Incident Object Description and Exchange Format
TF-CSIRT IODEF Editorial Group: Jimmy Arvidsson, Andrew Cormack, Yuri Demchenko, Jan Meijer
2000. Yu.Demchenko. TERENA

Agenda
- IETF IDWG IDMEF Documents
- IODEF Documents
- Discussion of the IODEF Requirements Draft
- IODEF Model
- How to proceed?
- Evidence Collection and Archiving: Draft-ietf-grip-prot-evidence-01.txt
- TF-CSIRT interest?

IDMEF Documents
- Currently in the IETF IDWG standards process: IDMEF Requirements, IDMEF Data Model, IDMEF XML DTD, IDMEF ASN.1 MIB-II format, Intrusion Alert Protocol
- IDMEF is for Intrusion Detection Systems: root element Alert; short life history; data collected automatically

Incident Taxonomy and Classification WG at TF-CSIRT - History
- Incident Taxonomy and Classification BoF and Seminar at the 3rd CERT-COORD meeting in Vienna; i-taxonomy@terena.nl mailing list
- IODEF BoF at 12th FIRST: 30 attendees; iodef@terena.nl established
- Talks to IETF GRIP and IDWG at IETF-48
- Under discussion: IODEF documents to be finalised; discussion and contribution; implementations, new or coordinated

IODEF Documents
- Best Current Practice on Incident classification and reporting schemes. Version 1.
- Incident Object Description and Exchange Format Requirements. Draft Version 02.
- Incident Object Data Model. To be drafted.
- Incident Object Elements Description and XML Data Type Description (XML DTD). To be drafted.

Incident Object Description and Exchange Format Requirements - Draft Version 02
1. Abstract
2. Conventions used in this document
3. Introduction
   3.1. Rationale
   3.2. Incident Description Terms
4. General Requirements
5. Description Format
6. Communications Mechanisms Requirements
7. Message Contents
8. Incident Identifiers and Incident Identifiers Definition Process
9. References

3.2. Incident Description Terms
- Incident, Attack, Damage, Impact, Attacker, Target, Victim

4. General Requirements
- 4.1. The IODEF shall reference and use previously published RFCs where possible.

5. Description Format
- 5.1. The IODEF format shall support full internationalization and localization.
- 5.2. The format of IODEF must support filtering and/or aggregation of data.
- 5.3. IODEF must support the application of an access restriction policy attribute to every element.

6. Communications Mechanisms Requirements
- 6.1. IODEF exchange will normally be initiated by humans using standard communication protocols, for example e-mail, WWW/HTTP, LDAP.
- 7.2. The IODEF should support confidentiality of the message content during message exchange. The selected design should be capable of supporting a variety of encryption algorithms and must be adaptable to a wide variety of environments.
- 7.3. The IODEF should ensure the integrity of the message content. The selected design should be capable of supporting a variety of integrity mechanisms and must be adaptable to a wide variety of environments.
- 7.4. Authenticity and non-repudiation.

7. Message Contents
- 7.1. The root element of the IO description should contain a unique identification number, the IO purpose and a default permission level.
- 7.2. The content of the IODEF description should contain the type of the attack if it is known. It is expected that this type will be drawn from a standardized list of events; a new type of event may use a temporary implementation-specific type if the event type has not yet been standardized.
- 7.3. The IODEF description must be structured such that any relevant advisories, such as those from CERT/CC or CVE, can be referenced.
- 7.4. IODEF may include a detailed description of the attack that caused the current Incident.
- 7.5. The IODEF description must include or be able to reference additional detailed data related to the specific underlying event(s)/activity, often referred to as evidence.

7. Message Contents - Continued
- 7.6. The IODEF description MUST contain the description of the attacker and victim.
- 7.7. The IODEF description must support the representation of different types of device addresses, e.g. IP address (version 4 or 6) and Internet name.

7. Message Contents - Continued
- 7.8. IODEF must include the identity of the creator of the Incident Object (CSIRT or other authority). This may be the sender in an information exchange or the team currently handling the incident.
- 7.9. The IODEF description must contain an indication of the possible impact of this event on the target.
- 7.10. The IODEF must be able to state the degree of confidence which the originator has in the report information.
- 7.11. The IODEF description must provide information about the actions taken in the course of this incident by previous CSIRTs.

7. Message Contents - Continued
- 7.12. The IODEF must support reporting of the time of all stages along the Incident life-time.
- 7.13. Time shall be reported as the local time and time zone offset from UTC. (Note: see RFC 1902 for guidelines on reporting time.)
- 7.15. The format for reporting the date must be compliant with all current standards for Year 2000 rollover, and it must have sufficient capability to continue reporting date values past the year 2038.
- 7.16. Time granularity in IO time parameters shall not be specified by the IODEF.

7. Message Contents - Continued
- 7.17. The IODEF description must support an extension mechanism which may be used by implementers. This allows future implementation-specific or experimental data.
- 7.18. The semantics of the IODEF description must be well defined.

Incident Object Data Model
(chart)

IODEF standards process - How to proceed?
- Best Current Practice on Incident classification and reporting schemes, Version 1: go to standards track / Internet-Draft?
- Incident Object Description and Exchange Format Requirements, Draft Version 02: ready to submit to IETF. GRIP or IDWG or a new WG?
- Incident Object Data Model: to be drafted, currently just a chart
- Incident Object Elements Description and XML Data Type Description (XML DTD): to be drafted
- Evidence Collection and Archiving Format

Evidence Collection and Archiving - Draft-ietf-grip-prot-evidence-01.txt
2. Guiding Principles during Evidence Collection
   2.1. Order of volatility
   2.2. Things to avoid
3. The collection procedure
   3.1. Transparency
   3.2. Collection steps
4. The Archiving Procedure
   4.1. Chain of Custody
   4.2. The Archive
5. Tools you'll need

Evidence Collection and Archiving - The collection procedure
Collection steps:
- Where is the evidence?
- Establish what is likely to be relevant and admissible
- For each system, obtain the relevant order of volatility
- Remove the external avenues for change
- Collect the evidence
- Document each step
- Consider cryptographically signing
- Avoid changing the evidence
- Have a forensic CD with the necessary software

Evidence Collection and Archiving - The Archiving Procedure
Chain of custody: what needs to be documented
- Where, when and by whom was the evidence discovered
- Where, when and by whom was the evidence handled or examined
- Who had custody of the evidence, during what period, and how was it stored
- When the evidence changed custody, when and how did the transfer occur (include shipping number, etc.)
- Access to evidence should be extremely limited and should be clearly documented.
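The Message Contents requirements (7.1 to 7.18) and the per-element access restriction attribute (5.3) are the parts of the draft an implementer has to check mechanically. The following Python script is an added example, not code from the IODEF editorial group or from the draft: it represents an incident object as a dictionary and reports which of those requirements a given object violates. All field names, the permission and confidence vocabularies, the "x-" prefix for temporary attack types and extensions, and the placeholder standardized type list are assumptions of this example; the draft defines no element names.

```python
"""Check an incident object against the IODEF requirements-draft items
7.1, 7.2, 7.6-7.10, 7.12-7.13, 7.17 and 5.3 as listed above.

Field names and allowed values are this example's own assumptions;
the requirements draft does not define any element names."""
import ipaddress
import re
from datetime import datetime

# Constructed sample incident object (no real incident, addresses are documentation ranges).
SAMPLE_INCIDENT = {
    "id": "CSIRT-EXAMPLE-2000-0001",       # 7.1 unique identification number
    "purpose": "report",                   # 7.1 IO purpose
    "permission": "need-to-know",          # 7.1 default permission level (5.3 vocabulary)
    "creator": "CSIRT-EXAMPLE",            # 7.8 team that created the object
    "attack_type": "x-port-scan",          # 7.2 "x-" marks a temporary, non-standard type
    "references": ["ADVISORY-PLACEHOLDER"],  # 7.3 advisory references (placeholder id)
    "attacker": {"addresses": ["198.51.100.7"]},                  # 7.6 / 7.7
    "victim": {"addresses": ["2001:db8::10", "www.example.net"]},  # 7.6 / 7.7
    "impact": "service degradation",       # 7.9
    "confidence": "medium",                # 7.10
    "actions": ["blocked source at border router"],  # 7.11
    "times": {                             # 7.12 / 7.13: local time with UTC offset
        "detected": "2000-09-18T09:30:00+02:00",
        "reported": "2000-09-18T10:05:00+02:00",
        "review_due": "2040-01-01T00:00:00+00:00",  # 7.15: dates past 2038 must work
    },
    "restrictions": {"attacker": "private"},  # 5.3 per-element override of the default
    "extensions": {"x-example-ticket": "INC-42"},  # 7.17 implementer extension
}

PERMISSIONS = {"public", "need-to-know", "private"}   # assumed vocabulary
CONFIDENCE = {"low", "medium", "high"}                # assumed vocabulary
STANDARD_TYPES = {"dos", "scan", "compromise"}        # placeholder for the standardized list
HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def is_device_address(value: str) -> bool:
    """7.7: accept an IPv4 address, an IPv6 address or an Internet name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME.match(value))


def has_utc_offset(stamp: str) -> bool:
    """7.13: an ISO 8601 local time that carries its UTC offset."""
    try:
        return datetime.fromisoformat(stamp).tzinfo is not None
    except ValueError:
        return False


def check_incident(obj: dict) -> list:
    """Return the list of requirement violations; an empty list means the object passes."""
    problems = []
    required = (("id", "7.1"), ("purpose", "7.1"), ("permission", "7.1"),
                ("creator", "7.8"), ("attacker", "7.6"), ("victim", "7.6"),
                ("impact", "7.9"), ("confidence", "7.10"), ("times", "7.12"))
    for field, req in required:
        if not obj.get(field):
            problems.append(f"{req}: missing '{field}'")
    if obj.get("permission") not in PERMISSIONS:
        problems.append("7.1/5.3: permission must be one of " + ", ".join(sorted(PERMISSIONS)))
    for element, level in obj.get("restrictions", {}).items():
        if element not in obj or level not in PERMISSIONS:
            problems.append(f"5.3: bad restriction {element}={level}")
    attack = obj.get("attack_type")  # may be omitted when the type is unknown
    if attack is not None and attack not in STANDARD_TYPES and not attack.startswith("x-"):
        problems.append(f"7.2: attack_type '{attack}' is neither standardized nor marked x-")
    for party in ("attacker", "victim"):
        for addr in obj.get(party, {}).get("addresses", []):
            if not is_device_address(addr):
                problems.append(f"7.7: '{addr}' in {party} is neither an IP address nor an Internet name")
    if obj.get("confidence") not in CONFIDENCE:
        problems.append("7.10: confidence must be low, medium or high")
    for stage, stamp in obj.get("times", {}).items():
        if not has_utc_offset(stamp):
            problems.append(f"7.13: time for '{stage}' lacks a UTC offset: {stamp}")
    for key in obj.get("extensions", {}):
        if not key.startswith("x-"):
            problems.append(f"7.17: extension '{key}' must use the x- prefix")
    return problems


if __name__ == "__main__":
    print(check_incident(SAMPLE_INCIDENT) or "incident object satisfies the checked requirements")
```

The checker deliberately treats a missing attack type as acceptable (7.2 only requires the type "if it is known") but rejects a timestamp without an offset, since 7.13 makes the offset mandatory and a naive local time is ambiguous across the CSIRTs exchanging the object.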
Evidence Collection and Archiving - Draft-ietf-grip-prot-evidence-01.txt
Problems of the current I-D:
- No common format defined
- Needs some study of local legislation
- Privacy and enforcement
How can we contribute?
- Comment on the I-D
- Propose an evidence description format
- New document?
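The collection and archiving slides above ask for evidence that is not changed after collection, for each step to be documented, for a chain of custody recording who discovered, handled, held and transferred each item and when, and for considering cryptographic signing. The following Python module is an added example and not part of the draft or the presentation: it fingerprints an evidence item with SHA-256 and keeps an append-only custody log in which every entry links to the previous one and carries an HMAC tag, so that a modified or removed entry is detected on verification. The HMAC key stands in for the digital signature the draft suggests, the entry fields are this example's own, and the evidence bytes and shipping number are constructed placeholders.

```python
"""Evidence fingerprinting and a tamper-evident chain-of-custody log.

Each entry names the evidence by its SHA-256 digest, records the action
(discovered, transferred, examined), who, when (local time with UTC
offset) and where, and links to the previous entry's tag. Field names
and the HMAC-in-place-of-signature choice are this example's assumptions."""
import hashlib
import hmac
import json

TEAM_KEY = b"constructed-example-key-not-for-real-use"  # placeholder signing key


def evidence_digest(data: bytes) -> str:
    """Fingerprint of an evidence item; recompute later to show it was not changed."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    def __init__(self, key: bytes = TEAM_KEY):
        self._key = key
        self.entries = []

    def _tag(self, body: dict) -> str:
        # Canonical JSON so that the tag does not depend on dict ordering.
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def record(self, evidence: str, action: str, who: str, when: str,
               where: str, note: str = "") -> dict:
        """Append one custody event; 'prev' chains it to the entry before it."""
        prev = self.entries[-1]["tag"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "evidence": evidence, "action": action,
                "who": who, "when": when, "where": where, "note": note, "prev": prev}
        entry = {**body, "tag": self._tag(body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True when every tag matches its entry and the prev links form an unbroken chain."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "tag"}
            if body["seq"] != i or body["prev"] != prev:
                return False  # an entry was removed, reordered or inserted
            if not hmac.compare_digest(self._tag(body), entry["tag"]):
                return False  # the entry's content was altered after it was recorded
            prev = entry["tag"]
        return True

    def history(self, evidence: str) -> list:
        """(action, who, when) for one item, in the order the events were recorded."""
        return [(e["action"], e["who"], e["when"]) for e in self.entries
                if e["evidence"] == evidence]


def demo() -> CustodyLog:
    # Constructed evidence bytes; a real collection would read the captured image or dump.
    image = b"ARP cache and process list captured before power-off\n"
    digest = evidence_digest(image)
    log = CustodyLog()
    log.record(digest, "discovered", "analyst-a", "2000-09-18T09:40:00+02:00",
               "host srv-01 console", "volatile data, captured first (order of volatility)")
    log.record(digest, "transferred", "analyst-a -> analyst-b", "2000-09-18T12:00:00+02:00",
               "CSIRT evidence safe", "shipping no. PLACEHOLDER-001")
    log.record(digest, "examined", "analyst-b", "2000-09-19T08:15:00+02:00",
               "forensic workstation", "read-only mount")
    return log


if __name__ == "__main__":
    log = demo()
    print("chain intact:", log.verify())
    for event in log.history(log.entries[0]["evidence"]):
        print(*event)
```

The log answers the slide's questions (where, when, by whom; who held it and for how long; how each transfer happened) directly from the entries, and `verify()` is what an archive check or a later reviewer runs before relying on the record. A real deployment would replace the shared HMAC key with per-team signatures so that a log entry can also prove which team wrote it.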
Rationale 3.2. Incident Description Terms 4. General Requirements 5. Description Format 6. Communications Mechanisms Requirements 7. Message Contents 8. Incident Identifiers and Incident Identifiers Definition Process 9. Reference ?FC/?C / ? ? 1 ?4'??3.2. Incident Description Terms?   ?  ??7Incident Attack Damage Impact Attacker Target Victim ?88 ? 8 ?5(??4. General Requirements ?   ?  ??S? 4.1. The IODEF shall reference and use previously published RFCs where possible. ?(T R ?&>   ?6)??5. Description Format? ?  ?? ? 5.1. IODEF format shall support full internationalization and localization. ? 5.2. The format of IODEF must support filtering and/or aggregation of data. ? 5.3. IODEF must support the application of an access restriction policy attribute to every element. ? ? ?  ?7*??)6. Communications Mechanisms Requirements? *)  ? * ???? 6.1. IODEF exchange will normally be initiated by humans using standard communication protocols, for example, e-mail, WWW/HTTP, LDAP. ? ??? ? ? ?8+??7. Message Contents?   ?  ??37.1. The root element of the IO description should contain a unique identification number, IO purpose and default permission level ?7.2. The content of IODEF description should contain the type of the attack if it is known. It is expected that this type will be drawn from a standardized list of events; a new type of event may use a temporary implementation-specific type if the event type has not yet been standardized. 7.3. The IODEF description must be structured such that any relevant advisories, such as those from CERT/CC, CVE, can be referenced. 7.4. IODEF may include a detailed description of attack that caused the current Incident. 7.5. The IODEF description must include or be able to reference additional detailed data related to this specific underlying event(s)/activity, often referred as evidence. ?4Z3 ? 4 ?9,??7. Message Contents - Continue? ?  ???7.6. The IODEF description MUST contain the description of the attacker and victim. 7.7. 
The IODEF description must support the representation of different types of device addresses, e.g., IP address (version 4 or 6) and Internet name. ???? ? ? ?:-??7. Message Contents - Continue? ?  ??%7.8. IODEF must include the Identity of the creator of the Incident Object (CSIRT or other authority). This may be the sender in an information exchange or the team currently handling the incident. 7.9. The IODEF description must contain an indication of the possible impact of this event on the target. 7.10. The IODEF must be able to state the degree of confidence which the originator has in the report information. 7.11. The IODEF description must provide information about the actions taken in the course of this incident by previous CSIRTs ?&% ?  ?;.??7. Message Contents - Continue? ?  ???7.12. The IODEF must support reporting of the time of all stages along Incident life-time. 7.13. Time shall be reported as the local time and time zone offset from UTC. (Note: See RFC 1902 for guidelines on reporting time.) 7.14. The format for reporting the date must be compliant with all current standards for Year 2000 rollover, and it must have sufficient capability to continue reporting date values past the year 2038. 7.15. Time granularity in IO time parameters shall not be specified by the IODEF.??? ? ? ?I<??7. Message Contents - Continue? ?  ?? 7.16. The IODEF should support confidentiality of the message content. The selected design should be capable of supporting a variety of encryption algorithms and must be adaptable to a wide variety of environments. ? 7.17. The IODEF should ensure the integrity of the message content. The selected design should be capable of supporting a variety of integrity mechanisms and must be adaptable to a wide variety of environments. ?7.18. The IODEF should ensure the authenticity and non-repudiation of the message content.?   ?  ?</??7. Message Contents - Continue? ?  ???7.17. 
The IODEF description must support an extension mechanism which may be used by implementers. This allows future implementation-specific or experimental data. 7.18. The semantics of the IODEF description must be well defined. ??? ? ? ?C6??Incident Object Data Model?? ?? ?=0??FIODEF std process  How to proceed??$? $ ??RBest Current Practice on Incident classification and reporting schemes. Version 1 Go to std/i-d? Incident Object Description and Exchange Format Requirements Draft Version 02 Ready to submit to IETF  GRIP or IDWG or new WG? Incident Object Data Model To be drafted  currently just chart Incident Object Elements Description and XML Data Type Description (XML DTD) To be drafted Evidence Collection and Archiving Format ??I >2%N*I > 2%N*??2??GEvidence Collection and Archiving draft-ietf-grip-prot-evidence-01.txt?,H"$?F$  ???2. Guiding Principles during Evidence Collection 2.1. Order or volatility 2.2. Things to avoid 3. The collection procedure 3.1. Transparency 3.2. Collection steps 4. The Archiving Procedure 4.1. Chain of Custody 4.2. The Archive 5. Tools you ll need ??1.)'1.)'? ? ?@3??;Evidence Collection and Archiving The collection procedure?,<"? < ??HCollection steps Where is the evidence? Establish what is likely to be relevant and admissable For each system obtain the relevant list of volatility Remove the external avenue for change Collect the evidence Document each step Consider cryptographically signing Keep not changing Evidence Have a forensic CD with necessary SW?&88?&T   ? ?A4??:Evidence Collection and Archiving The Archiving Procedure?,;"? ; ??8Chain of custody  what need to be documented Where, when and by whom was the evidence discovered Where, when and by whom was the evidence handled or examined Who had custody of the evidence, during what period. How was it stored When the evidence changed custody, when and how did the transfer occur (include shipping number, etc.) 
Access to evidence should extremely limited, and should be clearly documented.?&.o.o? ? ?D7??GEvidence Collection and Archiving Draft-ietf-grip-prot-evidence-01.txt?,H"%?F#  ???Problems of current I-D No common format defined Needs some study of local legislation Privacy and re-enforcement How can we contribute Comment on I-D Propose Evidence description format New document? ???3?3   ? ? ?E8?? ?? ?F9?? ?? /?8? ? P??????? ? ??????0?( ? ???x ?? c ?$??B???x8????   ? ??x ?? c ?$?LC???Sg???  ? ??H ?? ? ?0???@??޽h?? ?? ??????????f??????r)??m?2? ?(?oIv??D?(`??` ??/? 0????DTimes New Roman$D?|?d?v? 0|?(? 0 ?DSymbolew Roman$D?|?d?v? 0|?(? 0  ?DMonotype Sorts$D?|?d?v? 0|?(? 0??f???? ? .??@  @@``???  @?n???" dd@?????????  @@``?? ~?v???pw*&3   ?)2  ?,b?$???D?ꄔJl2#3???4 S ?~??????????1???????????0? ??????n?@???????8???????g??4HdHdv? 0p?????????p?pp?0 ? <?4BdBd???? 0,??u?ʚ;2N??ʚ;<?4!d!d??{? 0??<?4dddd??{? 0???F?>?___PPT9? /? 0?z????-?42000. Yu.Demchenko. TERENA ?`Incident object Description and Exchange Format O? ?=??:???0Incident Object Description and Exchange Format ?$10/+???TF-CSIRT IODEF Editorial Group Jimmy Arvidsson Andrew Cormack Yuri Demchenko Jan Meijer ?,??"?T#                           ?B5??Agenda?  ???IETF IDWG IDMEF Documents IODEF Documents Discussion of IODEF Requirements Draft IODEF Model How to proceed? Evidence Collection and Archiving Draft-ietf-grip-prot-evidence-01.txt TF-CSIRT interest? ?j*C"8*C"8 ?:?$ ?G:??IDMEF Documents?&? ???Currently on the IETF IDWG std process IDMEF Requirements IDMEF Data Model IDMEF XML DTD IMDEF ANS.1 MIBII format Intrusion Alert Protocol IDMEF is for Intrusion Detection Systems Root element  Alert Short life history Data collected automatically ??'d)'d)  ?? ?H;??=Incident Taxonomy and Classification WG at TF-CSIRT - History?>> ? 
> ???Incident Taxonomy and Classification BoF and Seminar at 3rd CERT-COORD meeting in Vienna i-taxonomy@terena.nl mailing list IODEF BoF at 12th FIRST 30 attendees iodef@terena.nl established Talks to IETF GRIP and IDWG at IETF-48 Under discussion IODEF documents  to be finalised Discussion, contribution Implementations New or coordinated ??%W)'")% A )'"  )??$  C        \   = ?&??IODEF Documents? ??+Best Current Practice on Incident classification and reporting schemes. Version 1. Incident Object Description and Exchange Format Requirements Draft Version 02. Incident Object Data Model To be drafted Incident Object Elements Description and XML Data Type Description (XML DTD) To be drafted??I >NI >N ?>1??OIncident Object Description and Exchange Format Requirements - Draft Version 02? P?"?? ??01. Abstracts 2. Conventions used in this document 3. Introduction 3.1. Rationale 3.2. Incident Description Terms 4. General Requirements 5. Description Format 6. Communications Mechanisms Requirements 7. Message Contents 8. Incident Identifiers and Incident Identifiers Definition Process 9. Reference ?FC/?C / ? ? 1 ?4'??3.2. Incident Description Terms?   ?  ??7Incident Attack Damage Impact Attacker Target Victim ?88 ? 8 ?5(??4. General Requirements ?   ?  ??S? 4.1. The IODEF shall reference and use previously published RFCs where possible. ?(T R ?&>   ?6)??5. Description Format? ?  ?? ? 5.1. IODEF format shall support full internationalization and localization. ? 5.2. The format of IODEF must support filtering and/or aggregation of data. ? 5.3. IODEF must support the application of an access restriction policy attribute to every element. ? ? ?  ?7*??)6. Communications Mechanisms Requirements? *)  ? * ???? 6.1. IODEF exchange will normally be initiated by humans using standard communication protocols, for example, e-mail, WWW/HTTP, LDAP. ? ??? ? ? ?8+??7. Message Contents?   ?  ??37.1. 
The root element of the IO description should contain a unique identification number, IO purpose and default permission level ?7.2. The content of IODEF description should contain the type of the attack if it is known. It is expected that this type will be drawn from a standardized list of events; a new type of event may use a temporary implementation-specific type if the event type has not yet been standardized. 7.3. The IODEF description must be structured such that any relevant advisories, such as those from CERT/CC, CVE, can be referenced. 7.4. IODEF may include a detailed description of attack that caused the current Incident. 7.5. The IODEF description must include or be able to reference additional detailed data related to this specific underlying event(s)/activity, often referred as evidence. ?4Z3 ? 4 ?9,??7. Message Contents - Continue? ?  ???7.6. The IODEF description MUST contain the description of the attacker and victim. 7.7. The IODEF description must support the representation of different types of device addresses, e.g., IP address (version 4 or 6) and Internet name. ???? ? ? ?:-??7. Message Contents - Continue? ?  ??%7.8. IODEF must include the Identity of the creator of the Incident Object (CSIRT or other authority). This may be the sender in an information exchange or the team currently handling the incident. 7.9. The IODEF description must contain an indication of the possible impact of this event on the target. 7.10. The IODEF must be able to state the degree of confidence which the originator has in the report information. 7.11. The IODEF description must provide information about the actions taken in the course of this incident by previous CSIRTs ?&% ?  ?;.??7. Message Contents - Continue? ?  ???7.12. The IODEF must support reporting of the time of all stages along Incident life-time. 7.13. Time shall be reported as the local time and time zone offset from UTC. (Note: See RFC 1902 for guidelines on reporting time.) 7.14. 
The format for reporting the date must be compliant with all current standards for Year 2000 rollover, and it must have sufficient capability to continue reporting date values past the year 2038. 7.15. Time granularity in IO time parameters shall not be specified by the IODEF.??? ? ? ?I<??7. Message Contents - Continue? ?  ?? 7.16. The IODEF should support confidentiality of the message content. The selected design should be capable of supporting a variety of encryption algorithms and must be adaptable to a wide variety of environments. ? 7.17. The IODEF should ensure the integrity of the message content. The selected design should be capable of supporting a variety of integrity mechanisms and must be adaptable to a wide variety of environments. ?7.18. The IODEF should ensure the authenticity and non-repudiation of the message content.?   ?  ?</??7. Message Contents - Continue? ?  ???7.19. The IODEF description must support an extension mechanism which may be used by implementers. This allows      !"#$%&'()*+,-???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? future implementation-specific or experimental data. 7.20. The semantics of the IODEF description must be well defined. ??? ? ? ?C6??Incident Object Data Model?? ?? ?=0??FIODEF std process  How to proceed??$? $ ??RBest Current Practice on Incident classification and reporting schemes. Version 1 Go to std/i-d? Incident Object Description and Exchange Format Requirements Draft Version 02 Ready to submit to IETF  GRIP or IDWG or new WG? 
Incident Object Data Model To be drafted  currently just chart Incident Object Elements Description and XML Data Type Description (XML DTD) To be drafted Evidence Collection and Archiving Format ??I >2%N*I > 2%N*??2??GEvidence Collection and Archiving draft-ietf-grip-prot-evidence-01.txt?,H"$?F$  ???2. Guiding Principles during Evidence Collection 2.1. Order or volatility 2.2. Things to avoid 3. The collection procedure 3.1. Transparency 3.2. Collection steps 4. The Archiving Procedure 4.1. Chain of Custody 4.2. The Archive 5. Tools you ll need ??1.)'1.)'? ? ?@3??;Evidence Collection and Archiving The collection procedure?,<"? < ??HCollection steps Where is the evidence? Establish what is likely to be relevant and admissable For each system obtain the relevant list of volatility Remove the external avenue for change Collect the evidence Document each step Consider cryptographically signing Keep not changing Evidence Have a forensic CD with necessary SW?&88?&T   ? ?A4??:Evidence Collection and Archiving The Archiving Procedure?,;"? ; ??8Chain of custody  what need to be documented Where, when and by whom was the evidence discovered Where, when and by whom was the evidence handled or examined Who had custody of the evidence, during what period. How was it stored When the evidence changed custody, when and how did the transfer occur (include shipping number, etc.) Access to evidence should extremely limited, and should be clearly documented.?&.o.o? ? ?D7??GEvidence Collection and Archiving Draft-ietf-grip-prot-evidence-01.txt?,H"%?F#  ???Problems of current I-D No common format defined Needs some study of local legislation Privacy and re-enforcement How can we contribute Comment on I-D Propose Evidence description format New document? ???3?3   ? ? ?E8?? ?? ?F9?? ?? /?8? ? P??????? ? ??@???0?( ? ???x ?? c ?$?(????x8????   ? ??x ?? c ?$?????Sg???  ? ??H ?? ? ?0???@??޽h?? ?? ??????????f??????r?o<???<? ?o??Iv??C?(`??` ??/? 0????DTimes New Roman$D?|?d?v? 0|?(? 
0 ?DSymbolew Roman$D?|?d?v? 0|?(? 0  ?DMonotype Sorts$D?|?d?v? 0|?(? 0??f???? ? .??@  @@``???  @?n???" dd@?????????  @@``?? ~?v???pq*&3   ?)2  ?,b?$???D?ꄔJl2#3???4 S ?~??????????1???????????0? ??????n?@???????8???????g??4HdHdv? 0p?????????p?pp?0 ? <?4BdBd???? 0,???u?ʚ;2N??ʚ;<?4!d!d??{? 0??<?4dddd??{? 0???F?>?___PPT9? /? 0?z????-?42000. Yu.Demchenko. TERENA ?`Incident object Description and Exchange Format O? ?=??9???0Incident Object Description and Exchange Format ?$10/+???TF-CSIRT IODEF Editorial Group Jimmy Arvidsson Andrew Cormack Yuri Demchenko Jan Meijer ?,??"?T#                           ?B5??Agenda?  ???IETF IDWG IDMEF Documents IODEF Documents Discussion of IODEF Requirements Draft IODEF Model How to proceed? Evidence Collection and Archiving Draft-ietf-grip-prot-evidence-01.txt TF-CSIRT interest? ?j*C"8*C"8 ?:?$ ?G:??IDMEF Documents?&? ???Currently on the IETF IDWG std process IDMEF Requirements IDMEF Data Model IDMEF XML DTD IMDEF ANS.1 MIBII format Intrusion Alert Protocol IDMEF is for Intrusion Detection Systems Root element  Alert Short life history Data collected automatically ??'d)'d)  ?? ?H;??=Incident Taxonomy and Classification WG at TF-CSIRT - History?>> ? > ???Incident Taxonomy and Classification BoF and Seminar at 3rd CERT-COORD meeting in Vienna i-taxonomy@terena.nl mailing list IODEF BoF at 12th FIRST 30 attendees iodef@terena.nl established Talks to IETF GRIP and IDWG at IETF-48 Under discussion IODEF documents  to be finalised Discussion, contribution Implementations New or coordinated ??%W)'")% A )'"  )??$  C        \   = ?&??IODEF Documents? ??+Best Current Practice on Incident classification and reporting schemes. Version 1. Incident Object Description and Exchange Format Requirements Draft Version 02. Incident Object Data Model To be drafted Incident Object Elements Description and XML Data Type Description (XML DTD) To be drafted??I >NI >N ?>1??OIncident Object Description and Exchange Format Requirements - Draft Version 02? P?"?? 
??01. Abstracts 2. Conventions used in this document 3. Introduction 3.1. Rationale 3.2. Incident Description Terms 4. General Requirements 5. Description Format 6. Communications Mechanisms Requirements 7. Message Contents 8. Incident Identifiers and Incident Identifiers Definition Process 9. Reference ?FC/?C / ? ? 1 ?4'??3.2. Incident Description Terms?   ?  ??7Incident Attack Damage Impact Attacker Target Victim ?88 ? 8 ?5(??4. General Requirements ?   ?  ??S? 4.1. The IODEF shall reference and use previously published RFCs where possible. ?(T R ?&>   ?6)??5. Description Format? ?  ?? ? 5.1. IODEF format shall support full internationalization and localization. ? 5.2. The format of IODEF must support filtering and/or aggregation of data. ? 5.3. IODEF must support the application of an access restriction policy attribute to every element. ? ? ?  ?7*??)6. Communications Mechanisms Requirements? *)  ? * ???? 6.1. IODEF exchange will normally be initiated by humans using standard communication protocols, for example, e-mail, WWW/HTTP, LDAP. ? ??? ? ? ?8+??7. Message Contents?   ?  ??37.1. The root element of the IO description should contain a unique identification number, IO purpose and default permission level ?7.2. The content of IODEF description should contain the type of the attack if it is known. It is expected that this type will be drawn from a standardized list of events; a new type of event may use a temporary implementation-specific type if the event type has not yet been standardized. 7.3. The IODEF description must be structured such that any relevant advisories, such as those from CERT/CC, CVE, can be referenced. 7.4. IODEF may include a detailed description of attack that caused the current Incident. 7.5. The IODEF description must include or be able to reference additional detailed data related to this specific underlying event(s)/activity, often referred as evidence. ?4Z3 ? 4 ?9,??7. Message Contents - Continue? ?  ???7.6. 
The IODEF description MUST contain the description of the attacker and victim. 7.7. The IODEF description must support the representation of different types of device addresses, e.g., IP address (version 4 or 6) and Internet name. ???? ? ? ?:-??7. Message Contents - Continue? ?  ??%7.8. IODEF must include the Identity of the creator of the Incident Object (CSIRT or other authority). This may be the sender in an information exchange or the team currently handling the incident. 7.9. The IODEF description must contain an indication of the possible impact of this event on the target. 7.10. The IODEF must be able to state the degree of confidence which the originator has in the report information. 7.11. The IODEF description must provide information about the actions taken in the course of this incident by previous CSIRTs ?&% ?  ?;.??7. Message Contents - Continue? ?  ???7.12. The IODEF must support reporting of the time of all stages along Incident life-time. 7.13. Time shall be reported as the local time and time zone offset from UTC. (Note: See RFC 1902 for guidelines on reporting time.) 7.14. The format for reporting the date must be compliant with all current standards for Year 2000 rollover, and it must have sufficient capability to continue reporting date values past the year 2038. 7.15. Time granularity in IO time parameters shall not be specified by the IODEF.??? ? ? ?I<??7. Message Contents - Continue? ?  ?? 7.16. The IODEF should support confidentiality of the message content. The selected design should be capable of supporting a variety of encryption algorithms and must be adaptable to a wide variety of environments. ? 7.17. The IODEF should ensure the integrity of the message content. The selected design should be capable of supporting a variety of integrity mechanisms and must be adaptable to a wide variety of environments. ?7.18. The IODEF should ensure the authenticity and non-repudiation of the message content.?   ?  ?</??7. Message Contents - Continue? 
?  ???7.19. The IODEF description must support an extension mechanism which may be used by implementers. This allows future implementation-specific or experimental data. 7.20. The semantics of the IODEF description must be well defined. ??? ? ? ?C6??Incident Object Data Model?? ?? ?=0??FIODEF std process  How to proceed??$? $ ??RBest Current Practice on Incident classification and reporting schemes. Version 1 Go to std/i-d? Incident Object Description and Exchange Format Requirements Draft Version 02 Ready to submit to IETF  GRIP or IDWG or new WG? Incident Object Data Model To be drafted  currently just chart Incident Object Elements Description and XML Data Type Description (XML DTD) To be drafted Evidence Collection and Archiving Format ??I >2%N*I > 2%N*??2??GEvidence Collection and Archiving draft-ietf-grip-prot-evidence-01.txt?,H"$?F$  ???2. Guiding Principles during Evidence Collection 2.1. Order or volatility 2.2. Things to avoid 3. The collection procedure 3.1. Transparency 3.2. Collection steps 4. The Archiving Procedure 4.1. Chain of Custody 4.2. The Archive 5. Tools you ll need ??1.)'1.)'? ? ?@3??;Evidence Collection and Archiving The collection procedure?,<"? < ??HCollection steps Where is the evidence? Establish what is likely to be relevant and admissable For each system obtain the relevant list of volatility Remove the external avenue for change Collect the evidence Document each step Consider cryptographically signing Keep not changing Evidence Have a forensic CD with necessary SW?&88?&T   ? ?A4??:Evidence Collection and Archiving The Archiving Procedure?,;"? ; ??8Chain of custody  what need to be documented Where, when and by whom was the evidence discovered Where, when and by whom was the evidence handled or examined Who had custody of the evidence, during what period. How was it stored When the evidence changed custody, when and how did the transfer occur (include shipping number, etc.) 
Access to evidence should extremely limited, and should be clearly documented.?&.o.o? ? ?D7??GEvidence Collection and Archiving draft-ietf-grip-prot-evidence-01.txt?,H"%?F#  ???Problems of current I-D No common format defined Needs some study of local legislation Privacy and re-enforcement How can we contribute Comment on I-D Propose Evidence description format New document? ???3?3   ? ? /?8? ? P??????? ? ???????$?( ? ???r ?? S ??x????x8????   ? ??r ?? S ???r???Sg???  ? ??H ?? ? ?0???@??޽h?? ?? ??????????f??????rٶD???? ????Iv
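As an added illustration (not the draft's own data model, which the slides say is still to be drafted), the following Python sketch shows how a record could satisfy several of the section 7 requirements above: a unique identifier (7.1), creator (7.8), IPv4/IPv6/Internet-name addresses for attacker and victim (7.6, 7.7), timestamps carrying local time plus UTC offset that still work past 2038 (7.12 to 7.14), a confidence value (7.10), advisory references (7.3) and an integrity tag (7.17). All field names, the HMAC choice and the sample values are assumptions made here.

```python
"""Constructed sketch of an incident record meeting several IODEF
Requirements Draft 02 items. Field names are assumptions, not the draft's."""
import hashlib
import hmac
import ipaddress
import json
import uuid
from datetime import datetime, timedelta, timezone


def classify_address(value: str) -> str:
    """Req. 7.7: distinguish IPv4 and IPv6 addresses from Internet names."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        # Not an address literal: accept it as a host name only if every
        # label is made of letters, digits and hyphens.
        labels = value.rstrip(".").split(".")
        if not all(lbl and lbl.replace("-", "").isalnum() for lbl in labels):
            raise ValueError(f"not an address or Internet name: {value!r}")
        return "name"
    return "ipv4" if addr.version == 4 else "ipv6"


def format_timestamp(dt: datetime) -> str:
    """Req. 7.13/7.14: local time with an explicit UTC offset, ISO 8601 style.

    A four-digit year with no 32-bit epoch arithmetic keeps dates past 2038
    representable.
    """
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError("timestamp must carry a time zone offset (req. 7.13)")
    return dt.isoformat(timespec="seconds")


def build_incident_record(creator, attacker, victim, stages, confidence, advisories):
    """Assemble the record: id (7.1), creator (7.8), parties (7.6/7.7),
    one timestamp per life-cycle stage (7.12), confidence (7.10) and
    advisory references (7.3)."""
    if not 0.0 <= confidence <= 1.0:
        raise ValueError("confidence must lie in [0, 1]")
    return {
        "incident_id": str(uuid.uuid4()),  # unique identification number
        "creator": creator,
        "attacker": {"address": attacker, "address_type": classify_address(attacker)},
        "victim": {"address": victim, "address_type": classify_address(victim)},
        "times": {stage: format_timestamp(when) for stage, when in stages.items()},
        "confidence": confidence,
        "advisories": list(advisories),
    }


def canonical_bytes(record: dict) -> bytes:
    """Deterministic serialization so both sides compute the tag over the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def integrity_tag(record: dict, key: bytes) -> str:
    """Req. 7.17: HMAC-SHA256 over the canonical record (one possible mechanism).

    A shared-key MAC gives integrity and authenticity between the two parties
    but not the non-repudiation of req. 7.18, which needs a digital signature.
    """
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_integrity(record: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(integrity_tag(record, key), tag)


# Constructed sample data (documentation addresses and a year past 2038).
SAMPLE_KEY = b"constructed-shared-key"
SAMPLE_STAGES = {
    "detected": datetime(2040, 1, 15, 9, 30, tzinfo=timezone(timedelta(hours=2))),
    "reported": datetime(2040, 1, 15, 11, 5, tzinfo=timezone(timedelta(hours=2))),
}


def sample_record() -> dict:
    return build_incident_record(
        creator="CSIRT-EXAMPLE",
        attacker="2001:db8::1",
        victim="www.example.net",
        stages=SAMPLE_STAGES,
        confidence=0.8,
        advisories=["CERT-CC-ADVISORY-PLACEHOLDER"],
    )


if __name__ == "__main__":
    rec = sample_record()
    tag = integrity_tag(rec, SAMPLE_KEY)
    print(canonical_bytes(rec).decode(), tag, verify_integrity(rec, tag, SAMPLE_KEY))
```

Changing any field after tagging, for instance the confidence value, makes `verify_integrity` return False.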