1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
|
<pre>Internet Engineering Task Force (IETF) C. Inacio
Request for Comments: 8134 CMU
Category: Informational D. Miyamoto
ISSN: 2070-1721 UTokyo
May 2017
<span class="h1">Management Incident Lightweight Exchange (MILE) Implementation Report</span>
Abstract
This document is a collection of implementation reports from vendors,
consortiums, and researchers who have implemented one or more of the
standards published from the IETF INCident Handling (INCH) and
Management Incident Lightweight Exchange (MILE) working groups.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see <a href="./rfc7841#section-2">Section 2 of RFC 7841</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc8134">http://www.rfc-editor.org/info/rfc8134</a>.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
<span class="grey">Inacio & Miyamoto Informational [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc8134">RFC 8134</a> MILE Implementation Report May 2017</span>
Table of Contents
<a href="#section-1">1</a>. Introduction . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
2. Consortiums and Information Sharing and Analysis Centers
(ISACs) . . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-2.1">2.1</a>. Anti-Phishing Working Group . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-2.2">2.2</a>. Advanced Cyber Defence Centre . . . . . . . . . . . . . . <a href="#page-4">4</a>
2.3. Research and Education Networking Information Sharing and
Analysis Center . . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-3">3</a>. Open Source Implementations . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-3.1">3.1</a>. EMC/RSA RID Agent . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-3.2">3.2</a>. NICT IODEF-SCI implementation . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-3.3">3.3</a>. n6 . . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-4">4</a>. Vendor Implementations . . . . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-4.1">4.1</a>. Deep Secure . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-4.2">4.2</a>. IncMan Suite, DFLabs . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-4.3">4.3</a>. Surevine Proof of Concept . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-4.4">4.4</a>. MANTIS Cyber-Intelligence Management Framework . . . . . <a href="#page-8">8</a>
<a href="#section-5">5</a>. Vendors with Planned Support . . . . . . . . . . . . . . . . <a href="#page-9">9</a>
<a href="#section-5.1">5.1</a>. Threat Central, HP . . . . . . . . . . . . . . . . . . . <a href="#page-9">9</a>
<a href="#section-5.2">5.2</a>. DAEDALUS, NICT . . . . . . . . . . . . . . . . . . . . . <a href="#page-9">9</a>
<a href="#section-6">6</a>. Other Implementations . . . . . . . . . . . . . . . . . . . . <a href="#page-10">10</a>
<a href="#section-6.1">6.1</a>. Collaborative Incident Management System . . . . . . . . <a href="#page-10">10</a>
<a href="#section-6.2">6.2</a>. Automated Incident Reporting - AirCERT . . . . . . . . . <a href="#page-10">10</a>
<a href="#section-6.3">6.3</a>. US Department of Energy CyberFed . . . . . . . . . . . . <a href="#page-11">11</a>
<a href="#section-7">7</a>. Implementation Guide . . . . . . . . . . . . . . . . . . . . <a href="#page-11">11</a>
<a href="#section-7.1">7.1</a>. Code Generators . . . . . . . . . . . . . . . . . . . . . <a href="#page-11">11</a>
<a href="#section-7.2">7.2</a>. iodeflib . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-13">13</a>
<a href="#section-7.3">7.3</a>. iodefpm . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-13">13</a>
<a href="#section-7.4">7.4</a>. Usability . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-13">13</a>
<a href="#section-8">8</a>. IANA Considerations . . . . . . . . . . . . . . . . . . . . . <a href="#page-14">14</a>
<a href="#section-9">9</a>. Security Considerations . . . . . . . . . . . . . . . . . . . <a href="#page-14">14</a>
<a href="#section-10">10</a>. Informative References . . . . . . . . . . . . . . . . . . . <a href="#page-14">14</a>
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-16">16</a>
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-16">16</a>
<span class="grey">Inacio & Miyamoto Informational [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc8134">RFC 8134</a> MILE Implementation Report May 2017</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
This document is a collection of information about security incident
reporting protocols and the implementation of systems that use them
to share such information. It is simply a collection of information,
and it makes no attempt to compare the various standards or
implementations. As such, it will be of interest to network
operators who wish to collect and share such data.
Operationally, operators would need to decide which incident data
collection group they want to be part of, and that choice will
strongly influence their choice of reporting protocol and
applications used to gather and distribute the data.
