IODEF Incident Data Exchange Format Rhodes, 8 June 2004 Jan Meijer.

Presentation transcript:


2 The Problem
Security incidents DO occur and DO NOT magically disappear
This requires... people

3 Many actors involved in handling incidents
CSIRT capabilities
Sysadmins
End users
Management, legal, police, propaganda

4 They all communicate
What, Where, When, How, Who, Why
to fix a problem and get on with 'it'

5 Example report
From
Date: Tue, 2 May :27: (GMT)
From:
To:
Subject: Report of abuse from x.x.x.196 (196pc223.xxxxxxxx.nl)

Dear Sirs,

We would wish to report abuse from one of your users. This user has attempted a hack technique upon our server. The attack occurred at 5-Jun-04 00h57GMT, and was from IP x.x.x.196 (196pc223.xxxxxxxxx.nl). We would be grateful if you could investigate this user and take appropriate action. Please inform us of the result of your investigation. We appreciate your cooperation in reporting this incident to the proper authorities.

Best regards,

6 The IODEF idea
Exchange format
Unambiguous
Codify how to 'say' what, where, how, when, who
Machine parseable
Automate the load and generalize the automation
Enabler for all sorts of niceties: statistics, trend prediction, etc.

7 SURFnet-CERT#99999
Scan from xxx.xxx on port 2745/tcp (6 attempts)
None
T03:36:
SURFnet-CERT (+31)
GMT+0200
We would most appreciate if you could investigate, and deal with the offender as per your internal policies
T08:01:
xxx.xxx
Logs (5 lines at the most)
May 18 10:01:23 6W:gate.xxx.xxxx.xx KERN: TCP Not-Estb: xxx.xxx :3703->xxx.xx.84.83:2745
May 18 10:50:26 6W:gate.xxx.xxxx.xx KERN: TCP Not-Estb: xxx.xxx :1621->xxx.xx.84.39:2745
May 18 10:52:03 6W:gate.xxx.xxxx.xx KERN: TCP Not-Estb: xxx.xxx :4408->xxx.xx :2745
May 18 11:00:42 6W:gate.xxx.xxxx.xx KERN: TCP Not-Estb: xxx.xxx :4352->xxx.xx.85.15:2745
May 18 11:20:44 6W:gate.xxx.xxxx.xx KERN: TCP Not-Estb: xxx.xxx :3727->xxx.xx.85.78:2745
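Slides 6 and 7 make the case for a machine-parseable report: the free-text e-mail on slide 5 has to be read by a person, while the slide 7 report carries the same facts (reporting CSIRT, source, port, attempt count, evidence lines) as fields. The following added example, which is not code from the presentation or from any IODEF implementation, shows the sending and receiving side of that idea: it parses firewall lines in the "TCP Not-Estb: src:port->dst:port" format shown on slide 7, aggregates them into the fields the slide states by hand, emits them as an IODEF-style XML document, and reads the fields back without any free-text parsing. Element names are modelled on the IODEF v1 schema later published as RFC 5070 (an assumption of this example; the 2004 draft differed), the sample log lines are constructed with RFC 5737 TEST-NET addresses in place of the masked ones, and the incident id "99999" with reporter "SURFnet-CERT" is taken from the slide's "SURFnet-CERT#99999".

```python
"""Structured incident report from raw firewall log lines.

Added example; not code from the presentation or from any IODEF project.
Element names follow the IODEF v1 schema later published as RFC 5070
(an assumption of this example). The log format copies the
"TCP Not-Estb: src:port->dst:port" lines on slide 7, with constructed
RFC 5737 TEST-NET addresses instead of the masked ones.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"

# Constructed sample input in the format shown on slide 7.
SAMPLE_LOG = """\
May 18 10:01:23 6W:gate.example.net KERN: TCP Not-Estb: 192.0.2.10:3703->198.51.100.83:2745
May 18 10:50:26 6W:gate.example.net KERN: TCP Not-Estb: 192.0.2.10:1621->198.51.100.39:2745
May 18 10:52:03 6W:gate.example.net KERN: TCP Not-Estb: 192.0.2.10:4408->198.51.100.7:2745
May 18 11:00:42 6W:gate.example.net KERN: TCP Not-Estb: 192.0.2.10:4352->198.51.100.15:2745
May 18 11:20:44 6W:gate.example.net KERN: TCP Not-Estb: 192.0.2.10:3727->198.51.100.78:2745
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ KERN: TCP Not-Estb: "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


def parse_log(text):
    """One dict per matching line; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            e["raw"] = line.strip()  # keep the evidence line verbatim
            events.append(e)
    return events


def summarize(events):
    """Aggregate the events into the fields the slide's report states by hand."""
    if not events:
        raise ValueError("no parseable events")
    source = Counter(e["src"] for e in events).most_common(1)[0][0]
    port = Counter(e["dport"] for e in events).most_common(1)[0][0]
    return {
        "source": source,
        "port": port,
        "attempts": len(events),
        "targets": sorted({e["dst"] for e in events}),
    }


def build_report(events, incident_id, reporter):
    """Sending side: build an IODEF-style document (element names assumed, see lead-in)."""
    s = summarize(events)
    doc = ET.Element("IODEF-Document", version="1.00", xmlns=IODEF_NS)
    inc = ET.SubElement(doc, "Incident", purpose="reporting")
    ET.SubElement(inc, "IncidentID", name=reporter).text = incident_id
    ET.SubElement(inc, "ReportTime").text = datetime.now(timezone.utc).isoformat()
    ET.SubElement(inc, "Description").text = (
        f"Scan from {s['source']} on port {s['port']}/tcp ({s['attempts']} attempts)"
    )
    ev = ET.SubElement(inc, "EventData")
    flow = ET.SubElement(ev, "Flow")
    src_node = ET.SubElement(ET.SubElement(flow, "System", category="source"), "Node")
    ET.SubElement(src_node, "Address", category="ipv4-addr").text = s["source"]
    for target in s["targets"]:
        sys_el = ET.SubElement(flow, "System", category="target")
        node = ET.SubElement(sys_el, "Node")
        ET.SubElement(node, "Address", category="ipv4-addr").text = target
        svc = ET.SubElement(sys_el, "Service", ip_protocol="6")  # 6 = TCP
        ET.SubElement(svc, "Port").text = str(s["port"])
    # Raw evidence travels with the structured fields, as on slide 7.
    data = ET.SubElement(ET.SubElement(ev, "Record"), "RecordData")
    for e in events:
        ET.SubElement(data, "RecordItem", dtype="string").text = e["raw"]
    return doc


def to_xml(doc):
    return ET.tostring(doc, encoding="utf-8", xml_declaration=True)


def read_report(xml_bytes):
    """Receiving side: pull the fields back out without any free-text parsing."""
    ns = {"i": IODEF_NS}
    inc = ET.fromstring(xml_bytes).find("i:Incident", ns)
    return {
        "incident_id": inc.findtext("i:IncidentID", namespaces=ns),
        "source": inc.findtext(".//i:System[@category='source']/i:Node/i:Address", namespaces=ns),
        "targets": sorted(a.text for a in inc.findall(".//i:System[@category='target']/i:Node/i:Address", ns)),
        "port": int(inc.findtext(".//i:System[@category='target']/i:Service/i:Port", namespaces=ns)),
        "evidence": [r.text for r in inc.findall(".//i:RecordItem", ns)],
    }


if __name__ == "__main__":
    report = build_report(parse_log(SAMPLE_LOG), "99999", "SURFnet-CERT")
    print(to_xml(report).decode())
```

The receiving CSIRT gets source, targets, port and the evidence lines as typed fields, which is what makes the statistics and trend work on slide 6 possible; the same five lines in the slide 5 e-mail would need a human to extract them. Lines that do not match the expected format are skipped rather than guessed at, and `summarize` refuses an empty event list instead of emitting a report with no facts in it.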

8 Chronology
1999: IODEF
2001: RFC 3067, Requirements for IODEF
2002: Established IETF INCH WG
2003: libIH (AirCERT), eCSIRT.net, AsiaPac activities
2004: RID, simplification drive and need for exchange protocol in INCH

9 Deficiencies
Data model is large and complex
Ambiguous
Needs profiling for use
Not all data is easily mapped in IODEF
Does IODEF make daily life (handling incidents) easier?
"Overengineered"

10 Outlook
INCH continues
TF-CSIRT will experiment with building blocks for an incident-data exchange network
TF-CSIRT will closely follow INCH
We need to (and will) revisit our assumptions and will make something work to make life easier
Which might actually turn out to be IODEF :)