Section 4.1). This attribute MUST be used only when the + value of the SpecID element is "private." + + ContentID: OPTIONAL. STRING. An identifier of structured + information. Depending on the extension classes, the content of + the structured information differs. This attribute enables IODEF + documents to convey the identifier of the structured information + instead of conveying the information itself. + + Likewise, two elements are defined as indicated below: + + RawData: Zero or more. XMLDATA. An XML document of structured + information. This is a complete document that is formatted + according to the specification and its version identified by the + SpecID/ext-SpecID. When this element is used, writers/senders + MUST ensure that the namespace specified by SpecID/ext-SpecID and + + + + + +Takahashi, et al. Standards Track [Page 8] + +RFC 7203 IODEF-SCI April 2014 + + + the schema of the XML are consistent; if not, the namespace + identified by SpecID SHOULD be preferred, and the inconsistency + SHOULD be logged so a human can correct the problem. + + Reference: Zero or more of iodef:Reference [RFC5070]. A reference + to structured information. This element allows an IODEF document + to include a link to structured information instead of directly + embedding it into a RawData element. + + Though ContentID is an optional attribute, and RawData and Reference + are optional elements, one of them MUST be used to convey structured + information. Note that, in order to avoid confusing the receiver, + only one of them SHOULD be used. + +4.5. Defining Extension Classes + + This document defines eight extension classes, as described in the + subsections that follow. + +4.5.1. AttackPattern + + An AttackPattern is an extension class to the + Incident.Method.AdditionalData element with a dtype of "xml". It + describes attack patterns of incidents or events. It is RECOMMENDED + that the Method class [RFC5070] contain the extension elements + whenever available. An AttackPattern class is structured as follows: + + +---------------------+ + | AttackPattern | + +---------------------+ + | ENUM SpecID |<>--(0..*)-[ RawData ] + | STRING ext-SpecID |<>--(0..*)-[ Reference ] + | STRING ContentID |<>--(0..*)-[ Platform ] + +---------------------+ + + Figure 3: AttackPattern Class + + This class has the following attributes: + + SpecID: REQUIRED. ENUM. See Section 4.4. + + ext-SpecID: OPTIONAL. STRING. See Section 4.4. + + ContentID: OPTIONAL. STRING. An identifier of attack pattern + information. See Section 4.4. + + + + + + +Takahashi, et al. Standards Track [Page 9] + +RFC 7203 IODEF-SCI April 2014 + + + Likewise, this class has the following elements: + + RawData: Zero or more. XMLDATA. An XML document of attack pattern + information. See Section 4.4. + + Reference: Zero or more. A reference to attack pattern information. + See Section 4.4. + + Platform: Zero or more. An identifier of the software platform + involved in the specific attack pattern. See Section 4.5.2. + +4.5.2. Platform + + A Platform is an extension class that identifies a software platform. + It is RECOMMENDED that the AttackPattern, Vulnerability, Weakness, + and System [RFC5070] classes contain the extension elements whenever + available. A Platform element is structured as follows: + + +---------------------+ + | Platform | + +---------------------+ + | ENUM SpecID |<>--(0..*)-[ RawData ] + | STRING ext-SpecID |<>--(0..*)-[ Reference ] + | STRING ContentID | + +---------------------+ + + Figure 4: Platform Class + + This class has the following attributes: + + SpecID: REQUIRED. ENUM. See Section 4.4. + + ext-SpecID: OPTIONAL. STRING. See Section 4.4. + + ContentID: OPTIONAL. STRING. An identifier of platform + information. See Section 4.4. + + Likewise, this class has the following elements: + + RawData: Zero or more. XMLDATA. An XML document of platform + information. See Section 4.4. + + Reference: Zero or more. A reference to platform information. See + Section 4.4. + + + + + + + +Takahashi, et al. Standards Track [Page 10] + +RFC 7203 IODEF-SCI April 2014 + + +4.5.3. Vulnerability + + A Vulnerability is an extension class to the + Incident.Method.AdditionalData element with a dtype of "xml". The + extension describes the vulnerabilities that are exposed or were + exploited in incidents. It is RECOMMENDED that the Method class + contain the extension elements whenever available. A Vulnerability + element is structured as follows: + + +---------------------+ + | Vulnerability | + +---------------------+ + | ENUM SpecID |<>--(0..