This document is a collection of implementation reports from vendors
and researchers who have implemented one or more of the standards
published from the INCH and MILE working groups. The standards
include:
o Incident Object Description Exchange Format (IODEF) v1 [<a href="./rfc5070" title=""The Incident Object Description Exchange Format"">RFC5070</a>]
o Incident Object Description Exchange Format (IODEF) v2 [<a href="./rfc7970" title=""The Incident Object Description Exchange Format Version 2"">RFC7970</a>]
o Extensions to the IODEF-Document Class for Reporting Phishing
[<a href="./rfc5901" title=""Extensions to the IODEF-Document Class for Reporting Phishing"">RFC5901</a>]
o Sharing Transaction Fraud Data [<a href="./rfc5941" title=""Sharing Transaction Fraud Data"">RFC5941</a>]
o Real-time Inter-network Defense (RID) [<a href="./rfc6545" title=""Real-time Inter-network Defense (RID)"">RFC6545</a>]
o Transport of Real-time Inter-network Defense (RID) Messages over
HTTP/TLS [<a href="./rfc6546" title=""Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS"">RFC6546</a>]
o Incident Object Description Exchange Format (IODEF) Extension for
Structured Cybersecurity Information (SCI) [<a href="./rfc7203" title=""An Incident Object Description Exchange Format (IODEF) Extension for Structured Cybersecurity Information"">RFC7203</a>]
The implementation reports included in this document have been
provided by the team or product responsible for the implementations
of the mentioned RFCs. A more complete list of implementations,
including open source efforts and vendor products, can also be found
at the following location:
<<a href="http://siis.realmv6.org/implementations/">http://siis.realmv6.org/implementations/</a>>
<span class="grey">Inacio & Miyamoto Informational [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc8134">RFC 8134</a> MILE Implementation Report May 2017</span>
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Consortiums and Information Sharing and Analysis Centers (ISACs)</span>
<span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a>. Anti-Phishing Working Group</span>
The Anti-Phishing Working Group (APWG) is one of the biggest
coalitions against cybercrime, especially phishing. In order to
collect threat information in a structured format, APWG provides a
phishing and cybercrime reporting tool that sends threat information
to APWG by tailoring information with the IODEF format, based on <a href="./rfc5070">RFC</a>
<a href="./rfc5070">5070</a> [<a href="./rfc5070" title=""The Incident Object Description Exchange Format"">RFC5070</a>] and <a href="./rfc5901">RFC 5901</a> [<a href="./rfc5901" title=""Extensions to the IODEF-Document Class for Reporting Phishing"">RFC5901</a>].
<span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a>. Advanced Cyber Defence Centre</span>
The Advanced Cyber Defence Centre (ACDC) is a Europe-wide activity to
fight against botnets. ACDC provides solutions to mitigate on-going
attacks and consolidates information provided by various stakeholders
into a pool of knowledge. Within ACDC, IODEF is one of the supported
schemas for exchanging the information.
<span class="h3"><a class="selflink" id="section-2.3" href="#section-2.3">2.3</a>. Research and Education Networking Information Sharing and Analysis</span>
<span class="h3"> Center</span>
The Research and Education Networking Information Sharing and
Analysis Center (REN-ISAC) is a private community of researchers and
higher-education members that share threat information and employs
IODEF formatted-messages to exchange information.
REN-ISAC also recommends using an IODEF attachment provided with a
notification email for processing rather than relying on parsing of
the body text of email. The tools provided by REN-ISAC are designed
to handle such email.
<<a href="http://www.ren-isac.net/notifications/using_iodef.html">http://www.ren-isac.net/notifications/using_iodef.html</a>>
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Open Source Implementations</span>
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. EMC/RSA RID Agent</span>
The EMC/RSA RID agent is an open source implementation of the IETF
standards for the exchange of incident and indicator data. The code
has been released under an MIT license, and development will continue
with the open source community at the GitHub site for RSA
Intelligence Sharing:
<<a href="https://github.com/RSAIntelShare/RID-Server.git">https://github.com/RSAIntelShare/RID-Server.git</a>>
<span class="grey">Inacio & Miyamoto Informational [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc8134">RFC 8134</a> MILE Implementation Report May 2017</span>
The code implements the Real-time Inter-network Defense (RID)
described in <a href="./rfc6545">RFC 6545</a> [<a href="./rfc6545" title=""Real-time Inter-network Defense (RID)"">RFC6545</a>] and the Transport of RID over HTTP/
TLS protocol described in [<a href="./rfc6546" title=""Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS"">RFC6546</a>]. The code supports the evolving
Incident Object Description Exchange Format (IODEF) data model
[<a href="./rfc7970" title=""The Incident Object Description Exchange Format Version 2"">RFC7970</a>] from the work in the IETF Managed Incident Lightweight
Exchange (MILE) working group.
