Extended Incident Handling BOF (inch)

Monday, December 10 at 1300-1500
=================================

CHAIRS: Yuri Demchenko <demch@terena.nl> 
	Roman Danyliw <rdd@cert.org>

Mailing list info:

Incident Object Description and Exchange Format: iodef@terena.nl
To subscribe send this message to majordomo@terena.nl:
       subscribe iodef your_real_name <your_mail_address>
Mailing List Archive:
http://hypermail.terena.nl/iodef-list/mail-archive/


Agenda:

1. Agenda bashing and introductions (5 min)
2. Problem statement and the scope of work - RD (10 min)
3. Requirements for such a standard (including analysis of the current 
   IODEF requirements) - RD, JM
   3.1. Representation issues (i.e. what data needs to be in the 
        standard)- RD (10 min)
   3.2. How a standard would affect the CSIRT workflow - JM (15 min)
4. Current IODEF development
   4.1. Work of IODEF WG - JM (10 min)
   4.2. IODEF Design principles (including relation to IDMEF) 
        - YD (15 min)
   4.3. Presentation of current IODEF Data Model and XML DTD 
        document - RD (15 min)
5. Discussion: How to proceed and proposed Charter (30 min)
6. Conclusions (next steps, interest level, etc.) (15 min)

RD - Roman Danyliw
YD - Yuri Demchenko
JM - Jan Meijer


BOF Description
---------------

Problem statement

Just as the Internet on which they occur, computer security incidents
are distributed and potentially involve multiple Computer Security
Incident Response Teams (CSIRTs) across national borders, languages and
cultures.  The exchange of incident information and statistics among
CSIRTs is important both for reactive analysis of current intruder
activity and for proactive identification of trends that can lead to
incident prevention.

There is also a practical need to integrate relevant computer security
information (e.g., vulnerability and virus databases) into the Incident
Handling Systems used by CSIRTs.

Background

Recognising the advantages of collaboration, several attempts have been
made to establish information exchange between CSIRTs in Europe and
within the FIRST community.

From these collaborative efforts, it was noted that the key element for
information exchange is a standard format for describing an Incident
(Object).

There is ongoing work on the development of the Incident Object
Description and Exchange Format (IODEF) within the IODEF WG at TERENA
(http://www.terena.nl/task-forces/tf-csirt/iodef/).

The purpose of the IODEF is to define a common data format for the
description, archiving and exchange of information about incidents
between CSIRTs (including alerts, incidents under investigation,
archiving, statistics, reporting, etc.). The recently published RFC 3067
on the IODEF requirements describes the high-level requirements (and the
rationale behind them) for such a description and exchange format.

The issue targeted by developing IODEF is the need for a higher-level
Incident description and exchange format than will be provided by the
Intrusion Detection WG's (IDWG) proposed Intrusion Detection Message
Exchange Format (IDMEF).

The IODEF and IDMEF are not competing standards, but rather complement
each other.  Compatibility with IDMEF and other related standards is an
obligatory requirement for IODEF. IODEF should be vertically compatible
with IDMEF.  For example, IODEF should be able to include or reference
an IDMEF Alert message as the initial information about an Incident.

In September 2001, a pilot project was started at two European CSIRTs,
which will develop modules that use IODEF to exchange incident
information between their existing Incident Handling systems. This
project will provide real-world input to finalize the structure and
details of the current draft incident data model.

Standardizing the representation of a security incident has been
discussed at numerous TF-CSIRT seminars and FIRST conferences (two IODEF
BoFs were held, at FIRST12-2000 and FIRST13-2001), which demonstrated
wide interest from both the CSIRT community and commercial security
companies.


BOF purpose

The purpose of this BoF is to discuss the completeness and future
direction of the IODEF as a standard format for a computer security
incident.  The data model is currently being validated against 
real-world incidents. Therefore, feedback on its ability to describe 
the various facets of CSIRT-to-CSIRT communication is desired.

There is every intention to extend the work of the IETF IDWG by
representing incidents as higher-level elements of Network Security.
This issue was discussed at the last IDWG meeting at IETF50 and found
broad support from the group.

Additional information

Incident Taxonomy and Description Working Group at TERENA
http://www.terena.nl/task-forces/tf-csirt/iodef/

RFC 3067 TERENA's Incident Object Description and Exchange Format
Requirements
http://www.ietf.org/rfc/rfc3067.txt

Best Current Practice on Incident classification and reporting schemes.
Version 1.0
http://www.terena.nl/task-forces/tf-csirt/iodef/docs/BCPreport1.rtf

Incident Object Description and Exchange Format Data Model and
Extensible Markup Language (XML) Document Type Definition
(Pre-draft Version 0.03) - 1 December 2001
http://www.terena.nl/task-forces/tf-csirt/iodef/docs/draft-terena-iodef-xml-003.txt

Relations between IODEF and IDMEF Based on IDMEF XML DTD and Data Model
Analysis
http://www.ietf.org/proceedings/01mar/slides/idwg-5/index.html