*)-[ RawData ] + | STRING ext-SpecID |<>--(0..*)-[ Reference ] + | STRING ContentID |<>--(0..*)-[ Platform ] + | |<>--(0..*)-[ Scoring ] + +---------------------+ + + Figure 5: Vulnerability Class + + This class has the following attributes: + + SpecID: REQUIRED. ENUM. See Section 4.4. + + ext-SpecID: OPTIONAL. STRING. See Section 4.4. + + ContentID: OPTIONAL. STRING. An identifier of vulnerability + information. See Section 4.4. + + Likewise, this class has the following elements: + + RawData: Zero or more. XMLDATA. An XML document of vulnerability + information. See Section 4.4. + + Reference: Zero or more. A reference to vulnerability information. + See Section 4.4. + + Platform: Zero or more. An identifier of the software platform + affected by the vulnerability. See Section 4.5.2. + + Scoring: Zero or more. An indicator of the severity of the + vulnerability. See Section 4.5.4. + +4.5.4. Scoring + + A Scoring is an extension class that describes the severity scores in + terms of security. It is RECOMMENDED that the Vulnerability and + Weakness classes contain the extension elements whenever available. + + + +Takahashi, et al. Standards Track [Page 11] + +RFC 7203 IODEF-SCI April 2014 + + + A Scoring class is structured as follows: + + +---------------------+ + | Scoring | + +---------------------+ + | ENUM SpecID |<>--(0..*)-[ RawData ] + | STRING ext-SpecID |<>--(0..*)-[ Reference ] + | STRING ContentID | + +---------------------+ + + Figure 6: Scoring Class + + This class has the following attributes: + + SpecID: REQUIRED. ENUM. See Section 4.4. + + ext-SpecID: OPTIONAL. STRING. See Section 4.4. + + ContentID: OPTIONAL. STRING. An identifier of a score set. See + Section 4.4. + + Likewise, this class has the following elements: + + RawData: Zero or more. XMLDATA. An XML document of a score set. + See Section 4.4. + + Reference: Zero or more. A reference to a score set. See + Section 4.4. + +4.5.5. Weakness + + A Weakness is an extension class to the + Incident.Method.AdditionalData element with a dtype of "xml". The + extension describes the weakness types that are exposed or were + exploited in incidents. It is RECOMMENDED that the Method class + contain the extension elements whenever available. A Weakness + element is structured as follows: + + +---------------------+ + | Weakness | + +---------------------+ + | ENUM SpecID |<>--(0..*)-[ RawData ] + | STRING ext-SpecID |<>--(0..*)-[ Reference ] + | STRING ContentID |<>--(0..*)-[ Platform ] + | |<>--(0..*)-[ Scoring ] + +---------------------+ + + Figure 7: Weakness Class + + + +Takahashi, et al. Standards Track [Page 12] + +RFC 7203 IODEF-SCI April 2014 + + + This class has the following attributes: + + SpecID: REQUIRED. ENUM. See Section 4.4. + + ext-SpecID: OPTIONAL. STRING. See Section 4.4. + + ContentID: OPTIONAL. STRING. An identifier of weakness + information. See Section 4.4. + + Likewise, this class has the following elements: + + RawData: Zero or more. XMLDATA. An XML document of weakness + information. See Section 4.4. + + Reference: Zero or more. A reference to weakness information. See + Section 4.4. + + Platform: Zero or more. An identifier of the software platform + affected by the weakness. See Section 4.5.2. + + Scoring: Zero or more. An indicator of the severity of the + weakness. See Section 4.5.4. + +4.5.6. EventReport + + An EventReport is an extension class to the + Incident.EventData.Record.RecordData.RecordItem element with a dtype + of "xml". The extension embeds structured event reports. It is + RECOMMENDED that the RecordItem class contain the extension elements + whenever available. An EventReport element is structured as follows: + + +---------------------+ + | EventReport | + +---------------------+ + | ENUM SpecID |<>--(0..*)-[ RawData ] + | STRING ext-SpecID |<>--(0..