
IODEF Incident Data Exchange Format Rhodes, 8 June 2004 Jan Meijer.


1 IODEF Incident Data Exchange Format
http://www.iodef.org/
Rhodes, 8 June 2004
Jan Meijer

2 The Problem
Security incidents DO occur and DO NOT magically disappear
This requires... people

3 Many actors involved in handling incidents
CSIRT capabilities
Sysadmins
End users
Management, legal, police, propaganda

4 They all communicate
What, where, when, how, who, why
to fix a problem and get on with 'it'

5 Example report
From abuse@xxxxxxxxxxxxx.com
Date: Tue, 2 May 2004 01:27:10 +0000 (GMT)
From: abuse@xxxxxxxxxxxxp.com
To: info@surfnet.nl, abuse@surfnet.nl, netmaster@xxxxx.nl, abuse@xxxxxxx.nl, Guido.Aben@surfnet.nl
Subject: Report of abuse from x.x.x.196 (196pc223.xxxxxxxx.nl)

Dear Sirs,
We would wish to report abuse from one of your users. This user has attempted a hack technique upon our server. The attack occurred at 5-Jun-04 00h57GMT, and was from IP x.x.x.196 (196pc223.xxxxxxxxx.nl)
We would be grateful if you could investigate this user and take appropriate action. Please inform us of the result of your investigation. We appreciate your cooperation in reporting this incident to the proper authorities.
Best regards,

6 The IODEF idea
Exchange format
Unambiguous
Codify how to 'say' what, where, how, when, who
Machine parseable
Automate the load and generalize the automation
Enabler for all sorts of niceties: statistics, trend prediction, etc.

7 (Example IODEF document: element values as shown on the slide; the XML markup itself is not preserved)
SURFnet-CERT#99999
Scan from xxx.xxx.223.75 on port 2745/tcp (6 attempts)
None
2004-05-19T03:36:37+0000
SURFnet-CERT
cert@surfnet.nl
(+31)302305305
GMT+0200
We would most appreciate if you could investigate, and deal with the offender as per your internal policies
2004-05-18T08:01:23+0000
xxx.xxx.223.75
Logs (5 lines at the most)
May 18 10:01:23 6W:gate.xxx.xxxx.xx KERN: TCP Not-Estb: 1-4093 xxx.xxx.223.75:3703->xxx.xx.84.83:2745
May 18 10:50:26 6W:gate.xxx.xxxx.xx KERN: TCP Not-Estb: 1-4093 xxx.xxx.223.75:1621->xxx.xx.84.39:2745
May 18 10:52:03 6W:gate.xxx.xxxx.xx KERN: TCP Not-Estb: 1-4093 xxx.xxx.223.75:4408->xxx.xx.84.244:2745
May 18 11:00:42 6W:gate.xxx.xxxx.xx KERN: TCP Not-Estb: 1-4093 xxx.xxx.223.75:4352->xxx.xx.85.15:2745
May 18 11:20:44 6W:gate.xxx.xxxx.xx KERN: TCP Not-Estb: 1-4093 xxx.xxx.223.75:3727->xxx.xx.85.78:2745
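As an added example (not from the slides or the IODEF project), the slide-6 idea applied to the slide-7 incident: the script parses the five firewall log lines from slide 7, derives the scanner, the scanned port and the targets, emits the report as IODEF v1 XML, and reads it back with a standard XML parser instead of guessing at free text like the slide-5 e-mail. The element layout follows the later RFC 5070 schema (an assumption; the 2004 draft shown on the slide differs), and the Impact type "recon" and the "+02:00" timezone encoding are assumptions as well.

```python
import re
import xml.etree.ElementTree as ET
NS = "urn:ietf:params:xml:ns:iodef-1.0"  # IODEF v1 namespace (RFC 5070; later than the 2004 draft)
# The five firewall log lines shown on slide 7 (the slide counts 6 attempts but prints only 5).
LOGS = """May 18 10:01:23 6W:gate.xxx.xxxx.xx KERN: TCP Not-Estb: 1-4093 xxx.xxx.223.75:3703->xxx.xx.84.83:2745
May 18 10:50:26 6W:gate.xxx.xxxx.xx KERN: TCP Not-Estb: 1-4093 xxx.xxx.223.75:1621->xxx.xx.84.39:2745
May 18 10:52:03 6W:gate.xxx.xxxx.xx KERN: TCP Not-Estb: 1-4093 xxx.xxx.223.75:4408->xxx.xx.84.244:2745
May 18 11:00:42 6W:gate.xxx.xxxx.xx KERN: TCP Not-Estb: 1-4093 xxx.xxx.223.75:4352->xxx.xx.85.15:2745
May 18 11:20:44 6W:gate.xxx.xxxx.xx KERN: TCP Not-Estb: 1-4093 xxx.xxx.223.75:3727->xxx.xx.85.78:2745"""
FLOW = re.compile(r"(\S+):(\d+)->(\S+):(\d+)\s*$")  # "src:sport->dst:dport" at the end of each line

def parse_flows(logs):
    """Extract (source ip, scanned port, target ips) from the log tails."""
    hits = [m for m in (FLOW.search(l) for l in logs.splitlines()) if m]
    src, port = {m.group(1) for m in hits}, {int(m.group(4)) for m in hits}
    if len(src) != 1 or len(port) != 1: raise ValueError("expected one scanner and one scanned port")
    return src.pop(), port.pop(), [m.group(3) for m in hits]

def build_iodef(logs, csirt="SURFnet-CERT", incident_no="99999"):
    """Emit the slide-7 incident as IODEF v1 XML (values from the slide, layout per RFC 5070)."""
    src, port, targets = parse_flows(logs)
    doc = ET.Element("IODEF-Document", version="1.00", xmlns=NS)
    inc = ET.SubElement(doc, "Incident", purpose="reporting")
    ET.SubElement(inc, "IncidentID", name=csirt).text = incident_no
    ET.SubElement(inc, "ReportTime").text = "2004-05-19T03:36:37+0000"
    ET.SubElement(inc, "Description").text = f"Scan from {src} on port {port}/tcp ({len(targets)} attempts)"
    ET.SubElement(ET.SubElement(inc, "Assessment"), "Impact", type="recon", completion="failed")
    c = ET.SubElement(inc, "Contact", role="creator", type="organization")
    for tag, val in (("ContactName", csirt), ("Email", "cert@surfnet.nl"),
                     ("Telephone", "(+31)302305305"), ("Timezone", "+02:00")):
        ET.SubElement(c, tag).text = val
    ev = ET.SubElement(inc, "EventData")
    ET.SubElement(ev, "DetectTime").text = "2004-05-18T08:01:23+0000"
    flow = ET.SubElement(ev, "Flow")
    node = ET.SubElement(ET.SubElement(flow, "System", category="source"), "Node")
    ET.SubElement(node, "Address", category="ipv4-addr").text = src
    for t in targets:  # one target System per scanned host, each carrying the scanned tcp port
        tgt = ET.SubElement(flow, "System", category="target")
        ET.SubElement(ET.SubElement(tgt, "Node"), "Address", category="ipv4-addr").text = t
        ET.SubElement(ET.SubElement(tgt, "Service", ip_protocol="6"), "Port").text = str(port)
    rec = ET.SubElement(ET.SubElement(ev, "Record"), "RecordData")
    for line in logs.splitlines():  # the raw evidence travels inside the report
        ET.SubElement(rec, "RecordItem", dtype="string").text = line
    return ET.tostring(doc, encoding="unicode")

def summarize(xml_text):
    """Read the report back with a plain XML parser: the 'machine parseable' point of slide 6."""
    root, ns = ET.fromstring(xml_text), {"i": NS}
    src = root.find("i:Incident/i:EventData/i:Flow/i:System[@category='source']/i:Node/i:Address", ns).text
    port = int(root.find(".//i:System[@category='target']/i:Service/i:Port", ns).text)
    return src, port, len(root.findall(".//i:System[@category='target']", ns)), len(root.findall(".//i:RecordItem", ns))
```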

8 Chronology
1999: IODEF WG @ TF-CSIRT
2001: RFC 3067, Requirements for IODEF
2002: Established IETF INCH WG
2003: libIH (AirCERT), eCSIRT.net, AsiaPac activities
2004: RID, simplification drive and need for exchange protocol in INCH

9 Deficiencies
Data model is large, and complex
Ambiguous
Need profiling for use
Not all data is easily mapped in IODEF
Does IODEF make daily life (handling incidents) easier?
"Overengineered"

10 Outlook
INCH continues
TF-CSIRT will experiment with building blocks for an incident-data exchange network
TF-CSIRT will closely follow INCH
We need to (and will) revisit our assumptions and will make something work to make life easier
Which might actually turn out to be IODEF :)