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. NICT IODEF-SCI implementation</span>
Japan's National Institute of Information and Communications
Technology (NICT) Network Security Research Institute implemented
open source tools for exchanging, accumulating, and locating IODEF-
SCI [<a href="./rfc7203" title=""An Incident Object Description Exchange Format (IODEF) Extension for Structured Cybersecurity Information"">RFC7203</a>] documents.
Three tools are available from GitHub. These tools assist the
exchange of IODEF-SCI documents between parties. IODEF-SCI [<a href="./rfc7203" title=""An Incident Object Description Exchange Format (IODEF) Extension for Structured Cybersecurity Information"">RFC7203</a>]
extends IODEF so that an IODEF document can embed Structured
Cybersecurity Information (SCI). For instance, it can embed Malware
Metadata Exchange Format (MMDEF), Common Event Expression (CEE),
Malware Attribute Enumeration and Characterization (MAEC) in XML, and
Common Vulnerabilities and Exposures (CVE) identifiers.
The three tools are generator, exchanger, and parser. The generator
generates IODEF-SCI documents or appends XML to an existing IODEF
document. The exchanger sends the IODEF document to a specified
correspondent node. The parser receives, parses, and stores the
IODEF-SCI document. The parser also creates an interface that
enables users to locate IODEF-SCI documents that have previously been
received. The code has been released under an MIT license and
development will continue on GitHub.
Note that users can enjoy using this software at their own risk.
Available Online:
<<a href="https://github.com/TakeshiTakahashi/IODEF-SCI">https://github.com/TakeshiTakahashi/IODEF-SCI</a>>
<span class="h3"><a class="selflink" id="section-3.3" href="#section-3.3">3.3</a>. n6</span>
n6 is a platform for processing security-related information; it was
developed by the Poland Research and Academic Computer Network (NASK)
Computer Emergency Response Team (CERT) Polska. The n6 API provides
a common and unified way of representing data across the different
sources that participate in knowledge management.
n6 exposes a REST-ful (Representational State Transfer) API over
HTTPS with mandatory authentication via Transport Layer Security
(TLS) client certificates to ensure confidential and trustworthy
<span class="grey">Inacio & Miyamoto Informational [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc8134">RFC 8134</a> MILE Implementation Report May 2017</span>
communications. Moreover, it uses an event-based data model for
representation of all types of security information.
Each event is represented as a JSON object with a set of mandatory
and optional attributes. n6 also supports alternative output data
formats for keeping compatibility with existing systems - IODEF and
CSV - although these formats lack some of the attributes that may be
present in the native JSON format.
Available Online:
<<a href="https://github.com/CERT-Polska/n6sdk">https://github.com/CERT-Polska/n6sdk</a>>
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Vendor Implementations</span>
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. Deep Secure</span>
Deep-Secure Guards are built to protect a trusted domain from:
o releasing sensitive data that does not meet the organizational
security policy, and
o applications receiving badly constructed or malicious data that
could exploit a vulnerability (known or unknown).
Deep-Secure Guards support HTTPS and the Extensible Messaging and
Presence Protocol (XMPP -- optimized server-to-server protocol),
transports. The Deep-Secure Guards support transfer of XML-based
business content by creating a schema to translate the known good
content to and from the intermediate format. This means that the
Deep-Secure Guards can be used to protect:
o IODEF/RID using the HTTPS transport binding [<a href="./rfc6546" title=""Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS"">RFC6546</a>]
o IODEF/RID using an XMPP binding
o Resource-Oriented Lightweight Indicator Exchange (ROLIE) using
HTTPS transport binding [<a href="#ref-XEP-0268" title=""XEP-0268: Incident Handling"">XEP-0268</a>]
o Structured Threat Information Expression (STIX) / Trusted
Automated Exchange of Indicator Information (TAXII) using the
HTTPS transport binding
Deep-Secure Guards also support the SMTP transport and perform deep
content inspection of content including XML attachments. The Mail
Guard supports S/MIME, and Deep Secure is working on support for the
upcoming PLASMA standard, which enables an information-centric policy
enforcement of data use.
<span class="grey">Inacio & Miyamoto Informational [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc8134">RFC 8134</a> MILE Implementation Report May 2017</span>
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. IncMan Suite, DFLabs</span>
The Incident Object Description Exchange Format, documented in <a href="./rfc5070">RFC</a>
<a href="./rfc5070">5070</a> [<a href="./rfc5070" title=""The Incident Object Description Exchange Format"">RFC5070</a>], defines a data representation that provides a
framework for sharing information commonly exchanged by Computer
Security Incident Response Teams (CSIRTs) about computer security
incidents. IncMan Suite implements the IODEF standard for exchanging
details about incidents, either for exporting or importing
activities. This has been introduced to enhance the capabilities of
the various CSIRTs to facilitate collaboration and sharing of useful
experiences (sharing awareness on specific cases).