*)-[ Reference ] + | STRING ContentID | + +---------------------+ + + Figure 8: EventReport Class + + This class has the following attributes: + + SpecID: REQUIRED. ENUM. See Section 4.4. + + ext-SpecID: OPTIONAL. STRING. See Section 4.4. + + + + + +Takahashi, et al. Standards Track [Page 13] + +RFC 7203 IODEF-SCI April 2014 + + + ContentID: OPTIONAL. STRING. An identifier of an event report. + See Section 4.4. + + Likewise, this class has the following elements: + + RawData: Zero or more. XMLDATA. An XML document of an event + report. See Section 4.4. + + Reference: Zero or more. A reference to an event report. See + Section 4.4. + +4.5.7. Verification + + A Verification is an extension class to the Incident.AdditionalData + element with a dtype of "xml". The extension elements describe + information on verifying security, e.g., a checklist, to cope with + incidents. It is RECOMMENDED that the Incident class contain the + extension elements whenever available. A Verification class is + structured as follows: + + +---------------------+ + | Verification | + +---------------------+ + | ENUM SpecID |<>--(0..*)-[ RawData ] + | STRING ext-SpecID |<>--(0..*)-[ Reference ] + | STRING ContentID | + +---------------------+ + + Figure 9: Verification Class + + This class has the following attributes: + + SpecID: REQUIRED. ENUM. See Section 4.4. + + ext-SpecID: OPTIONAL. STRING. See Section 4.4. + + ContentID: OPTIONAL. STRING. An identifier of verification + information. See Section 4.4. + + Likewise, this class has the following elements: + + RawData: Zero or more. XMLDATA. An XML document of verification + information. See Section 4.4. + + Reference: Zero or more. A reference to verification information. + See Section 4.4. + + + + + +Takahashi, et al. Standards Track [Page 14] + +RFC 7203 IODEF-SCI April 2014 + + +4.5.8. Remediation + + A Remediation is an extension class to the Incident.AdditionalData + element with a dtype of "xml". The extension elements describe + incident remediation information, including instructions. It is + RECOMMENDED that the Incident class contain the extension elements + whenever available. A Remediation class is structured as follows: + + +---------------------+ + | Remediation | + +---------------------+ + | ENUM SpecID |<>--(0..*)-[ RawData ] + | STRING ext-SpecID |<>--(0..*)-[ Reference ] + | String ContentID | + +---------------------+ + + Figure 10: Remediation Class + + This class has the following attributes: + + SpecID: REQUIRED. ENUM. See Section 4.4. + + ext-SpecID: OPTIONAL. STRING. See Section 4.4. + + ContentID: OPTIONAL. STRING. An identifier of remediation + information. See Section 4.4. + + Likewise, this class has the following elements: + + RawData: Zero or more. XMLDATA. An XML document of remediation + information. See Section 4.4. + + Reference: Zero or more. A reference to remediation information. + See Section 4.4. + +5. Mandatory-to-Implement Features + + Implementations compliant with this document MUST be capable of + sending and receiving the extended IODEF documents that contain XML + documents conforming to the specification listed in the initial IANA + table described in Section 4.1 without error. The extended IODEF + document is an XML document that MUST be well-formed and MUST be + valid according to schemata, including extension schemata, available + to the validator and applicable to the XML document. Note that the + receiver can look up the namespace in the IANA table to understand + what specifications the embedded XML documents follow. + + + + + +Takahashi, et al. Standards Track [Page 15] + +RFC 7203 IODEF-SCI April 2014 + + + For the purpose of facilitating the understanding of mandatory-to- + implement features, the following subsections provide an XML document + conformant to this memo, and a corresponding schema. + +5.1. An Example XML Document + + An example IODEF document for checking an implementation's conformity + with mandatory-to-implement features is provided here. The document + carries Malware Metadata Exchange Format (MMDEF) metadata. Note that + the metadata is generated by genMMDEF [MMDEF] with EICAR [EICAR] + files. Due to the limit of 72 characters per line, some line breaks + were added in this example. + + <?xml version="1.0" encoding="UTF-8"?