--> ]> Cisco Systems

pkampana@cisco.com

NICT

4-2-1, Nukui-Kitamachi Koganei Tokyo 184-8795 JP mio@nict.go.jp

MILE Working Group The Incident Object Description Exchange Format (IODEF) v2 (RFC7970) defines a data representation that provides a framework for sharing information about computer security incidents commonly exchanged by Computer Security Incident Response Teams (CSIRTs) . Since the IODEF model includes a wealth of available options that can be used to describe a security incident or issue, it can be challenging for security practitioners to develop tools that leverage IODEF for incident sharing. This document provides guidelines for IODEF implementers. It addresses how common security indicators can be represented in IODEF and use-cases of how IODEF is being used. This document aims to make IODEF's adoption by vendors easier and encourage faster and wider adoption of the model by CSIRTs around the world.

The Incident Object Description Exchange Format (IODEF) v2 defines a data representation that provides a framework for sharing computer security incident information commonly exchanged by Computer Security Incident Response Teams (CSIRTs). The IODEF data model consists of multiple classes and data types that are defined in the IODEF XML schema. The IODEF schema was designed to describe all the possible fields needed in a security incident exchange. Thus, IODEF contains a plethora of data constructs which could make it hard for IODEF implementers to decide which are important. Additionally, in the IODEF schema, there exist multiple fields and classes which do not necessarily need to be used in every possible data exchange. Moreover, some IODEF classes are useful only in rare circumstances. This document tries to address these concerns. It also presents how common security indicators can be represented in IODEF. It points out the most important IODEF classes for an implementer and describes other ones that are not as important. Also, it presents some common pitfalls for IODEF implementers and how to address them. The end goal of this document is to make IODEF's use by vendors easier and encourage wider adoption of the model by CSIRTs around the world. discusses the recommended classes and how an IODEF implementer should choose the classes to implement. presents common considerations a practitioner will come across and how to address them. goes over some common uses of IODEF.

The terminology used in this document follows the one defined in and .

It is important for IODEF implementers to distinguish how the IODEF classes will be used in incident information exchanges. It is also important to understand the most common IODEF classes that describe common security incidents or indicators. This section describes the most important classes and factors an IODEF practitioner should take into consideration before using IODEF or designing an implementation.

An IODEF document must include at least an Incident class, an xml:lang attribute that defines the supported language and the IODEF version attribute. An Incident must contain a purpose attribute and three mandatory-to-implement elements. These elements are Generation time class that describes the time of the incident, an IncidentID class and at least one Contact class. The structure of the minimal IODEF-Document is shown in .

--{1..*}--| ENUM purpose |<>----------| IncidentID | |ENUM xml:lang | | | +----------------+ | | | | | STRING name | +---------------+ | | +----------------+ | | | |<>----------[ GenerationTime ] | | | | +----------------+ | |<>--{1..*}--[ Contact | +--------------+ +----------------+ | ENUM role | | ENUM type | +----------------+ ]]>

The IncidentID class must contain at least a name attribute. In turn, the Contact class requires the type and role attributes, but no elements are required by the IODEF v2 specification. Nevertheless, at least one of the elements in the Contact class, such as an Email class, should be implemented so that the IODEF document is useful. Section 7.1 of presents a minimal IODEF document with only the mandatory classes and attributes. Implementers can also refer to Section 7 of and for example IODEF v2 documents.

There is no need for a practitioner to use or implement IODEF classes and fields other than the minimal ones () and the ones necessary for her use-cases. The implementer should carefully look into the schema and decide which classes to implement (or not). For example, if we have Distributed Denial of Service (DDoS) as a potential use-case, then the Flow class and its included information are the most important classes to use. The Flow class describes information related to the attacker and victim hosts, which information could help automated filtering or sink-hole operations. Another potential use-case is malware command and control (c2). After modern malware infects a device, it usually proceeds to connect to one or more c2 servers to receive instructions from its master and potentially exfiltrate information. To protect against such activity, it is important to interrupt the c2 communication by filtering the activity. IODEF can describe c2 activities using the Flow and the ServiceName classes. For use-cases where indicators need to be described, the IndicatorData class will be implemented instead of the EventData class. In summary, an implementer should identify her use-cases and find the classes that are necessary to support in IODEF v2. Implementing and parsing all IODEF classes can be cumbersome in some occasions and unnecessary. Other external schemata can also be used in IODEF to describe incidents or indicators. External schemata should be parsed accordingly only if the implementer's IODEF use-cases require external schema information. But even when an IODEF implementation cannot parse an external schema, the IODEF report can still be valuable to an incident response team. The information can also be useful when shared further with content consumers able to parse this information. IODEF supports multiple language translations of free-form, ML_STRING text in all classes . That way, text in Description elements can be translated to different languages by using a translation identifier in the class. Implementers should be able to parse iodef:MLStringType classes and extract only the information relevant to languages of interest.