The IODEF implementation is specified as an XML schema; therefore all
data are stored in an XML file. In this file, all the data of an
incident are organized in a hierarchical structure to describe the
various objects and their relationships.
The IncMan Suite relies on IODEF as a transport format, which is
composed by various classes for describing the entities that are part
of the incident description. For instance, the various relevant
timestamps (detection time, start time, end time, and report time),
the techniques used by the intruders to perpetrate the incident, the
impact of the incident, technical and non-technical (time and
monetary), and obviously all systems involved in the incident.
<span class="h4"><a class="selflink" id="section-4.2.1" href="#section-4.2.1">4.2.1</a>. Exporting Incidents</span>
Each incident defined in the IncMan Suite can be exported via a user
interface feature, and it will create an XML document. Due to the
nature of the data processed, the IODEF extraction might be
considered privacy sensitive by the parties exchanging the
information or by those described by it. For this reason, specific
care needs to be taken in ensuring the distribution to an appropriate
audience or third party, either during the document exchange or the
subsequent processing.
The XML document generated will include a description and details of
the incident along with all the systems involved and the related
information. At this stage, it can be distributed for import into a
remote system.
<span class="h4"><a class="selflink" id="section-4.2.2" href="#section-4.2.2">4.2.2</a>. Importing Incidents</span>
The IncMan Suite provides the functionality to import incidents
stored in files and transported via IODEF-compliant XML documents.
The importing process is comprised of two steps: first, the file is
inspected to validate if it is well formed; second, all data are
uploaded inside the system.
<span class="grey">Inacio & Miyamoto Informational [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc8134">RFC 8134</a> MILE Implementation Report May 2017</span>
If the incident already exists in the system with the same incident
ID, the new one being imported will be created under a new ID. This
approach prevents accidentally overwriting existing information or
merging inconsistent data.
The IncMan Suite also includes a feature to upload incidents from
emails.
The incident, described in XML format, can be stored directly into
the body of the email message or transported as an attachment of the
email. At regular intervals that are customizable by the user, the
IncMan Suite monitors for incoming emails, which are filtered by a
configurable white-list and black-list mechanism on the sender's
email account. Then, a parser processes the received email and a new
incident is created automatically after having validated the email
body or the attachment to ensure the format is well formed.
<span class="h3"><a class="selflink" id="section-4.3" href="#section-4.3">4.3</a>. Surevine Proof of Concept</span>
XMPP is enhanced and extended through the XMPP Extension Protocols
(XEPs). XEP-0268 [<a href="#ref-XEP-0268" title=""XEP-0268: Incident Handling"">XEP-0268</a>] describes incident management (using
IODEF) of the XMPP network itself, effectively supporting self-
healing the XMPP network. In order to more generically cover the
incident management of a network over the same network, XEP-0268
requires some updates. We are working on these changes together with
a new XEP that supports "social networking" over XMPP, which enhances
the publish-and-subscribe XEP [<a href="#ref-XEP-0060" title=""XEP-0060: Publish-Subscribe"">XEP-0060</a>]. This now allows nodes to
publish and subscribe to any type of content and therefore receive
the content. XEP-0060 will be used to describe IODEF content. We
now have an alpha version of the server-side software and client-side
software required to demonstrate the "social networking" capability
and are currently enhancing this to support cyber incident management
in real time.
<span class="h3"><a class="selflink" id="section-4.4" href="#section-4.4">4.4</a>. MANTIS Cyber-Intelligence Management Framework</span>
Model-based Analysis of Threat Intelligence Sources (MANTIS) provides
an example implementation of a framework for managing cyber threat
intelligence expressed in standards such as STIX, Cyber Observable
Expression (CybOX), IODEF, etc. The aims of providing such an
example implementation are as follows:
o To facilitate discussions about emerging standards such as STIX,
CybOX, et al., with respect to questions regarding tooling: how
would a certain aspect be implemented, and how do changes affect
an implementation? Such discussions become much easier and have a
better basis if they can be lead in the context of example tooling
that is known to the community.