> + <IODEF-Document version="1.00" lang="en" + xmlns="urn:ietf:params:xml:ns:iodef-1.0" + xmlns:iodef="urn:ietf:params:xml:ns:iodef-1.0" + xmlns:sci="urn:ietf:params:xml:ns:iodef-sci-1.0" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <Incident purpose="reporting"> + <IncidentID name="sci.example.com">189493</IncidentID> + <ReportTime>2013-06-18T23:19:24+00:00</ReportTime> + <Description>a candidate security incident</Description> + <Assessment> + <Impact completion="failed" type="admin" /> + </Assessment> + <Method> + <Description>A candidate attack event</Description> + <AdditionalData dtype="xml"> + <sci:AttackPattern SpecID= + "urn:ietf:params:xml:ns:mile:mmdef:1.2"> + <sci:RawData dtype="xml"> + <malwareMetaData xmlns="http://xml/metadataSharing.xsd" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://xml/metadataSharing.xsd + file:metadataSharing.xsd" version="1.200000" id="10000"> + <company>N/A</company> + <author>MMDEF Generation Script</author> + <comment>Test MMDEF v1.2 file generated using genMMDEF + </comment> + <timestamp>2013-03-23T15:12:50.726000</timestamp> + <objects> + <file id="6ce6f415d8475545be5ba114f208b0ff"> + <md5>6ce6f415d8475545be5ba114f208b0ff</md5> + <sha1>da39a3ee5e6b4b0d3255bfef95601890afd80709</sha1> + <sha256>e3b0c44298fc1c149afbf4c8996fb92427ae41e464 + 9b934ca495991b7852b855</sha256> + + + + +Takahashi, et al. Standards Track [Page 16] + +RFC 7203 IODEF-SCI April 2014 + + + <sha512>cf83e1357eefb8bdf1542850d66d8007d620e4050b + 5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff83 + 18d2877eec2f63b931bd47417a81a538327af927 + da3e</sha512> + <size>184</size> + <filename>eicar_com.zip</filename> + <MIMEType>application/zip</MIMEType> + </file> + <file id="44d88612fea8a8f36de82e1278abb02f"> + <md5>44d88612fea8a8f36de82e1278abb02f</md5> + <sha1>3395856ce81f2b7382dee72602f798b642f14140</sha1> + <sha256>275a021bbfb6489e54d471899f7db9d1663fc695ec + 2fe2a2c4538aabf651fd0f</sha256> + <sha512>cc805d5fab1fd71a4ab352a9c533e65fb2d5b88551 + 8f4e565e68847223b8e6b85cb48f3afad842726d99 + 239c9e36505c64b0dc9a061d9e507d833277ada3 + 36ab</sha512> + <size>68</size> + <crc32>1750191932</crc32> + <filename>eicar.com</filename> + <filenameWithinInstaller>eicar.com + </filenameWithinInstaller> + </file> + </objects> + <relationships> + <relationship type="createdBy" id="1"> + <source> + <ref>file[@id="6ce6f415d8475545be5ba114f208b0ff"] + </ref> + </source> + <target> + <ref>file[@id="44d88612fea8a8f36de82e1278abb02f"] + </ref> + </target> + <timestamp>2013-03-23T15:12:50.744000</timestamp> + </relationship> + </relationships> + </malwareMetaData> + </sci:RawData> + </sci:AttackPattern> + </AdditionalData> + </Method> + <Contact role="creator" type="organization"> + <ContactName>sci.example.com</ContactName> + <RegistryHandle registry="arin">sci.example-com + </RegistryHandle> + <Email>contact@csirt.example.com</Email> + </Contact> + + + +Takahashi, et al. Standards Track [Page 17] + +RFC 7203 IODEF-SCI April 2014 + + + <EventData> + <Flow> + <System category="source"> + <Node> + <Address category="ipv4-addr">192.0.2.200</Address> + <Counter type="event">57</Counter> + </Node> + </System> + <System category="target"> + <Node> + <Address category="ipv4-net">192.0.2.16/28</Address> + </Node> + <Service ip_protocol="4"> + <Port>80</Port> + </Service> + </System> + </Flow> + <Expectation action="block-host" /> + <Expectation action="other" /> + </EventData> + </Incident> + </IODEF-Document> + +5.2. An XML Schema for the Extension + + An XML schema describing the elements defined in this document is + given here. + +<?xml version="1.0" encoding="UTF-8"?> + +<xsd:schema targetNamespace="urn:ietf:params:xml:ns:iodef-sci-1.0" + xmlns:xsd="http://www.w3.org/2001/XMLSchema" + xmlns:iodef="urn:ietf:params:xml:ns:iodef-1.0" + xmlns:sci="urn:ietf:params:xml:ns:iodef-sci-1.0" + elementFormDefault="qualified" attributeFormDefault="unqualified"> + +<xsd:import namespace="urn:ietf:params:xml:ns:iodef-1.0" schemaLocation= + "http://www.iana.org/assignments/xml-registry/schema/iodef-1.0.xsd"/> + +<xsd:complexType name="XMLDATA"> + <xsd:complexContent> + <xsd:restriction base="iodef:ExtensionType"> + <xsd:sequence> + <xsd:any namespace="##any" processContents="lax" minOccurs="0" + maxOccurs="unbounded"/> + </xsd:sequence> + <xsd:attribute name="dtype" type="iodef:dtype-type" + use="required" fixed="xml"/> + + + +Takahashi, et al. Standards Track [Page 18] + +RFC 7203 IODEF-SCI April 2014 + + + <xsd:attribute name="ext-dtype" type="xsd:string" + use="prohibited"/> + <xsd:attribute name="meaning" type="xsd:string"/> + <xsd:attribute name="formatid" type="xsd:string"/> + <xsd:attribute name="restriction" type="iodef:restriction-type"/> + </xsd:restriction> + </xsd:complexContent> +</xsd:complexType> +<xsd:complexType name="BasicStructure"> + <xsd:sequence> + <xsd:choice> + <xsd:element name="RawData" type="sci:XMLDATA" + minOccurs="0" maxOccurs="unbounded"/> + <xsd:element