DOCUMENT #: GSC15-GTSC-07 FOR: Presentation SOURCE: ITU-T AGENDA ITEM: 4.2
An overview of the Cybersecurity Information Exchange Framework (CYBEX)


1 Title slide
DOCUMENT #: GSC15-GTSC-07
FOR: Presentation
SOURCE: ITU-T
AGENDA ITEM: 4.2
CONTACT(S): chen.jianyong@zte.com.cn
An overview of the Cybersecurity Information Exchange Framework (CYBEX)
Jianyong CHEN, SG 17 Vice Chairman
Global Standards Collaboration (GSC), GSC-15

2 CYBEX Focus
What cybersecurity model? (diagram; its labels are listed here under the headings they sat beneath)
Measures for protection: encryption/VPNs (esp. for signalling); resilient infrastructure; routing and resource constraints; network/application state and integrity; identity management; data retention and auditing
Measures for threat detection: real-time data availability; forensics and heuristics analysis (provide data for analysis); blacklists and whitelists; vulnerability notices
Measures for thwarting and other remedies: investigation and measure initiation; deny resources; patch development; reputation sanctions
Legal remedies: contractual service agreements and federations; intergovernmental agreements and cooperation; tort and indemnification; regulatory/administrative law; criminal law (legal remedies may also institute protective measures)
Capabilities supported by information exchange: provide awareness of vulnerabilities and remedies; provide basis for actions; provide basis for legal remedies

3 The basic CYBEX model
Cybersecurity information acquisition (out of scope) -> Cybersecurity Entities -> CYBEX exchange -> Cybersecurity Entities -> Cybersecurity information use (out of scope)
CYBEX covers:
- structuring information
- identifying and discovering objects
- requesting and responding with information
- exchanging information over networks
- assured cybersecurity information exchanges

4 To whom and to what does CYBEX apply?
- Because the CYBEX framework provides technology-neutral information exchange specifications for cybersecurity, it can be applied by:
  - any system or product using a network
  - any vendor, service provider, or network operator
  - any agency or organization specifying, managing, or regulating the above
- The specifications are especially relevant to:
  - Computer Incident Response Teams (CIRTs) that must exchange incident information
  - Law enforcement authorities that must receive forensics
  - Any entity that must deal with the above

5 Highlights of current activities: specifications and their relationships
Vulnerability and state exchange:
- OVAL: Open Vulnerability and Assessment Language
- CWE: Common Weakness Enumeration
- CVE: Common Vulnerabilities and Exposures
- CPE: Common Platform Enumeration
- CVSS: Common Vulnerability Scoring System
- CWSS: Common Weakness Scoring System
- CCE: Common Configuration Enumeration
- XCCDF: eXtensible Configuration Checklist Description Format
- ARF: Assessment Result Format
- SCAP: Security Content Automation Protocol
Events, incidents and heuristics exchange:
- CEE: Common Event Expression
- IODEF: Incident Object Description Exchange Format
- IODEF extensions: Phishing, Fraud, and Misuse Format
- CAPEC: Common Attack Pattern Enumeration and Classification
- MAEC: Malware Attribution Enumeration and Characterization Format
- plus CPE, CWE, CVE, CEE and OVAL for low-level observables
Close collaboration with FIRST (Forum of Incident Response and Security Teams); FIRST becomes an observer of GSC.
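The enumerations above only become an exchange when a tool turns them into a structured record ("structuring information" in the basic model of slide 3). The following is an added illustration, not code from the ITU-T slides or from any CYBEX specification: it validates a CVE identifier, splits a CPE 2.2 URI into its named components, and computes a CVSS v2 base score from a base vector, then assembles the three into one record. The CVSS v2 equations and metric weights are those of the public CVSS v2 specification that X.cvss imports; the function names, field names and the sample CVE/CPE values are assumptions made for the example.

```python
import math
import re
from typing import Dict

# Added illustration, not part of the ITU-T slides: CVE, CPE 2.2 and CVSS v2
# handled the way a CYBEX-style exchange record would structure them.
# Function and field names are assumptions; the CVSS v2 weights and equations
# are those of the public CVSS v2 specification.

CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def is_valid_cve_id(cve_id: str) -> bool:
    """Syntactic check of a CVE identifier: CVE-<year>-<four or more digits>."""
    return CVE_ID_RE.match(cve_id) is not None


# CPE 2.2 URI binding: cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
CPE22_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe22(uri: str) -> Dict[str, str]:
    """Split a CPE 2.2 URI into named components; trailing components may be omitted."""
    prefix = "cpe:/"
    if not uri.startswith(prefix):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    parts = uri[len(prefix):].split(":")
    if len(parts) > len(CPE22_FIELDS):
        raise ValueError("too many components in %r" % uri)
    if parts[0] not in ("a", "h", "o"):  # application, hardware, operating system
        raise ValueError("CPE part must be a, h or o: %r" % uri)
    parts += [""] * (len(CPE22_FIELDS) - len(parts))
    return dict(zip(CPE22_FIELDS, parts))


# CVSS v2 base-metric weights from the CVSS v2 specification.
CVSS2_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},   # access vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},    # access complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},   # authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},    # confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},    # integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},    # availability impact
}


def cvss2_base_score(vector: str) -> float:
    """Compute the CVSS v2 base score of a base vector such as AV:N/AC:L/Au:N/C:P/I:P/A:P."""
    weights = {}
    for item in vector.split("/"):
        metric, _, value = item.partition(":")
        if metric not in CVSS2_WEIGHTS or value not in CVSS2_WEIGHTS[metric]:
            raise ValueError("unknown metric or value %r in %r" % (item, vector))
        if metric in weights:
            raise ValueError("metric %s repeated in %r" % (metric, vector))
        weights[metric] = CVSS2_WEIGHTS[metric][value]
    missing = [m for m in CVSS2_WEIGHTS if m not in weights]
    if missing:
        raise ValueError("vector %r lacks base metrics %s" % (vector, ", ".join(missing)))

    impact = 10.41 * (1 - (1 - weights["C"]) * (1 - weights["I"]) * (1 - weights["A"]))
    exploitability = 20 * weights["AV"] * weights["AC"] * weights["Au"]
    f_impact = 0.0 if impact == 0 else 1.176  # a vector with no impact at all scores 0.0
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return math.floor(raw * 10 + 0.5) / 10  # round half up to one decimal, as the spec does


def build_vulnerability_record(cve_id: str, cpe_uri: str, cvss_vector: str) -> dict:
    """Assemble one structured vulnerability record from the three identifiers."""
    if not is_valid_cve_id(cve_id):
        raise ValueError("malformed CVE identifier: %r" % cve_id)
    return {
        "cve": cve_id,
        "platform": parse_cpe22(cpe_uri),
        "cvss_v2": {"vector": cvss_vector, "base_score": cvss2_base_score(cvss_vector)},
    }


if __name__ == "__main__":
    # Constructed sample input; the CVE number and CPE name are placeholders, not real entries.
    record = build_vulnerability_record(
        "CVE-2010-0001", "cpe:/a:example_vendor:example_app:1.0",
        "AV:N/AC:L/Au:N/C:P/I:P/A:P")
    print(record)
```

The score function rejects a vector with a missing or repeated base metric rather than defaulting it, because a receiving CIRT has no way to tell a defaulted value from an asserted one once the record is exchanged; the same strictness is why the CPE parser refuses an unknown part letter.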

6 Challenges: how to identify, enable discovery, trust, and exchange information? (1/2)
Exchange Cluster, supported by:
- Identity Assurance Cluster: authentication assurance methods; authentication assurance levels; authentication assurance platforms
- Discovery Enabling Cluster (for parties, standards, schema, enumerations, instances and other objects): common namespace; discovery enabling mechanisms; request and distribution mechanisms
- Interaction Security: transport security

7 Challenges: how to identify, enable discovery, trust, and exchange information? (2/2)
- Vulnerability/State Exchange Cluster: knowledge base of weaknesses, vulnerabilities and exposures, and platforms; state assessment results; security state measurement; configuration checklists
- Event/Incident/Heuristics Exchange Cluster: event expressions (with extensions for DPI, traceback, smartgrid and phishing); malware patterns; incident and attack patterns
- Evidence Exchange Cluster: handover of real-time forensics; handover of retained-data forensics; electronic evidence discovery
- Terms and conditions

8 Next Steps/Actions
- Will provide three essential capabilities for any system or service:
  - Determining cyber-integrity of systems and services in a measurable way
  - Detecting and exchanging incident information to improve cyber-integrity
  - Providing forensics, when necessary, to appropriate authorities
- Includes:
  - Means for identifying, enumerating and exchanging knowledge about weaknesses, vulnerabilities, incidents
  - Measurable assurance (trust) for information and parties involved
- Extensible to any kinds of networks, services, or platforms, present and future; applicable to Clouds, Online Transaction Security, Smartgrids, eHealth, ...
- Open standards: most imported into ITU-T, published and maintained in multiple languages, and freely downloadable as X-series specifications
- Excludes:
  - Specific implementations (i.e., CYBEX is technology neutral)
  - How to implement
- CYBEX Framework and some initial stable specifications ready by Dec 2010
- Potentially ~20 additional in the 2011-2012 timeframe

9 Next Steps/Actions
31 Recommendations and 1 Supplement are in development. Among them, X.1209 (X.sisfreq) and X.1205 Supplement 8 are planned for approval, and the five other Recommendations below are planned for determination, in December 2010.
- X.sisfreq (X.1209): Capabilities and their context scenarios for cybersecurity information sharing and exchange
- X.cybex: Cybersecurity information exchange framework
- X.cve: Common Vulnerabilities and Exposures
- X.cvss: Common vulnerability scoring system
- X.gopw: Guideline on preventing malicious code spreading in a data communication network
- X.alerting: Procedures for the registration of arcs under the Alerting object identifier arc
- X.1205 Supplement 8: Draft Supplement to X-series Recommendation ITU-T X.1205, Supplement on best practices against botnet threats

10 Conclusions
- CYBEX can achieve enhanced cybersecurity and infrastructure protection, as well as accomplishing the principal functions performed by CIRTs and providing forensics to law enforcement authorities.
- Enabling discovery, measurable assurance and enabling exchange are the three essential technical capabilities of CYBEX.
- GSC-15 should continue the GSC14/11 Resolution with some necessary editorial updates.

11 Supplementary Slides

12 Weblinks
- ITU-T Cybersecurity Portal: http://www.itu.int/cybersecurity/
- SG17: http://www.itu.int/ITU-T/studygroups/com17/index.asp
- CYBEX web page: http://www.itu.int/ITU-T/studygroups/com17/cybex/index.html
- SG17 Q4 List of Network Forensics and Vulnerability Organisations: http://www.itu.int/ITU-T/studygroups/com17/nfvo/index.html
- FIRST: http://www.first.org/
- ENISA: http://www.enisa.europa.eu/

13 Who is involved*: it takes a global village
- Comparable government agencies of other countries/regions: Australia, Canada, China, EU, Germany, Kenya, Korea, Japan, Netherlands, Russia, Switzerland, Syria, UK, USA (potentially 191 countries)
- Vendors/Service Providers: Anatel, China Unicom, Cisco, CNRI, France Telecom, Huawei, Intel, KDDI, LAC, Microsoft, Nokia Siemens, NTT, Syrian Telecom, Telcordia, Verizon, Yaana, ZTE
- Other Bodies: APWG, CA/B Forum, BIS, CCDB, CNIS, ETSI, FIRST, GSC, IEEE ICSG, IETF, ISO SC6:SC27:TC68, other ITU-T SGs, ITU-D, ITU-R, MITRE, NSTAC, OASIS
* ITU-T Q4/17 participants and contributors. Does not include scores more in development communities.