<span class="grey">Inacio & Miyamoto Informational [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc8134">RFC 8134</a> MILE Implementation Report May 2017</span>
o To lower the barrier of entry for organizations and teams
(especially CSIRT/CERT teams) in using emerging standards for
cyber-threat-intelligence management and exchange.
o To provide a platform on the basis of which research and
community-driven development in the area of cyber-threat-
intelligence management can occur.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Vendors with Planned Support</span>
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. Threat Central, HP</span>
HP has developed HP Threat Central, a security intelligence platform
that enables automated, real-time collaboration between organizations
to combat today's increasingly sophisticated cyber attacks. One way
automated sharing of threat indicators is achieved is through close
integration with the HP ArcSight Security Information and Event
Management (SIEM) for automated upload and consumption of information
from the Threat Central Server. In addition, HP Threat Central
supports open standards for sharing threat information so that
participants who do not use HP Security Products can participate in
the sharing ecosystem. It is planned that future versions will also
support IODEF for the automated upload and download of threat
information.
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. DAEDALUS, NICT</span>
DAEDALUS is a real-time alert system based on a large-scale darknet
monitoring facility that has been deployed as a part of the Network
Incident analysis Center for Tactical Emergency Response (nicter)
system of NICT, which is based in Japan. DAEDALUS consists of an
analysis center (i.e., nicter) and several cooperative organizations.
Each organization installs a darknet sensor and establishes a secure
channel between it and the analysis center, and it continuously
forwards darknet traffic toward the center. In addition, each
organization registers the IP address range of its livenet at the
center in advance. When these distributed darknet sensors observe
malware activities from the IP address of a cooperating organization,
then the analysis center sends an alert to the organization. The
future version of DAEDALUS will support IODEF for sending alert
messages to the users.
<span class="grey">Inacio & Miyamoto Informational [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc8134">RFC 8134</a> MILE Implementation Report May 2017</span>
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Other Implementations</span>
<span class="h3"><a class="selflink" id="section-6.1" href="#section-6.1">6.1</a>. Collaborative Incident Management System</span>
A Collaborative Incident Management System (CIMS) is a proof-of-
concept system for collaborative incident handling and for the
sharing of information about cyber defense situational awareness
between the participants; it was developed for the Cyber Coalition
2013 (CC13) exercise organized by the North Atlantic Treaty
Organization (NATO). CIMS was implemented based on Request Tracker
(RT), an open source software widely used for handling incident
responses by many CERTs and CSIRTs.
One of the functionalities implemented in CIMS was the ability to
import and export IODEF messages in the body of emails. The intent
was to verify the suitability of IODEF to achieve the objective of
collaborative incident handling. The customized version of RT could
be configured to send an email message containing an IODEF message
whenever an incident ticket was created, modified, or deleted. These
IODEF messages would then be imported into other incident handling
systems in order to allow participating CSIRTs to use their usual
means for incident handling while still interacting with those using
the proof-of-concept CIMS. Having an IODEF message generated for
every change made to the incident information in RT (and for the
system to allow incoming IODEF email messages to be associated to an
existing incident) would in some way allow all participating CSIRTs
to actually work on a "common incident ticket", at least at the
conceptual level. Of particular importance was the ability for users
to exchange information between each other concerning actions taken
in the handling of a particular incident, thus creating a sort of
common action log as well as requesting/tasking others to provide
information or perform a specified action and correlating received
responses to the original request or task. As well, a specific
"profile" was developed to identify a subset of the IODEF classes
that would be used during the exercise in an attempt to channel all
users into a common usage pattern of the otherwise flexible IODEF
standard.
<span class="h3"><a class="selflink" id="section-6.2" href="#section-6.2">6.2</a>. Automated Incident Reporting - AirCERT</span>
AirCERT was implemented by the CERT / Coordination Center (CC) of
Carnegie Mellon's Software Engineering Institute CERT division.
AirCERT was designed to be an Internet-scalable distributed system
for sharing security event data. The AirCERT system was designed to
be an automated collector of flow and Intrusion Detection System
(IDS) alerts. AirCERT would collect that information into a
relational database and be able to share reporting using IODEF and
the Intrusion Detection Message Exchange Format [<a href="./rfc4765" title=""The Intrusion Detection Message Exchange Format (IDMEF)"">RFC4765</a>]. AirCERT
<span class="grey">Inacio & Miyamoto Informational [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc8134">RFC 8134</a> MILE Implementation Report May 2017</span>
additionally used SNML [<a href="#ref-SNML" title=""AirCERT: The Definitive Guide"">SNML</a>] to exchange information about the
network. AirCERT was implemented in a combination of C and Perl
modules and included periodic graphing capabilities leveraging the
Round-Robin Database Tool (RRDTool).
AirCERT was intended for large-scale distributed deployment and,
eventually, the ability to sanitize data to be shared across
administrative domains. The architecture was designed to allow
collection of data on a per-site basis and to allow each site to
create data sharing based on its own particular trust relationships.