ref="iodef:Reference" minOccurs="0" + maxOccurs="unbounded"/> + </xsd:choice> + </xsd:sequence> + <xsd:attribute name="SpecID" type="xsd:string" use="required"/> + <xsd:attribute name="ext-SpecID" type="xsd:string"/> + <xsd:attribute name="ContentID" type="xsd:string"/> +</xsd:complexType> + +<xsd:element name="Scoring" type="sci:BasicStructure"/> +<xsd:element name="Platform" type="sci:BasicStructure"/> +<xsd:element name="EventReport" type="sci:BasicStructure"/> +<xsd:element name="Verification" type="sci:BasicStructure"/> +<xsd:element name="Remediation" type="sci:BasicStructure"/> +<xsd:element name="AttackPattern"> + <xsd:complexType> + <xsd:complexContent> + <xsd:extension base="sci:BasicStructure"> + <sequence> + <xsd:element ref="sci:Platform" minOccurs="0" + maxOccurs="unbounded"/> + </sequence> + </xsd:extension> + </xsd:complexContent> + </xsd:complexType> +</xsd:element> +<xsd:element name="Vulnerability"> + <xsd:complexType> + <xsd:complexContent> + <xsd:extension base="sci:BasicStructure"> + <sequence> + <xsd:element ref="sci:Platform" minOccurs="0" + maxOccurs="unbounded"/> + <xsd:element ref="sci:Scoring" minOccurs="0" + maxOccurs="unbounded"/> + + + +Takahashi, et al. Standards Track [Page 19] + +RFC 7203 IODEF-SCI April 2014 + + + </sequence> + </xsd:extension> + </xsd:complexContent> + </xsd:complexType> +</xsd:element> +<xsd:element name="Weakness"> + <xsd:complexType> + <xsd:complexContent> + <xsd:extension base="sci:BasicStructure"> + <sequence> + <xsd:element ref="sci:Platform" minOccurs="0" + maxOccurs="unbounded"/> + <xsd:element ref="sci:Scoring" minOccurs="0" + maxOccurs="unbounded"/> + </sequence> + </xsd:extension> + </xsd:complexContent> + </xsd:complexType> +</xsd:element> + +</xsd:schema> + +6. Security Considerations + + This document specifies a format for encoding a particular class of + security incidents appropriate for exchange across organizations. As + merely a data representation, it does not directly introduce security + issues. However, it is guaranteed that parties exchanging instances + of this specification will have certain concerns. For this reason, + the underlying message format and transport protocol used MUST ensure + the appropriate degree of confidentiality, integrity, and + authenticity for the specific environment. Specific security + considerations are detailed in the messaging and transport documents, + where the exchange of formatted information is automated; see + Sections 9 and 10 of "Real-time Inter-network Defense (RID)" + [RFC6545] and Section 4 of "Transport of Real-time Inter-network + Defense (RID) Messages over HTTP/TLS" [RFC6546] for a detailed + overview of security requirements and considerations. + + It is RECOMMENDED that organizations that exchange data using this + document develop operating procedures that consider, at a minimum, + the following areas of concern. + +6.1. Transport-Specific Concerns + + The underlying messaging format, IODEF, provides data markers to + indicate the sensitivity level of specific classes within the + structure as well as for the entire XML document. The "restriction" + + + +Takahashi, et al. Standards Track [Page 20] + +RFC 7203 IODEF-SCI April 2014 + + + attribute accomplishes this with four attribute values in IODEF + [RFC5070]. These values are RECOMMENDED for use at the application + level, prior to transport, to protect data as appropriate. A + standard mechanism to apply XML encryption using these attribute + values as triggers is defined in RID [RFC6545], Section 9.1. This + mechanism may be used whether or not the RID protocol [RFC6545] and + its associated transport binding [RFC6546] are used in the exchange + to provide object-level security on the data to prevent possible + intermediary systems or middleboxes from having access to the data + being exchanged. In areas where transmission security or secrecy is + questionable, the application of an XML digital signature [XMLDSIG] + and/or encryption on each report will counteract both of these + concerns. The data markers are RECOMMENDED for use by applications + for managing access controls; however, access controls and management + of those controls are out of scope for this document. Options such + as the usage of a standard language (e.g., eXtensible Access Control + Markup Language [XACML]) for the expression of authorization policies + can be