contains classes that can describe attack Methods, Events, Incidents, Indicators, how they were discovered and the Assessment of the repercussions for the victim. It is important for IODEF users to know the distinction between these classes in order to decide which ones fulfill their use-cases. An IndicatorData class depicts a threat indicator or observable that could be used to describe a threat that resulted in an attempted attack. For example, we could see an attack happening but it might have been prevented and not have resulted in an incident or security event. On the other hand, an EventData class usually describes a security event and can be considered as a report of something that took place. Classes like Discovery, Assessment, Method, and RecoveryTime are used in conjunction with EventData as they related to the incident report described in the EventData. The RelatedActivity class can reference an incident, an indicator or other related threat activity. While deciding what classes are important for the needed use-cases, IODEF users should carefully evaluate the necessary classes and how these are used in order to avoid unnecessary work. For example, if we want to only describe indicators in IODEF, the implementation of Method or Assessment might not be important.

Implementers need to consider some common, standardized options for their IODEF use strategy.

The IODEF format includes the Reference class used for externally defined information such as a vulnerability, Intrusion Detection System (IDS) alert, malware sample, advisory, or attack technique. To facilitate the exchange of information, the Reference class was extended to the Enumeration Reference Format . The Enumeration Reference Format specifies a means to use external enumeration specifications (e.g. CVE) that could define an enumeration format, specific enumeration values, or both. As external enumerations can vary greatly, implementers should only support the ones expected to describe their specific use-cases.

The IODEF data model () is extensible. Many attributes with enumerated values can be extended using the "ext-*" prefix. Additional classes can also be defined by using the AdditionalData and RecordItem classes. An extension to the AdditionalData class for reporting Phishing emails is defined in . Information about extending IODEF class attributes and enumerated values can be found in Section 5 of . Additionally, IODEF can import existing schemata by using an extension framework defined in . The framework enables IODEF users to embed XML data inside an IODEF document using external schemata or structures defined by external specifications. Examples include CVE, CVRF and OVAL. enhances the IODEF capabilities without further extending the data model. IODEF implementers should not use their own IODEF extensions unless data cannot be represented using existing standards or importing them in an IODEF document using is not a suitable option.

An IODEF document can describe incident reports and indicators. The Indicator class can include references to other indicators, observables and more classes that contain details about the indicator. When describing security indicators, it is often common to need to group them together in order to form a group of indicators that constitute a security threat. For example, a botnet might have multiple command and control servers. For that reason, IODEF v2 introduced the IndicatorExpression class that is used to add the indicator predicate logic when grouping more than one indicators or observables. Implementations must be able to parse and apply the Boolean logic offered by an IndicatorExpression in order to evaluate the existence of an indicator. As explained in Section 3.29.5 of the IndicatorExpression element operator defines the operator applied to all the child element of the IndicatorExpression. If no operator is defined "and" should be assumed. IndicatorExpressions can also be nested together. Child IndicatorExpressions should be treated as child elements of their parent and they should be evaluated first before evaluated with the operator of their parent. Users can refer to for example uses of the IndicatorExpressions in an IODEF v2.

Access to information in IODEF documents should be tightly locked since the content may be confidential. IODEF has a common attribute, called "restriction", which indicates the disclosure guideline to which the sender expects the recipient to adhere to for the information represented in the class and its children. That way, the sender can express the level of disclosure for each component of an IODEF document. Appropriate external measures could be implemented based on the restriction level. One example is when Real-time Inter-network Defense (RID) is used to transfer the IODEF documents, it can provide policy guidelines for handling IODEF documents by using the RIDPolicy class. The enforcement of the disclosure guidelines is out of scope for IODEF. The recipient of the IODEF document needs to follow the guidelines, but these guidelines themselves do not provide any enforcement measures. For that purpose, implementers should consider appropriate privacy control measures, technical or operational for their implementation.