<span class="h3"><a class="selflink" id="section-6.3" href="#section-6.3">6.3</a>. US Department of Energy CyberFed</span>
The CyberFed system was implemented and deployed by Argonne National
Laboratory to automate the detection and response of attack activity
against Department of Energy (DoE) computer networks. CyberFed
automates the collection of network alerting activity from various
perimeter network defenses and logs those events into its database.
CyberFed then automatically converts that information into blocking
information transmitted to all participants. The original
implementation used IODEF messages wrapped in an XML extension to
manage a large array of indicators. The CyberFed system was not
designed to describe a particular incident as much as to describe a
set of current network-blocking indicators that can be generated and
deployed machine to machine.
CyberFed is primarily implemented in Perl. Included as part of the
CyberFed system are scripts that interact with a large number of
firewalls, IDS / Intrusion Prevention System (IPS) devices, DNS
systems, and proxies that operate to implement both the automated
collection of events as well as the automated deployment of black
listing.
Currently, CyberFed supports multiple exchange formats including
IODEF and STIX. Open Indicators of Compromise (OpenIOC) is also a
potential exchange format that the US DoE is considering.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Implementation Guide</span>
The section aims at sharing tips for development of IODEF-capable
systems.
<span class="h3"><a class="selflink" id="section-7.1" href="#section-7.1">7.1</a>. Code Generators</span>
For implementing IODEF-capable systems, it is feasible to employ code
generators for the XML Schema Definition (XSD). The generators are
used to save development costs since they automatically create useful
libraries for accessing XML attributes, composing messages, and/or
<span class="grey">Inacio & Miyamoto Informational [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc8134">RFC 8134</a> MILE Implementation Report May 2017</span>
validating XML objects. The IODEF XSD was defined in <a href="./rfc5070#section-8">Section 8 of
RFC 5070</a> [<a href="./rfc5070" title=""The Incident Object Description Exchange Format"">RFC5070</a>] and is available from the "ns" registry
<<a href="https://www.iana.org/assignments/xml-registry">https://www.iana.org/assignments/xml-registry</a>>.
However, some issues remain. Due to the complexity of the IODEF XSD,
some code generators could not generate code from the XSD file. The
tested code generators are as follows.
o XML::Pastor [XSD:Perl] (Perl)
o RXSD [XSD:Ruby] (Ruby)
o PyXB [XSD:Python] (Python)
o JAXB [XSD:Java] (Java)
o CodeSynthesis XSD [XSD:Cxx] (C++)
o Xsd.exe [XSD:CS] (C#)
For instance, we have tried to use XML::Pastor, but it could not
properly understand its schema due to the complexity of IODEF XSD.
The same applies to Ruby XSD (RXSD) and Java Architecture for XML
Binding (JAXB). Only Python XML Schema Bindings (PyXB),
CodeSynthesis XSD, and Xsd.exe were able to understand the complex
schema.
Unfortunately, there is no recommended workaround. A possible
workaround is a double conversion of the XSD file. This entails the
XSD being serialized into XML; afterwards, the resulting XML is
converted back into an XSD. The resultant XSD was successfully
processed by all the tools listed above.
It should be noted that IODEF uses '-' (hyphen) symbols in its
classes or attributes, which are listed as follows:
o IODEF-Document Class: It is the top-level class in the IODEF data
model described in <a href="./rfc5070#section-3.1">Section 3.1 of RFC 5070</a> [<a href="./rfc5070" title=""The Incident Object Description Exchange Format"">RFC5070</a>].
o The vlan-name and vlan-num Attributes: According to <a href="./rfc5070#section-3.16.2">Section 3.16.2
of RFC 5070</a> [<a href="./rfc5070" title=""The Incident Object Description Exchange Format"">RFC5070</a>], they are the name and number of Virtual LAN
and are the attributes for Address class.
o Extending the Enumerated Values of Attribute: According to
<a href="./rfc5070#section-5.1">Section 5.1 of RFC 5070</a> [<a href="./rfc5070" title=""The Incident Object Description Exchange Format"">RFC5070</a>], this is an extension technique
to add new enumerated values to an attribute, and it has a prefix
of "ext-", e.g., ext-value, ext-category, ext-type, and so on.
<span class="grey">Inacio & Miyamoto Informational [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc8134">RFC 8134</a> MILE Implementation Report May 2017</span>
According to the language specification, many programming languages
prohibit having '-' symbols in the name of class. The code
generators must replace or remove the '-' when building the
libraries. They should have the name space restore the '-' when
outputting the XML along with IODEF XSD.
