IODEF: Incident Data Exchange Format
Jan Meijer
Rhodes, 8 June 2004
The Problem
- Security incidents DO occur and DO NOT magically disappear
- This requires... people
Many actors involved in handling incidents
- CSIRT capabilities
- Sysadmins
- End users
- Management, legal, police, propaganda
They all communicate
- What, where, when, how, who, why
- ...to fix a problem and get on with 'it'
Example report

From
Date: Tue, 2 May :27: (GMT)
From:
To:
Subject: Report of abuse from x.x.x.196 (196pc223.xxxxxxxx.nl)

Dear Sirs,

We would wish to report abuse from one of your users. This user has attempted a hack technique upon our server. The attack occurred at 5-Jun-04 00h57GMT, and was from IP x.x.x.196 (196pc223.xxxxxxxxx.nl)

We would be grateful if you could investigate this user and take appropriate action. Please inform us of the result of your investigation. We appreciate your cooperation in reporting this incident to the proper authorities.

Best regards,
The IODEF idea
- Exchange format
- Unambiguous: codify how to 'say' what, where, how, when, who
- Machine parseable: automate the load and generalize the automation
- Enabler for all sorts of niceties: statistics, trend prediction, etc.
Example IODEF document (the XML markup was lost in extraction; the recoverable field values follow)

Incident ID: SURFnet-CERT#99999
Description: Scan from xxx.xxx on port 2745/tcp (6 attempts)
None
Time: T03:36:
Contact: SURFnet-CERT, (+31), GMT+0200
Expectation: We would most appreciate if you could investigate, and deal with the offender as per your internal policies
Time: T08:01:
Source: xxx.xxx
Logs (5 lines at the most):
May 18 10:01:23 6W:gate.xxx.xxxx.xx KERN: TCP Not-Estb: xxx.xxx :3703->xxx.xx.84.83:2745
May 18 10:50:26 6W:gate.xxx.xxxx.xx KERN: TCP Not-Estb: xxx.xxx :1621->xxx.xx.84.39:2745
May 18 10:52:03 6W:gate.xxx.xxxx.xx KERN: TCP Not-Estb: xxx.xxx :4408->xxx.xx :2745
May 18 11:00:42 6W:gate.xxx.xxxx.xx KERN: TCP Not-Estb: xxx.xxx :4352->xxx.xx.85.15:2745
May 18 11:20:44 6W:gate.xxx.xxxx.xx KERN: TCP Not-Estb: xxx.xxx :3727->xxx.xx.85.78:2745
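The point of the two preceding slides (machine-parseable, automate the load) is easier to judge with working code. The following is an added example, not from the talk and not SURFnet-CERT's tooling: it parses router log lines in the "TCP Not-Estb" syntax shown above into structured events, derives the "Scan from X on port N (M attempts)" summary, emits an IODEF document, and parses that document back. The element names follow IODEF 1.0 as later standardized in RFC 5070 (the 2004 draft data model on the slides differs in detail); the log lines, addresses (RFC 5737 documentation ranges), contact details and timestamps are constructed placeholders.

```python
"""Log lines -> structured events -> IODEF 1.0 (RFC 5070) document -> parsed back.

Added example (not the slides' own code). Element/attribute names are from
RFC 5070; sample data, contact and timestamps are constructed assumptions.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = "urn:ietf:params:xml:ns:iodef-1.0"
NSMAP = {"iodef": NS}
ET.register_namespace("iodef", NS)

# Constructed sample logs in the syntax of the slide; addresses are RFC 5737 ranges.
SAMPLE_LOGS = """\
May 18 10:01:23 6W:gate.example.net KERN: TCP Not-Estb: 203.0.113.7:3703->198.51.100.83:2745
May 18 10:50:26 6W:gate.example.net KERN: TCP Not-Estb: 203.0.113.7:1621->198.51.100.39:2745
May 18 10:52:03 6W:gate.example.net KERN: TCP Not-Estb: 203.0.113.7:4408->198.51.100.12:2745
May 18 11:00:42 6W:gate.example.net KERN: TCP Not-Estb: 203.0.113.7:4352->198.51.100.15:2745
May 18 11:20:44 6W:gate.example.net KERN: TCP Not-Estb: 203.0.113.7:3727->198.51.100.78:2745
"""

# Assumed contact block for the reporting team (placeholder values).
CONTACT = {"name": "SURFnet-CERT", "email": "cert@example.net", "tz": "+02:00"}

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ KERN: TCP Not-Estb: "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)->(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)$"
)


def parse_logs(text):
    """Return one dict per matching line; lines of unknown shape are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        d["raw"] = line.strip()
        events.append(d)
    return events


def summarize(events):
    """Count attempts per (source, destination port): the slide's one-line description."""
    return Counter((e["src"], e["dport"]) for e in events)


def _el(parent, tag, text=None, **attrs):
    el = ET.SubElement(parent, f"{{{NS}}}{tag}", attrs)
    if text is not None:
        el.text = text
    return el


def build_iodef(events, tracker, number, report_time, detect_time, contact):
    """Emit an IODEF 1.0 document (as a str) for the most active source/port pair."""
    (src, dport), attempts = summarize(events).most_common(1)[0]
    hits = [e for e in events if e["src"] == src and e["dport"] == dport]
    targets = sorted({e["dst"] for e in hits})
    root = ET.Element(f"{{{NS}}}IODEF-Document", {"version": "1.00"})
    inc = _el(root, "Incident", purpose="reporting")
    _el(inc, "IncidentID", number, name=tracker)          # tracker#number
    _el(inc, "ReportTime", report_time)
    _el(inc, "Description", f"Scan from {src} on port {dport}/tcp ({attempts} attempts)")
    _el(_el(inc, "Assessment"), "Impact", "Port scan, no connection established",
        severity="low", completion="failed", type="recon")
    c = _el(inc, "Contact", role="creator", type="organization")
    _el(c, "ContactName", contact["name"])
    _el(c, "Email", contact["email"])
    _el(c, "Timezone", contact["tz"])
    ev = _el(inc, "EventData")
    _el(ev, "DetectTime", detect_time)
    flow = _el(ev, "Flow")
    _el(_el(_el(flow, "System", category="source"), "Node"), "Address", src, category="ipv4-addr")
    tgt = _el(flow, "System", category="target")
    node = _el(tgt, "Node")
    for dst in targets:
        _el(node, "Address", dst, category="ipv4-addr")
    _el(_el(tgt, "Service", ip_protocol="6"), "Port", str(dport))
    _el(_el(ev, "Expectation", action="investigate"), "Description",
        "Please investigate and deal with the offender as per your internal policies")
    rd = _el(_el(ev, "Record"), "RecordData")
    for e in hits:                                          # the raw evidence lines
        _el(rd, "RecordItem", e["raw"], dtype="string")
    return ET.tostring(root, encoding="unicode")


def parse_iodef(xml_text):
    """Read the fields back; rejects anything that is not an IODEF 1.0 document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS}}}IODEF-Document":
        raise ValueError("not an IODEF 1.0 document")
    inc = root.find("iodef:Incident", NSMAP)
    iid = inc.find("iodef:IncidentID", NSMAP)
    flow = inc.find("iodef:EventData/iodef:Flow", NSMAP)
    src = flow.find("iodef:System[@category='source']/iodef:Node/iodef:Address", NSMAP).text
    tgt = flow.find("iodef:System[@category='target']", NSMAP)
    items = inc.findall("iodef:EventData/iodef:Record/iodef:RecordData/iodef:RecordItem", NSMAP)
    return {
        "incident_id": f"{iid.get('name')}#{iid.text}",
        "description": inc.findtext("iodef:Description", namespaces=NSMAP),
        "source": src,
        "port": int(tgt.find("iodef:Service/iodef:Port", NSMAP).text),
        "targets": [a.text for a in tgt.findall("iodef:Node/iodef:Address", NSMAP)],
        "attempts": len(items),
    }


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    doc = build_iodef(evs, "SURFnet-CERT", "99999",
                      "2004-05-18T12:00:00+02:00", "2004-05-18T10:01:23+02:00", CONTACT)
    print(doc)
    print(parse_iodef(doc))
```

The parser side shows what "unambiguous" buys: the receiving CSIRT extracts source, port and attempt count by element name instead of by reading English. When the document comes from an untrusted peer, parse it with a hardened XML parser (e.g. defusedxml) and validate against the schema before acting on it; the stdlib parser used here is fine for the constructed input but is not a security boundary.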
Chronology
- 1999: IODEF
- 2001: RFC 3067, Requirements for IODEF
- 2002: IETF INCH WG established
- 2003: libIH (AirCERT), eCSIRT.net, AsiaPac activities
- 2004: RID, simplification drive and need for an exchange protocol in INCH
Deficiencies
- Data model is large and complex
- Ambiguous
- Needs profiling for use
- Not all data is easily mapped onto IODEF
- Does IODEF make daily life (handling incidents) easier?
- “Overengineered”
Outlook
- INCH continues
- TF-CSIRT will experiment with building blocks for an incident-data exchange network
- TF-CSIRT will closely follow INCH
- We need to (and will) revisit our assumptions and will make something work to make life easier
- Which might actually turn out to be IODEF :)