IODEF is currently used by various organizations in order to represent security incidents and share incident and threat information between security operations organizations.

In order to use IODEF, tools like IODEF parsers are necessary. describes a set of IODEF implementations and uses by various vendors and Computer Emergency Readiness Team (CERT) organizations. The document does not specify any specific mandatory to implement (MTI) IODEF classes but provides a list of real world uses. Perl and Python modules (XML::IODEF, Iodef::Pb, iodeflib) are some examples. Moreover, implementers are encouraged to refer to Section 7 of practical IODEF usage guidelines. , on the other hand, includes various vendor incident reporting products that can consume and export in IODEF format.

As an interoperability exercise, in 2013 a limited number of vendors organized and executed threat indicators exchanges in IODEF. The transport protocol used was RID. The threat information shared included indicators from DDoS attacks; and Malware incidents and Spear-Phishing that targets specific individuals after harvesting information about them. The results served as proof-of-concept (PoC) about how seemingly competing entities could use IODEF to exchange sanitized security information. As this was a PoC exercise only example information (no real threats) were shared as part of the exchanges.

-- carrying IODEF example -> --------- over TLS --------> <----- RID Ack message ----- <--- in case of failure ---- ]]>

shows how RID interactions took place during the PoC. Participating organizations were running RID Agent software on- premises. The RID Agents formed peering relationships with other participating organizations. When Entity X had a new incident to exchange it would package it in IODEF and send it to Entity Y over TLS in a RID Report message. In case there was an issue with the message, Entity Y would send an RID Acknowledgement message back to Entity X which included an application level message to describe the issue. Interoperability between RID agents implementing and was also confirmed. The first use-case included sharing of Malware Data Related to an Incident between CSIRTs. After Entity X detected an incident, she would put data about malware found during the incident in a backend system. Entity X then decided to share the incident information with Entity Y about the malware discovered. This could be a human decision or part of an automated process. Below are the steps followed for the malware information exchange that was taking place: Entity X has a sharing agreement with Entity Y, and has already been configured with the IP address of Entity Y’s RID Agent. Entity X’s RID Agent connects to Entity Y’s RID Agent, and mutual authentication occurs using PKI digital certificates. Entity X pushes out a RID Report message which contains information about N pieces of discovered malware. IODEF is used in RID to describe the Hash of malware files Registry settings changed by the malware C&C Information for the malware Entity Y receives RID Report message, sends RID Acknowledgement message Entity Y stores the data in a format that makes it possible for the back end to know which source the data came from. Another use-case was sharing a DDoS attack as explained in the following scenario: Entity X, a Critical Infrastructure and Key Resource (CIKR) company detects that their internet connection is saturated with an abnormal amount of traffic. Further investigation determines that this is an actual DDoS attack. Entity X's CSIT contacts their ISP, Entity Y, and shares information with them about the attack traffic characteristics. Entity X's ISP is being overwhelmed by the amount of traffic, so it shares attack signatures and IP addresses of the most prolific hosts with its adjacent ISPs. Below are the steps followed for a DDoS information exchange: Entity X has a sharing agreement with Entity Y, and has already been configured with the IP address of Entity Y’s RID Agent. Entity X’s RID Agent connects to Entity Y’s RID Agent, and mutual authentication occurs using PKI digital certificates. Entity X pushes out a RID Report message which contains information about the DDoS attack. IODEF is used in RID to describe the Start and Detect dates and times IP Addresses of nodes sending DDoS Traffic Sharing and Use Restrictions Traffic characteristics (protocols and ports) HTTP User-Agents used IP Addresses of C&C for a botnet Entity Y receives RID Report message, sends RID Acknowledgement message Entity Y stores the data in a format that makes it possible for the back end to know which source the data came from. Entity Y shares information with other ISP Entities it has an established relationship with. One more use-case was sharing spear-phishing email information as explained in the following scenario: The board members of several defense contractors receive a targeted email inviting them to attend a conference in San Francisco. The board members are asked to provide their personally identifiable information such as their home address, phone number, corporate email, etc in an attached document which came with the email. The board members are also asked to click on a URL which would allow them to reach the sign up page for the conference. One of the recipients believes the email to be a phishing attempt and forwards the email to their corporate CSIRT for analysis. The CSIRT identifies the email as an attempted spear phishing incident and distributes the indicators to their sharing partners. Below are the steps followed for a spear-phishing information exchange between CSIRTs that was part of this PoC. Entity X has a sharing agreement with Entity Y, and has already been configured with the IP address of Entity Y’s RID Agent. Entity X’s RID Agent connects to Entity Y’s RID Agent, and mutual authentication occurs using PKI digital certificates. Entity X pushes out a RID Report message which contains information about the spear-phishing email. IODEF is used in RID to describe the Attachment details (file Name, hash, size, malware family Target description (IP, domain, NSLookup) Email information (From, Subject, header information, date/time, digital signature) Confidence Score Entity Y receives RID Report message, sends RID Acknowledgement message Entity Y stores the data in a format that makes it possible for the back end to know which source the data came from. includes some of the incident IODEF example information that was exchanged by the organizations' RID Agents as part of this proof-of-concept.