used to enable source and destination systems to better + coordinate and align their respective policy expressions. + + Any transport protocol used to exchange instances of IODEF documents + MUST provide appropriate guarantees of confidentiality, integrity, + and authenticity. The use of a standardized security protocol is + encouraged. The RID protocol [RFC6545] and its associated transport + binding [RFC6546] provide such security with options for mutual + authentication session encryption and include application-level + concerns such as policy and workflow. + + The critical security concerns are that structured information may be + falsified, accessed by unintended entities, or become corrupt during + transit. We expect that each exchanging organization will determine + the need, and mechanism, for transport protection. + +6.2. Protection of Sensitive and Private Information + + For a complete review of privacy considerations when transporting + incident-related information, please see RID [RFC6545], Section 9.5. + Whether or not the RID protocol is used, the privacy considerations + are important to consider, as incident information is often sensitive + and may contain privacy-related information about individuals/ + organizations or endpoints involved. Organizations will often + require the establishment of legal reviews and formal policies that + outline specific details of what information can be exchanged with + specific entities. Typically, identifying information is anonymized + where possible and appropriate. In some cases, information brokers + are used to further anonymize the source of exchanged information so + that other entities are unaware of the origin of a detected threat, + whether or not that threat was realized. + + + +Takahashi, et al. Standards Track [Page 21] + +RFC 7203 IODEF-SCI April 2014 + + + It is RECOMMENDED that policies and procedures for the exchange of + cybersecurity information be established prior to participation in + data exchanges. Policy and workflow procedures for the exchange of + cybersecurity information often require executive-level approvals and + legal reviews to appropriately establish limits on what information + can be exchanged with specific organizations. RID [RFC6545], + Section 9.6 outlines options and considerations for application + developers to consider for policy and workflow design. + +6.3. Application and Server Security + + The cybersecurity information extension is merely a data format. + Applications and transport protocols that store or exchange IODEF + documents using information that can be represented through this + extension will be a target for attacks. It is RECOMMENDED that + systems and applications storing or exchanging this information be + properly secured, have minimal services enabled, and maintain access + controls and monitoring procedures. + +7. IANA Considerations + + This document uses URNs to describe XML namespaces and XML schemata + [XMLschemaPart1] [XMLschemaPart2] conforming to a registry mechanism + described in [RFC3688]. + + The following IODEF structured cybersecurity information extension + namespace has been registered: + + URI: urn:ietf:params:xml:ns:iodef-sci-1.0 + + Registrant Contact: Refer to the Authors' Addresses section of + this document. + + XML: None. + + The following IODEF structured cybersecurity information extension + XML schema has been registered: + + URI: urn:ietf:params:xml:schema:iodef-sci-1.0 + + Registrant Contact: Refer to the Authors' Addresses section of + this document. + + XML: Refer to the XML schema in Section 5.2 of this document. + + + + + + + +Takahashi, et al. Standards Track [Page 22] + +RFC 7203 IODEF-SCI April 2014 + + + This memo creates the following registry, which is managed by IANA: + + Name of the registry: "Structured Cybersecurity Information (SCI) + Specifications" + + Name of its parent registry: "Incident Object Description Exchange + Format (IODEF)" + + URL of the registry: <http://www.iana.org/assignments/iodef> + + Namespace details: A registry entry for a Structured Cybersecurity + Information Specification (SCI specification) consists of: + + Namespace: A URI [RFC3986] that identifies the XML namespace + used by the registered SCI specification. In the case where + the registrant does not request a particular URI, the IANA will + assign it a Uniform Resource Name (URN) that follows