<span class="h3"><a class="selflink" id="section-7.2" href="#section-7.2">7.2</a>. iodeflib</span>
iodeflib is an open source implementation written in Python. This
provides simple but powerful APIs to create, parse, and edit IODEF
documents. It was designed in order to keep its interface as simple
as possible, whereas generated libraries tend to inherit the
complexity of IODEF XSD. In addition, the iodeflib interface
includes functions to hide some unnecessarily nested structures of
the IODEF schema and add more convenient shortcuts.
This tool is available through the following link:
<<a href="http://www.decalage.info/python/iodeflib">http://www.decalage.info/python/iodeflib</a>>
<span class="h3"><a class="selflink" id="section-7.3" href="#section-7.3">7.3</a>. iodefpm</span>
IODEF.pm is an open source implementation written in Perl. This also
provides a simple interface for creating and parsing IODEF documents
in order to facilitate the translation of the key-value-based format
to the IODEF representation. The module contains a generic XML DTD
parser and includes a simplified node-based representation of the
IODEF DTD. Hence, it can easily be upgraded or extended to support
new XML nodes or other DTDs.
This tool is available through the following link:
<<a href="http://search.cpan.org/~saxjazman/">http://search.cpan.org/~saxjazman/</a>>
<span class="h3"><a class="selflink" id="section-7.4" href="#section-7.4">7.4</a>. Usability</span>
Some tips to avoid problems are noted here:
o IODEF has a category attribute for the NodeRole class. Though
various categories are described, they are not sufficient. For
example, in the case of webmail servers, should the user choose
"www" or "mail"? One suggestion is to select "mail" as the
category attribute and add "www" for another attribute.
o The numbering of incident IDs needs to be considered. Otherwise,
information, such as the number of incidents within a certain
period, could be observed by document receivers. This is easily
mitigated by randomizing the assignment of incident IDs.
<span class="grey">Inacio & Miyamoto Informational [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc8134">RFC 8134</a> MILE Implementation Report May 2017</span>
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. IANA Considerations</span>
This memo does not require any IANA actions.
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. Security Considerations</span>
This document provides a summary of implementation reports from
researchers and vendors who have implemented RFCs and drafts from the
MILE and INCH working groups. There are no security considerations
added because of the nature of the document.
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. Informative References</span>
[<a id="ref-RFC4765">RFC4765</a>] Debar, H., Curry, D., and B. Feinstein, "The Intrusion
Detection Message Exchange Format (IDMEF)", <a href="./rfc4765">RFC 4765</a>,
DOI 10.17487/RFC4765, March 2007,
<<a href="http://www.rfc-editor.org/info/rfc4765">http://www.rfc-editor.org/info/rfc4765</a>>.
[<a id="ref-RFC5070">RFC5070</a>] Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident
Object Description Exchange Format", <a href="./rfc5070">RFC 5070</a>,
DOI 10.17487/RFC5070, December 2007,
<<a href="http://www.rfc-editor.org/info/rfc5070">http://www.rfc-editor.org/info/rfc5070</a>>.
[<a id="ref-RFC5901">RFC5901</a>] Cain, P. and D. Jevans, "Extensions to the IODEF-Document
Class for Reporting Phishing", <a href="./rfc5901">RFC 5901</a>,
DOI 10.17487/RFC5901, July 2010,
<<a href="http://www.rfc-editor.org/info/rfc5901">http://www.rfc-editor.org/info/rfc5901</a>>.
[<a id="ref-RFC5941">RFC5941</a>] M'Raihi, D., Boeyen, S., Grandcolas, M., and S. Bajaj,
"Sharing Transaction Fraud Data", <a href="./rfc5941">RFC 5941</a>,
DOI 10.17487/RFC5941, August 2010,
<<a href="http://www.rfc-editor.org/info/rfc5941">http://www.rfc-editor.org/info/rfc5941</a>>.
[<a id="ref-RFC6545">RFC6545</a>] Moriarty, K., "Real-time Inter-network Defense (RID)",
<a href="./rfc6545">RFC 6545</a>, DOI 10.17487/RFC6545, April 2012,
<<a href="http://www.rfc-editor.org/info/rfc6545">http://www.rfc-editor.org/info/rfc6545</a>>.
[<a id="ref-RFC6546">RFC6546</a>] Trammell, B., "Transport of Real-time Inter-network
Defense (RID) Messages over HTTP/TLS", <a href="./rfc6546">RFC 6546</a>,
DOI 10.17487/RFC6546, April 2012,
<<a href="http://www.rfc-editor.org/info/rfc6546">http://www.rfc-editor.org/info/rfc6546</a>>.