Other use-cases of IODEF, other than the ones described above, could be: ISP notifying a national CERT or organization when it identifies and acts upon an incident and CERTs notifying ISPs when they are aware of incidents. Suspected phishing emails could be shared amongst organizations and national agencies. Automation could validate web content that the suspicious emails are pointing to. Identified malicious content linked in a phishing email could then be shared using IODEF. Phishing campaigns could thus be subverted much faster by automating information sharing using IODEF. When finding a certificate that should be revoked, a third-party would forward an automated IODEF message to the CA with the full context of the certificate and the CA could act accordingly after checking its validity. Alternatively, in the event of a compromise of the private key of a certificate, a third-party could alert the certificate owner about the compromise using IODEF.

This memo does not require any IANA actions.

This document does not incur any new security issues, since it only talks about the usage of IODEFv2 defined RFC7970. Nevertheless, readers of this document should refer to the Security Considerations section of .

In the following example the EventData class evaluates as a Flow of one System with source address being (192.0.2.104 OR 192.0.2.106) AND target address 198.51.100.1.

G90823490 C2 domains

192.0.2.104

192.0.2.106

198.51.100.1

]]>

Similarly, the FileData Class can be an observable in an IndicatorExpression. The hash values of two files can be used to match against an indicator using Boolean "or" logic. In the following example the indicator consists of either of the two files with two different hashes.

A4399IWQ File hash watchlist dummy.txt 141accec23e7e5157de60853cb1e01bc38042d 08f9086040815300b7fe75c184 dummy2.txt 141accec23e7e5157de60853cb1e01bc38042d 08f9086040815300b7fe75c184 ]]>

Below some of the incident IODEF example information that was exchanged by the vendors as part of this proof-of-concept Inter-vendor and Service Provider Exercise.

This example indicates malware and related URL for file delivery.

189801 2012-12-05T12:20:00+00:00 2012-12-05T12:20:00+00:00 Malware and related indicators Malware with C&C example.com CSIRT contact@csirt.example.com 192.0.2.200 /log-bin/lunch_install.php?aff_id=1&lunch_id=1&maddr=&action=install ]]>

The DDoS test exchanged information that described a DDoS including protocols and ports, bad IP addresses and HTTP User-Agent fields. The IODEF version used for the data representation was based on .

189701 2013-02-05T01:15:45+00:00 2013-02-05T00:34:45+00:00 2013-02-05T01:34:45+00:00 2013-02-05T01:15:45+00:00 DDoS Traffic Seen DDoS Traffic Dummy Test contact@dummytest.com Dummy Test sharing with ISP1 http://blog.spiderlabs.com/2011/01/loic-ddos- analysis-and-detection.html http://en.wikipedia.org/wiki/Low_Orbit_Ion_Cannon Low Orbit Ion Cannon User Agent 192.0.2.104 1337 192.0.2.106 1337 198.51.100.0/24 1337 2001:db8:dead:beef::1 1337 203.0.113.1 80 Information provided in Flow class instance is from Inspection of traffic from network tap G83345941 User-Agent string user-agent="Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"> ]]>

The Spear-Phishing test exchanged information that described a Spear-Phishing email including DNS records and addresses about the sender, malicious attached file information and email data. The IODEF version used for the data representation was based on .