RFC 3553 + [RFC3553]. + + Specification Name: A string containing the spelled-out name of + the SCI specification in human-readable form. + + Reference URI: A list of one or more of the URIs [RFC3986] from + which the registered specification can be obtained. The + registered specification MUST be readily and publicly available + from that URI. + + Applicable Classes: A list of one or more of the extension + classes specified in Section 4.5 of this document. The + registered SCI specification MUST only be used with the + extension classes in the registry entry. + + Information that must be provided to assign a new value: The above + list of information. + + Fields to record in the registry: Namespace/Specification Name/ + Version/Reference URI/Applicable Classes. Note that it is not + necessary to include a defining reference for all assignments in + this new registry. + + Initial registry contents: Only one entry, with the following + values: + + Namespace: urn:ietf:params:xml:ns:mile:mmdef:1.2 + + Specification Name: Malware Metadata Exchange Format + + Version: 1.2 + + + +Takahashi, et al. Standards Track [Page 23] + +RFC 7203 IODEF-SCI April 2014 + + + Reference URI: + + <http://standards.ieee.org/develop/indconn/icsg/mmdef.html>, + <http://grouper.ieee.org/groups/malware/malwg/Schema1.2/> + + Applicable Classes: AttackPattern + + Allocation policy: Specification Required (which includes Expert + Review) [RFC5226]. + + The Designated Expert is expected to consult with the MILE (Managed + Incident Lightweight Exchange) working group, or its successor if any + such working group exists (e.g., via email to the working group's + mailing list). The Designated Expert is expected to retrieve the SCI + specification from the provided URI in order to check the public + availability of the specification and verify the correctness of the + URI. An important responsibility of the Designated Expert is to + ensure that the registered applicable classes are appropriate for the + registered SCI specification. + +8. Acknowledgments + + We would like to acknowledge David Black from EMC, who kindly + provided generous support, especially on the IANA registry issues. + We also would like to thank Jon Baker from MITRE, Eric Burger from + Georgetown University, Paul Cichonski from NIST, Panos Kampanakis + from Cisco, Ivan Kirillov from MITRE, Pearl Liang from IANA, Robert + Martin from MITRE, Alexey Melnikov from Isode, Thomas Millar from + US-CERT, Kathleen Moriarty from EMC, Lagadec Philippe from NATO, Sean + Turner from IECA, Inc., Anthony Rutkowski from Yaana Technology, + Brian Trammell from ETH Zurich, David Waltermire from NIST, James + Wendorf from IEEE, and Shuhei Yamaguchi from NICT, for their sincere + discussion and feedback on this document. + +9. References + +9.1. Normative References + + [MMDEF] ICSG Malware Metadata Exchange Format Working Group, + "Malware Metadata Exchange Format", IEEE Standards + Association, November 2011, + <http://grouper.ieee.org/groups/malware/malwg/Schema1.2/>. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + + + + + +Takahashi, et al. Standards Track [Page 24] + +RFC 7203 IODEF-SCI April 2014 + + + [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform + Resource Identifier (URI): Generic Syntax", STD 66, + RFC 3986, January 2005. + + [RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident + Object Description Exchange Format", RFC 5070, + December 2007. + + [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an + IANA Considerations Section in RFCs", BCP 26, RFC 5226, + May 2008. + + [RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)", + RFC 6545, April 2012. + + [RFC6546] Trammell, B., "Transport of Real-time Inter-network + Defense (RID) Messages over HTTP/TLS", RFC 6546, + April 2012. + + [XML1.0] Bray, T., Paoli, J., Sperberg-McQueen, C., Maler, E., and + F. Yergeau, "Extensible Markup Language (XML) 1.0 (Fifth + Edition)", W3C Recommendation, November 2008, + <http://www.w3.org/TR/xml/>. + + [XMLschemaPart1] + Thompson, H., Beech, D., Maloney, M., and N. Mendelsohn, + "XML Schema Part 1: Structures Second Edition", W3C + Recommendation, October 2004, + <http://www.w3.org/TR/xmlschema-1/>. + + [XMLschemaPart2] + Biron, P. and A. Malhotra, "XML Schema Part 2: Datatypes + Second Edition", W3C Recommendation, October 2004, + <http://www.w3.org/TR/xmlschema-2/>. + + [XMLNames] + Bray, T., Hollander, D., Layman, A., Tobin, R., and