[<a id="ref-RFC7203">RFC7203</a>] Takahashi, T., Landfield, K., and Y. Kadobayashi, "An
Incident Object Description Exchange Format (IODEF)
Extension for Structured Cybersecurity Information",
<a href="./rfc7203">RFC 7203</a>, DOI 10.17487/RFC7203, April 2014,
<<a href="http://www.rfc-editor.org/info/rfc7203">http://www.rfc-editor.org/info/rfc7203</a>>.
<span class="grey">Inacio & Miyamoto Informational [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc8134">RFC 8134</a> MILE Implementation Report May 2017</span>
[<a id="ref-RFC7970">RFC7970</a>] Danyliw, R., "The Incident Object Description Exchange
Format Version 2", <a href="./rfc7970">RFC 7970</a>, DOI 10.17487/RFC7970,
November 2016, <<a href="http://www.rfc-editor.org/info/rfc7970">http://www.rfc-editor.org/info/rfc7970</a>>.
[<a id="ref-SNML">SNML</a>] Trammell, B., Danyliw, R., Levy, S., and A. Kompanek,
"AirCERT: The Definitive Guide", 2005,
<<a href="http://aircert.sourceforge.net/docs/aircert_manual-06_2005.pdf">http://aircert.sourceforge.net/docs/</a>
<a href="http://aircert.sourceforge.net/docs/aircert_manual-06_2005.pdf">aircert_manual-06_2005.pdf</a>>.
[<a id="ref-XEP-0060">XEP-0060</a>] Millard, P., Saint-Andre, P., and R. Meijer, "XEP-0060:
Publish-Subscribe", December 2016,
<<a href="http://www.xmpp.org/extensions/xep-0060.html">http://www.xmpp.org/extensions/xep-0060.html</a>>.
[<a id="ref-XEP-0268">XEP-0268</a>] Hefczy, A., Jensen, F., Remond, M., Saint-Andre, P., and
M. Wild, "XEP-0268: Incident Handling", May 2012,
<<a href="http://xmpp.org/extensions/xep-0268.html">http://xmpp.org/extensions/xep-0268.html</a>>.
[XSD:CS] Microsoft, "XML Schema Definition Tool (Xsd.exe)",
<<a href="http://www.microsoft.com/">http://www.microsoft.com/</a>>.
[XSD:Cxx] CodeSynthesis, "XSD: XML Data Binding for C++",
<<a href="http://www.codesynthesis.com/">http://www.codesynthesis.com/</a>>.
[XSD:Java] Project Kenai, "Project JAXB", <<a href="https://jaxb.java.net/">https://jaxb.java.net/</a>>.
[XSD:Perl] Ulsoy, A., "XML-Pastor-1.0.4",
<<a href="http://search.cpan.org/~aulusoy/XML-Pastor-1.0.4/">http://search.cpan.org/~aulusoy/XML-Pastor-1.0.4/</a>>.
[XSD:Python]
Bigot, P., "PyXB 1.2.5: Python XML Schema Bindings",
<<a href="https://pypi.python.org/pypi/PyXB">https://pypi.python.org/pypi/PyXB</a>>.
[XSD:Ruby] Morsi, M., "XSD / Ruby Translator",
<<a href="https://github.com/movitto/RXSD">https://github.com/movitto/RXSD</a>>.
<span class="grey">Inacio & Miyamoto Informational [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc8134">RFC 8134</a> MILE Implementation Report May 2017</span>
Acknowledgements
The MILE implementation report has been compiled through the
submissions of implementers of INCH and MILE working group standards.
A special note of thanks to the following contributors:
John Atherton, Surevine
Humphrey Browning, Deep-Secure
Dario Forte, DFLabs
Tomas Sander, HP
Ulrich Seldeslachts, ACDC
Takeshi Takahashi, National Institute of Information and
Communications Technology Network Security Research Institute
Kathleen Moriarty, EMC
Bernd Grobauer, Siemens
Dandurand Luc, NATO
Pawel Pawlinski, NASK
Authors' Addresses
Chris Inacio
Carnegie Mellon University
4500 5th Ave., SEI 4108
Pittsburgh, PA 15213
United States of America
Email: inacio@andrew.cmu.edu
Daisuke Miyamoto
The University of Tokyo
2-11-16 Yayoi, Bunkyo
Tokyo 113-8658
Japan
Email: daisu-mi@nc.u-tokyo.ac.jp
Inacio & Miyamoto Informational [Page 16]
</pre>
|
