draft-ietf-mile-rfc5070-bis-25.txt   draft-ietf-mile-rfc5070-bis-26.txt 
MILE Working Group R. Danyliw MILE Working Group R. Danyliw
Internet-Draft CERT Internet-Draft CERT
Obsoletes: 5070, 6685 (if approved) June 24, 2016 Obsoletes: 5070, 6685 (if approved) October 5, 2016
Intended status: Standards Track Intended status: Standards Track
Expires: December 26, 2016 Expires: April 8, 2017
The Incident Object Description Exchange Format v2 The Incident Object Description Exchange Format v2
draft-ietf-mile-rfc5070-bis-25 draft-ietf-mile-rfc5070-bis-26
Abstract Abstract
The Incident Object Description Exchange Format (IODEF) defines a The Incident Object Description Exchange Format (IODEF) defines a
data representation for security incident reports and indicators data representation for security incident reports and indicators
commonly exchanged by operational security teams for mitigation and commonly exchanged by operational security teams for mitigation and
watch and warning. This document describes an updated information watch and warning. This document describes an updated information
model for the IODEF and provides an associated data model specified model for the IODEF and provides an associated data model specified
with XML Schema. This new information and data model obsoletes with XML Schema. This new information and data model obsoletes
Request for Comment (RFC) 5070 and 6685. Request for Comment (RFC) 5070 and 6685.
skipping to change at page 1, line 37 skipping to change at page 1, line 37
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 26, 2016. This Internet-Draft will expire on April 8, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 46 skipping to change at page 2, line 46
2.7. Date-Time String . . . . . . . . . . . . . . . . . . . . 11 2.7. Date-Time String . . . . . . . . . . . . . . . . . . . . 11
2.8. Timezone String . . . . . . . . . . . . . . . . . . . . . 11 2.8. Timezone String . . . . . . . . . . . . . . . . . . . . . 11
2.9. Port Lists . . . . . . . . . . . . . . . . . . . . . . . 11 2.9. Port Lists . . . . . . . . . . . . . . . . . . . . . . . 11
2.10. Postal Address . . . . . . . . . . . . . . . . . . . . . 11 2.10. Postal Address . . . . . . . . . . . . . . . . . . . . . 11
2.11. Telephone Number . . . . . . . . . . . . . . . . . . . . 11 2.11. Telephone Number . . . . . . . . . . . . . . . . . . . . 11
2.12. Email String . . . . . . . . . . . . . . . . . . . . . . 12 2.12. Email String . . . . . . . . . . . . . . . . . . . . . . 12
2.13. Uniform Resource Locator strings . . . . . . . . . . . . 12 2.13. Uniform Resource Locator strings . . . . . . . . . . . . 12
2.14. Identifiers and Identifier References . . . . . . . . . . 12 2.14. Identifiers and Identifier References . . . . . . . . . . 12
2.15. Software . . . . . . . . . . . . . . . . . . . . . . . . 12 2.15. Software . . . . . . . . . . . . . . . . . . . . . . . . 12
2.15.1. SoftwareReference Class . . . . . . . . . . . . . . 13 2.15.1. SoftwareReference Class . . . . . . . . . . . . . . 13
2.16. Extension . . . . . . . . . . . . . . . . . . . . . . . . 15 2.16. Extension . . . . . . . . . . . . . . . . . . . . . . . . 14
3. The IODEF Information Model . . . . . . . . . . . . . . . . . 17 3. The IODEF Information Model . . . . . . . . . . . . . . . . . 17
3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . 17 3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . 17
3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . 19 3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . 18
3.3. Common Attributes . . . . . . . . . . . . . . . . . . . . 22 3.3. Common Attributes . . . . . . . . . . . . . . . . . . . . 22
3.3.1. restriction Attribute . . . . . . . . . . . . . . . . 22 3.3.1. restriction Attribute . . . . . . . . . . . . . . . . 22
3.3.2. observable-id Attribute . . . . . . . . . . . . . . . 24 3.3.2. observable-id Attribute . . . . . . . . . . . . . . . 23
3.4. IncidentID Class . . . . . . . . . . . . . . . . . . . . 24 3.4. IncidentID Class . . . . . . . . . . . . . . . . . . . . 24
3.5. AlternativeID Class . . . . . . . . . . . . . . . . . . . 25 3.5. AlternativeID Class . . . . . . . . . . . . . . . . . . . 25
3.6. RelatedActivity Class . . . . . . . . . . . . . . . . . . 26 3.6. RelatedActivity Class . . . . . . . . . . . . . . . . . . 25
3.7. ThreatActor Class . . . . . . . . . . . . . . . . . . . . 27 3.7. ThreatActor Class . . . . . . . . . . . . . . . . . . . . 27
3.8. Campaign Class . . . . . . . . . . . . . . . . . . . . . 28 3.8. Campaign Class . . . . . . . . . . . . . . . . . . . . . 28
3.9. Contact Class . . . . . . . . . . . . . . . . . . . . . . 29 3.9. Contact Class . . . . . . . . . . . . . . . . . . . . . . 29
3.9.1. RegistryHandle Class . . . . . . . . . . . . . . . . 32 3.9.1. RegistryHandle Class . . . . . . . . . . . . . . . . 32
3.9.2. PostalAddress Class . . . . . . . . . . . . . . . . . 33 3.9.2. PostalAddress Class . . . . . . . . . . . . . . . . . 33
3.9.3. Email Class . . . . . . . . . . . . . . . . . . . . . 34 3.9.3. Email Class . . . . . . . . . . . . . . . . . . . . . 34
3.9.4. Telephone Class . . . . . . . . . . . . . . . . . . . 35 3.9.4. Telephone Class . . . . . . . . . . . . . . . . . . . 35
3.10. Discovery Class . . . . . . . . . . . . . . . . . . . . . 36 3.10. Discovery Class . . . . . . . . . . . . . . . . . . . . . 36
3.10.1. DetectionPattern Class . . . . . . . . . . . . . . . 39 3.10.1. DetectionPattern Class . . . . . . . . . . . . . . . 38
3.11. Method Class . . . . . . . . . . . . . . . . . . . . . . 40 3.11. Method Class . . . . . . . . . . . . . . . . . . . . . . 39
3.11.1. Reference Class . . . . . . . . . . . . . . . . . . 41 3.11.1. Reference Class . . . . . . . . . . . . . . . . . . 40
3.12. Assessment Class . . . . . . . . . . . . . . . . . . . . 41 3.12. Assessment Class . . . . . . . . . . . . . . . . . . . . 41
3.12.1. SystemImpact Class . . . . . . . . . . . . . . . . . 44 3.12.1. SystemImpact Class . . . . . . . . . . . . . . . . . 43
3.12.2. BusinessImpact Class . . . . . . . . . . . . . . . . 46 3.12.2. BusinessImpact Class . . . . . . . . . . . . . . . . 45
3.12.3. TimeImpact Class . . . . . . . . . . . . . . . . . . 48 3.12.3. TimeImpact Class . . . . . . . . . . . . . . . . . . 47
3.12.4. MonetaryImpact Class . . . . . . . . . . . . . . . . 50 3.12.4. MonetaryImpact Class . . . . . . . . . . . . . . . . 49
3.12.5. Confidence Class . . . . . . . . . . . . . . . . . . 51 3.12.5. Confidence Class . . . . . . . . . . . . . . . . . . 50
3.13. History Class . . . . . . . . . . . . . . . . . . . . . . 52 3.13. History Class . . . . . . . . . . . . . . . . . . . . . . 51
3.13.1. HistoryItem Class . . . . . . . . . . . . . . . . . 52 3.13.1. HistoryItem Class . . . . . . . . . . . . . . . . . 52
3.14. EventData Class . . . . . . . . . . . . . . . . . . . . . 54 3.14. EventData Class . . . . . . . . . . . . . . . . . . . . . 54
3.14.1. Relating the Incident and EventData Classes . . . . 57 3.14.1. Relating the Incident and EventData Classes . . . . 56
3.14.2. Recursive Definition of EventData . . . . . . . . . 57 3.14.2. Recursive Definition of EventData . . . . . . . . . 56
3.15. Expectation Class . . . . . . . . . . . . . . . . . . . . 58 3.15. Expectation Class . . . . . . . . . . . . . . . . . . . . 57
3.16. Flow Class . . . . . . . . . . . . . . . . . . . . . . . 61 3.16. Flow Class . . . . . . . . . . . . . . . . . . . . . . . 60
3.17. System Class . . . . . . . . . . . . . . . . . . . . . . 61 3.17. System Class . . . . . . . . . . . . . . . . . . . . . . 61
3.18. Node Class . . . . . . . . . . . . . . . . . . . . . . . 65 3.18. Node Class . . . . . . . . . . . . . . . . . . . . . . . 64
3.18.1. Address Class . . . . . . . . . . . . . . . . . . . 66 3.18.1. Address Class . . . . . . . . . . . . . . . . . . . 65
3.18.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 67 3.18.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 66
3.18.3. Counter Class . . . . . . . . . . . . . . . . . . . 70 3.18.3. Counter Class . . . . . . . . . . . . . . . . . . . 70
3.19. DomainData Class . . . . . . . . . . . . . . . . . . . . 73 3.19. DomainData Class . . . . . . . . . . . . . . . . . . . . 72
3.19.1. Nameservers Class . . . . . . . . . . . . . . . . . 75 3.19.1. Nameservers Class . . . . . . . . . . . . . . . . . 74
3.19.2. DomainContacts Class . . . . . . . . . . . . . . . . 76 3.19.2. DomainContacts Class . . . . . . . . . . . . . . . . 75
3.20. Service Class . . . . . . . . . . . . . . . . . . . . . . 76 3.20. Service Class . . . . . . . . . . . . . . . . . . . . . . 75
3.20.1. ServiceName Class . . . . . . . . . . . . . . . . . 78 3.20.1. ServiceName Class . . . . . . . . . . . . . . . . . 77
3.20.2. ApplicationHeader Class . . . . . . . . . . . . . . 79 3.20.2. ApplicationHeader Class . . . . . . . . . . . . . . 78
3.21. EmailData Class . . . . . . . . . . . . . . . . . . . . . 79 3.21. EmailData Class . . . . . . . . . . . . . . . . . . . . . 78
3.22. Record Class . . . . . . . . . . . . . . . . . . . . . . 81 3.22. Record Class . . . . . . . . . . . . . . . . . . . . . . 80
3.22.1. RecordData Class . . . . . . . . . . . . . . . . . . 82 3.22.1. RecordData Class . . . . . . . . . . . . . . . . . . 81
3.22.2. RecordPattern Class . . . . . . . . . . . . . . . . 83 3.22.2. RecordPattern Class . . . . . . . . . . . . . . . . 82
3.23. WindowsRegistryKeysModified Class . . . . . . . . . . . . 85 3.23. WindowsRegistryKeysModified Class . . . . . . . . . . . . 84
3.23.1. Key Class . . . . . . . . . . . . . . . . . . . . . 86 3.23.1. Key Class . . . . . . . . . . . . . . . . . . . . . 85
3.24. CertificateData Class . . . . . . . . . . . . . . . . . . 87 3.24. CertificateData Class . . . . . . . . . . . . . . . . . . 86
3.24.1. Certificate Class . . . . . . . . . . . . . . . . . 87 3.24.1. Certificate Class . . . . . . . . . . . . . . . . . 86
3.25. FileData Class . . . . . . . . . . . . . . . . . . . . . 88 3.25. FileData Class . . . . . . . . . . . . . . . . . . . . . 87
3.25.1. File Class . . . . . . . . . . . . . . . . . . . . . 89 3.25.1. File Class . . . . . . . . . . . . . . . . . . . . . 88
3.26. HashData Class . . . . . . . . . . . . . . . . . . . . . 90 3.26. HashData Class . . . . . . . . . . . . . . . . . . . . . 89
3.26.1. Hash Class . . . . . . . . . . . . . . . . . . . . . 92 3.26.1. Hash Class . . . . . . . . . . . . . . . . . . . . . 91
3.26.2. FuzzyHash Class . . . . . . . . . . . . . . . . . . 92 3.26.2. FuzzyHash Class . . . . . . . . . . . . . . . . . . 91
3.27. SignatureData Class . . . . . . . . . . . . . . . . . . . 93 3.27. SignatureData Class . . . . . . . . . . . . . . . . . . . 92
3.28. IndicatorData Class . . . . . . . . . . . . . . . . . . . 94 3.28. IndicatorData Class . . . . . . . . . . . . . . . . . . . 93
3.29. Indicator Class . . . . . . . . . . . . . . . . . . . . . 94 3.29. Indicator Class . . . . . . . . . . . . . . . . . . . . . 93
3.29.1. IndicatorID Class . . . . . . . . . . . . . . . . . 97 3.29.1. IndicatorID Class . . . . . . . . . . . . . . . . . 96
3.29.2. AlternativeIndicatorID Class . . . . . . . . . . . . 97 3.29.2. AlternativeIndicatorID Class . . . . . . . . . . . . 96
3.29.3. Observable Class . . . . . . . . . . . . . . . . . . 98 3.29.3. Observable Class . . . . . . . . . . . . . . . . . . 97
3.29.4. IndicatorExpression Class . . . . . . . . . . . . . 104 3.29.4. IndicatorExpression Class . . . . . . . . . . . . . 103
3.29.5. Expressions with IndicatorExpression . . . . . . . . 106 3.29.5. Expressions with IndicatorExpression . . . . . . . . 105
3.29.6. ObservableReference Class . . . . . . . . . . . . . 107 3.29.6. ObservableReference Class . . . . . . . . . . . . . 106
3.29.7. IndicatorReference Class . . . . . . . . . . . . . . 108 3.29.7. IndicatorReference Class . . . . . . . . . . . . . . 107
3.29.8. AttackPhase Class . . . . . . . . . . . . . . . . . 109 3.29.8. AttackPhase Class . . . . . . . . . . . . . . . . . 108
4. Processing Considerations . . . . . . . . . . . . . . . . . . 109 4. Processing Considerations . . . . . . . . . . . . . . . . . . 108
4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 110 4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 109
4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 110 4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 109
4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 110 4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 109
4.4. Incompatibilities with v1 . . . . . . . . . . . . . . . . 111 4.4. Incompatibilities with v1 . . . . . . . . . . . . . . . . 110
5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 112 5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 111
5.1. Extending the Enumerated Values of Attributes . . . . . . 112 5.1. Extending the Enumerated Values of Attributes . . . . . . 111
5.1.1. Private Extension of Enumerated Values . . . . . . . 112 5.1.1. Private Extension of Enumerated Values . . . . . . . 111
5.1.2. Public Extension of Enumerated Values . . . . . . . . 113 5.1.2. Public Extension of Enumerated Values . . . . . . . . 112
5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 113 5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 112
5.3. Deconflicting Private Extensions . . . . . . . . . . . . 115 5.3. Deconflicting Private Extensions . . . . . . . . . . . . 114
6. Internationalization Issues . . . . . . . . . . . . . . . . . 116 6. Internationalization Issues . . . . . . . . . . . . . . . . . 115
7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 117 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 116
7.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 117 7.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 116
7.2. Indicators from a Campaign . . . . . . . . . . . . . . . 117 7.2. Indicators from a Campaign . . . . . . . . . . . . . . . 116
8. The IODEF Data Model (XML Schema) . . . . . . . . . . . . . . 119 8. The IODEF Data Model (XML Schema) . . . . . . . . . . . . . . 118
9. Security Considerations . . . . . . . . . . . . . . . . . . . 158 9. Security Considerations . . . . . . . . . . . . . . . . . . . 157
9.1. Security . . . . . . . . . . . . . . . . . . . . . . . . 158 9.1. Security . . . . . . . . . . . . . . . . . . . . . . . . 157
9.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 159 9.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 158
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 160 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 159
10.1. Namespace and Schema . . . . . . . . . . . . . . . . . . 160 10.1. Namespace and Schema . . . . . . . . . . . . . . . . . . 159
10.2. Enumerated Value Registries . . . . . . . . . . . . . . 161 10.2. Enumerated Value Registries . . . . . . . . . . . . . . 160
10.3. Expert Review of IODEF-Related XML Registry Entries . . 164 10.3. Expert Review of IODEF-Related XML Registry Entries . . 163
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 164 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 163
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 164 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 163
12.1. Normative References . . . . . . . . . . . . . . . . . . 164 12.1. Normative References . . . . . . . . . . . . . . . . . . 163
12.2. Informative References . . . . . . . . . . . . . . . . . 167 12.2. Informative References . . . . . . . . . . . . . . . . . 166
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 168 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 167
1. Introduction 1. Introduction
Organizations require help from other parties to mitigate malicious Organizations require help from other parties to mitigate malicious
activity targeting their network and to gain insight into potential activity targeting their network and to gain insight into potential
threats. This coordination might entail working with an ISP to threats. This coordination might entail working with an ISP to
filter attack traffic, contacting a remote site to take down a filter attack traffic, contacting a remote site to take down a
botnet, or sharing watch-lists of known malicious indicators in a botnet, or sharing watch-lists of known malicious indicators in a
consortium. consortium.
skipping to change at page 11, line 18 skipping to change at page 11, line 18
represented in the information model by the DATETIME data type. represented in the information model by the DATETIME data type.
Ranges are not supported. Ranges are not supported.
The DATETIME data type is implemented in the data model as a The DATETIME data type is implemented in the data model as a
"xs:dateTime" type per Section 3.2.7 of [W3C.SCHEMA.DTYPES]. "xs:dateTime" type per Section 3.2.7 of [W3C.SCHEMA.DTYPES].
2.8. Timezone String 2.8. Timezone String
A timezone offset from UTC is represented in the information model by A timezone offset from UTC is represented in the information model by
the TIMEZONE data type. It is formatted according to the following the TIMEZONE data type. It is formatted according to the following
regular expression: regular expression: "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]".
"Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9](:[0-5][0-9])?".
The TIMEZONE data type is implemented in the data model as an The TIMEZONE data type is implemented in the data model as an
"iodef:TimezoneType" type. "iodef:TimezoneType" type.
2.9. Port Lists 2.9. Port Lists
A list of network ports is represented in the information model by A list of network ports is represented in the information model by
the PORTLIST data type. A PORTLIST consists of a comma-separated the PORTLIST data type. A PORTLIST consists of a comma-separated
list of numbers and ranges (N-M means ports N through M, inclusive). list of numbers and ranges (N-M means ports N through M, inclusive).
It is formatted according to the following regular expression: It is formatted according to the following regular expression:
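Review bot: values carrying a seconds component, such as "+05:30:00", that validated under -25 are rejected under -26 now that the TIMEZONE regular expression in Section 2.8 has lost the optional "(:[0-5][0-9])?" group; that narrowing is silent in the text itself, so it should be recorded for implementers tracking the draft, and a receiver that must still accept output from a -25 producer should normalize by dropping the trailing ":SS" before validation rather than rejecting the document outright. A second caveat for the prose form of the expression: "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]" is only implicitly anchored when used as an XSD pattern; an implementation that checks the value with a general-purpose regex engine must anchor it explicitly, e.g. "^(Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9])$", otherwise the "Z" branch matches inside any longer string.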
skipping to change at page 155, line 7 skipping to change at page 154, line 7
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
<xs:simpleType name="PortlistType"> <xs:simpleType name="PortlistType">
<xs:restriction base="xs:string"> <xs:restriction base="xs:string">
<xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/> <xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
<xs:simpleType name="TimezoneType"> <xs:simpleType name="TimezoneType">
<xs:restriction base="xs:string"> <xs:restriction base="xs:string">
<xs:pattern <xs:pattern
value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9](:[0-5][0-9])?"/> value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
<xs:complexType name="ExtensionType" mixed="true"> <xs:complexType name="ExtensionType" mixed="true">
<xs:sequence> <xs:sequence>
<xs:any namespace="##any" processContents="lax" <xs:any namespace="##any" processContents="lax"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="name" type="xs:string" use="optional"/> <xs:attribute name="name" type="xs:string" use="optional"/>
<xs:attribute name="dtype" <xs:attribute name="dtype"
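Review bot: the TimezoneType xs:pattern now agrees exactly with the Section 2.8 regular expression (both have dropped "(:[0-5][0-9])?"), which closes the gap between the information model and the data model for this type; since xs:pattern matching is whole-string, it is worth confirming that no example or prose elsewhere in the draft still shows a "+HH:MM:SS" offset, as such a value would now fail schema validation. Separately, the unchanged PortlistType pattern "\d+(\-\d+)?(,\d+(\-\d+)?)*" accepts any digit string, so neither the 0-65535 port range nor N <= M for an "N-M" range (which Section 2.9 defines as ports N through M, inclusive) is enforced by the schema; a consuming implementation needs an application-level check for both before using a PORTLIST to drive filtering.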
 End of changes. 15 change blocks. 
85 lines changed or deleted 84 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/