189601 2013-01-04T08:06:12+00:00 2013-01-04T08:01:34+00:00 2013-01-04T08:31:27+00:00 2013-01-04T09:15:45+00:00 2013-01-04T09:15:45+00:00 Zeus Spear Phishing E-mail with Malware Attachment Malware with Command and Control Server and System Changes example.com CSIRT contact@csirt.example.com Targeting Defense Contractors, specifically board members attending Dummy Con Zeus http://www.zeusevil.example.com 192.0.2.166 65535 EXAMPLE-AS - University of Example" 192.0.2.0/24 mail1.evildave.example.com 198.51.100.6 65534 EXAMPLE-AS - University of Example evildave.example.com 2013-01-04T09:10:24+00:00 evildave.example.com MX prefernce = 10, mail exchanger = mail1.evildave.example.com mail1.evildave.example.com internet address = 198.51.100.6 zuesevil.example.com. IN TXT \"v=spf1 a mx -all\" Sending phishing mails emaildave@evildave.example.com Join us at Dummy Con StormRider 4.0 203.0.113.2 Dummy Con Sign Up Sheet.txt 152 141accec23e7e5157de60853cb1e01bc38042d 08f9086040815300b7fe75c184 FakeCA 57482937101 EvilDaveExample ]]>

In this test, malware information was exchanged using RID and IODEF. The information included file hashes, registry setting changes and the C&C servers the malware uses.

189234 2013-03-07T16:14:56.757+05:30 2013-03-07T16:14:56.757+05:30 Malware and related indicators identified Malware with Command and Control Server and System Changes example.com CSIRT contact@csirt.example.com http://www.threatexpert.example.com/report.aspx? md5=e2710ceb088dacdcb03678db250742b7 Zeus 203.0.113.200 http://zeus.556677889900.example.com/log-bin/ lunch_install.php?aff_id=1&amp; lunch_id=1&amp;maddr=&amp; action=install MHg2NzUxQTI1MzQ4M0E2N0Q4NkUwRjg0NzYwRjYxRjEwQkJDQzJFREZG MHgyRTg4ODA5ODBENjI0NDdFOTc5MEFGQTg5NTEzRjBBNA== HKLM\Software\Microsoft\Windows\ CurrentVersion\Run\tamg ?\?\?%System%\wins\mc.exe\?\?? HKLM\Software\Microsoft\ Windows\CurrentVersion\Run\dqo "\"\"%Windir%\Resources\ Themes\Luna\km.exe\?\?" http://www.threatexpert.example.com/report.aspx? md5=c3c528c939f9b176c883ae0ce5df0001 Cridex 203.0.113.100 8080 MHg3MjYzRkUwRDNBMDk1RDU5QzhFMEM4OTVBOUM1ODVFMzQzRTcxNDFD MHg0M0NEODUwRkNEQURFNDMzMEE1QkVBNkYxNkVFOTcxQw== HKLM\Software\Microsoft\Windows\ CurrentVersion\Run\KB00121600.exe \?\?%AppData%\KB00121600.exe\?\? ind-91011 evil c2 server, file hash, and registry key http://foo.example.com:12345/evil/cc.php 192.0.2.1 198.51.100.1 2001:db8:dead:beef::1 141accec23e7e5157de60853cb1e01bc38042d08f9086040815300b7fe75c184 HKLM\SYSTEM\CurrentControlSet\ Services\.Net CLR HKLM\SYSTEM\CurrentControlSet\ Services\.Net CLR\Parameters \"\"%AppData%\KB00121600.exe\"\" HKLM\SYSTEM\CurrentControlSet\Services\ .Net CLR\Parameters\ServiceDll C:\bad.exe HKLM\SYSTEM\CurrentControlSet\ Services\.Net CLR\Parameters\Bar Baz ]]>

The IoT Malware test exchanged information that described a bad IP address of IoT malware and its scanned ports. This example information is extracted from alert messages of a Darknet monitoring system referred in . The IODEF version used for the data representation was based on .

189802 2017-03-01T01:15:00+09:00 2017-03-01T01:15:00+09:00 IoT Malware and related indicators IoT Malware is scanning other hosts example.com CSIRT contact@csirt.example.com Detected by darknet monitoring 192.0.2.210 23 Example Surveillance Camera OS 2.1.1 198.51.100.1 23 198.51.100.94 23 198.51.100.237 2323 ]]>