H. + Thompson, "Namespaces in XML 1.0 (Third Edition)", W3C + Recommendation, December 2009, + <http://www.w3.org/TR/xml-names/>. + + + + + + + + + + + +Takahashi, et al. Standards Track [Page 25] + +RFC 7203 IODEF-SCI April 2014 + + +9.2. Informative References + + [RFC3553] Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An + IETF URN Sub-namespace for Registered Protocol + Parameters", BCP 73, RFC 3553, June 2003. + + [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, + January 2004. + + [CAPEC] The MITRE Corporation, "Common Attack Pattern Enumeration + and Classification (CAPEC)", <http://capec.mitre.org/>. + + [CCE] National Institute of Standards and Technology, "Common + Configuration Enumeration (CCE)", + <http://nvd.nist.gov/cce/index.cfm>. + + [CCSS] Scarfone, K. and P. Mell, "The Common Configuration + Scoring System (CCSS): Metrics for Software Security + Configuration Vulnerabilities", NIST Interagency + Report 7502, December 2010, <http://csrc.nist.gov/ + publications/nistir/ir7502/nistir-7502_CCSS.pdf>. + + [CEE] The MITRE Corporation, "Common Event Expression (CEE)", + <http://cee.mitre.org/>. + + [CPE] National Institute of Standards and Technology, "Common + Platform Enumeration", June 2011, + <http://scap.nist.gov/specifications/cpe/>. + + [CVE] The MITRE Corporation, "Common Vulnerabilities and + Exposures (CVE)", <http://cve.mitre.org/>. + + [CVRF] ICASI, "The Common Vulnerability Reporting Framework + (CVRF)", <http://www.icasi.org/cvrf>. + + [CVSS] Mell, P., Scarfone, K., and S. Romanosky, "The Common + Vulnerability Scoring System (CVSS) and Its Applicability + to Federal Agency Systems", NIST Interagency Report 7435, + August 2007, <http://csrc.nist.gov/publications/nistir/ + ir7435/NISTIR-7435.pdf>. + + [CWE] The MITRE Corporation, "Common Weakness Enumeration + (CWE)", <http://cwe.mitre.org/>. + + [CWSS] The MITRE Corporation, "Common Weakness Scoring System + (CWSS(TM))", <http://cwe.mitre.org/cwss/>. + + + + + +Takahashi, et al. Standards Track [Page 26] + +RFC 7203 IODEF-SCI April 2014 + + + [EICAR] EICAR - European Expert Group for IT-Security, + "Anti-Malware Testfile", 2003, + <http://www.eicar.org/86-0-Intended-use.html>. + + [MAEC] The MITRE Corporation, "Malware Attribute Enumeration and + Characterization", <http://maec.mitre.org/>. + + [OCIL] Waltermire, D., Scarfone, K., and M. Casipe, + "Specification for the Open Checklist Interactive Language + (OCIL) Version 2.0", NIST Interagency Report 7692, + April 2011, <http://csrc.nist.gov/publications/nistir/ + ir7692/nistir-7692.pdf>. + + [OVAL] The MITRE Corporation, "Open Vulnerability and Assessment + Language (OVAL)", <http://oval.mitre.org/>. + + [SCAP] Waltermire, D., Quinn, S., Scarfone, K., and A. + Halbardier, "The Technical Specification for the Security + Content Automation Protocol (SCAP): SCAP Version 1.2", + NIST Special Publication 800-126 Revision 2, + September 2011, <http://csrc.nist.gov/publications/ + nistpubs/800-126-rev2/SP800-126r2.pdf>. + + [XACML] Rissanen, E., "eXtensible Access Control Markup Language + (XACML) Version 3.0", January 2013, + <http://docs.oasis-open.org/xacml/3.0/ + xacml-3.0-core-spec-os-en.pdf>. + + [XCCDF] Waltermire, D., Schmidt, C., Scarfone, K., and N. Ziring, + "Specification for the Extensible Configuration Checklist + Description Format (XCCDF) version 1.2 (DRAFT)", NIST + Interagency Report 7275, Revision 4, September 2011, + <http://csrc.nist.gov/publications/nistir/ir7275-rev4/ + NISTIR-7275r4.pdf>. + + [XMLDSIG] W3C Recommendation, "XML Signature Syntax and Processing + (Second Edition)", June 2008, + <http://www.w3.org/TR/xmldsig-core/>. + + + + + + + + + + + + + +Takahashi, et al. Standards Track [Page 27] + +RFC 7203 IODEF-SCI April 2014 + + +Authors' Addresses + + Takeshi Takahashi + National Institute of Information and Communications Technology + 4-2-1 Nukui-Kitamachi Koganei + 184-8795 Tokyo + Japan + + Phone: +80 423 27 5862 + EMail: takeshi_takahashi@nict.go.jp + + + Kent Landfield + McAfee, Inc. + 5000 Headquarters Drive + Plano, TX 75024 + USA + + EMail: Kent_Landfield@McAfee.com + + + Youki Kadobayashi + Nara Institute of Science and Technology + 8916-5 Takayama, Ikoma + 630-0192 Nara + Japan + + EMail: youki-k@is.aist-nara.ac.jp + + + + + + + + + + + + + + + + + + + + + + + +Takahashi, et al. Standards Track [Page 28] + |