CYBEX - The Cybersecurity Information Exchange Framework 2.1 CYBEX - The Cybersecurity Information Exchange Framework Tony Rutkowski, tony@yaanatech.com Rapporteur, ITU-T Cybersecurity Rapporteur Group EVP, Yaana Technologies Senior Fellow, Georgia Tech, Sam Nunn School, Center for International Strategy, Technology, and Policy (CISTP)
What is the Cybersecurity Information Exchange Framework (CYBEX) ? A global initiative to identify a set of platform specifications to facilitate the trusted exchange of information among responsible parties worldwide supporting cybersecurity for Infrastructure protection Incident analysis and response Law enforcement and judicial forensics Enhance the availability, interoperability, and usefulness of these platforms Extensible use of best-of-breed open cyber security information exchange platforms Facilitated by the Cybersecurity Rapporteur Group of ITU-T (Q.4/17) ITU-T Recommendations during 2010-2011, with continuing evolution to current user community versions and needs
What is cybersecurity? = information exchange for analysis Contractual service agreements and federations Intergovernmental agreements and cooperation Encryption/ VPNs esp. for signalling 1. Measures for protection Tort & indemnification 4. Legal Remedies Legal remedies may also institute protective measures Real-time data availability Data retention and auditing Identity Management Network/ application state & integrity Resilient infrastructure Routing & resource constraints Regulatory/ administrative law Criminal law 2. Measures for threat detection Forensics & heuristics analysis Provide data for analysis Provide basis for actions Deny resources Investigation & measure initiation Reputation sanctions Blacklists & whitelists Patch development Vulnerability notices Provide awareness of vulnerabilities and remedies 3. Measures for thwarting and other remedies = information exchange for analysis = information exchange for actions
The CYBEX Initiative: basic model for information exchange CYBEX Focus Structure information Identify & discover cyber security information and organizations requesting & responding with cybersecurity information Trusted exchange of cyber security information Cybersecurity Information acquisition (out of scope) Cybersecurity Organization Cybersecurity Information use (out of scope) Cybersecurity Organization
Structured Information Vulnerability/State Exchange Cluster Event/Incident/Heuristics Exchange Cluster CWE Common Weakness Enumeration CCE Common Configuration Enumeration ARF Assessment Results Format CVE Common Vulnerabilities and Exposures CVSS Common Vulnerability Scoring System SCAP SP800-126 Security Content Automation Protocol CWSS Common Weakness Scoring System XCCDF eXtensible Configuration Checklist Description Format OVAL Open Vulnerability and Assessment Language CPE Common Platform Enumeration CEE Common Event Expression Specific Events X.gridf SmartGrid Incident Exchange Format MAEC Malware Attribution Enumeration and Characterization Black/Whitelist Exchange Format PFOC Phishing, Fraud, and Other Non-Network Layer Reports CAPEC Common Attack Pattern Enumeration and Classification IODEF RFC5070 Incident Object Description Exchange Format Exchange Terms and Conditions LEA/Evidence Exchange Cluster = imported = new = referenced TS102232 Handover Interface and Service-Specific Details (SSD) for IP delivery TS102657 Handover interface for the request and delivery of retained data RFC3924 Architecture for Lawful Intercept in IP Networks TS23.271 Handover for Location Services X.dexf Digital Evidence Exchange File Format ERDM Electronic Discovery Reference Model X.cybex-tc Cyber information terms and condition exchange format
Discovery and Trusted Exchange Discovery Cluster = imported = new = referenced X.cybex.1 An OID arc for cybersecurity information exchange X. cybex-disc OID-based discovery mechanisms in the exchange of cybersecurity information X. cybex.2 XML namespace in the Exchange of Cybersecurity Information X. chirp Cybersecurity Heuristics and Information Request Protocol Identity Trust Cluster Exchange Cluster X.cybex-beep BEEP Profile for Cybersecurity Information Exchange Framework X.cybex-tp Transport protocols supporting cybersecurity information exchange LEA/Evidence Exchange TS102232-1 Handover Interface and Service-Specific Details (SSD) for IP delivery X.evcert Extended Validation Certificate TS102042 V.2.0 Policy requirements for certification authorities issuing public key certificates X.eaa Entity authentication assurance
A Cybersecurity Namespace Trusted global cybersecurity information exchange requires identifiers for The parties and other objects involved in the exchanges The information exchanged The terms and conditions associated with the exchanged information A global cyber security namespace is part of CYBEX and described in draft Rec. ITU-T X.cybex.1 The OID namespace 2.48 has been reserved for this purpose by joint ISO|IEC JTC1 SC6 and ITU SG17 action OID namespaces Are hierarchical and enable autonomous distributed management Were developed for and have been used for these kinds of purposes for the past 30 years Can also be used to meet new ETSI TC LI Dynamic Triggering requirement for a global identifier for warrants and related needs
A Global Cybersecurity Namespace 4 ISO ITU-T|ITU-R 1 2 3 Joint ITU-T & ISO [jointly allocated by ITU-T SG17 and ISO|IEC JTC1 SC6] [Allocated by ITU-T SG17] [Allocated by ISO|IEC JTC1 SC6] 48 = cybersecurity . . . 48 Architecture TBD USA 840 4 Afghanistan 756 Suisse 250 . . . France Every country has a numeric identifier automatically reserved in the OID 2.48 cybersecurity namespace nnn FIRST . . . Non-country organizations can also be allocated identifiers 1 [each country , organization, subdivision allocates namespaces and levels as desired]
Use of the OID cybersecurity namespace: an example Ensures coherent ability to know who is involved, specific identification of the information, and expected treatment policies 2.48.1.756.3 [hypothetical Swiss agency] Cybersecurity Organization 2.48.1.250.2 [hypothetical French agency] Cybersecurity Organization Incident 2.48.1.756.3.1.[local identifier] Terms & conditions 2.48.1.756.3.2.[local identifier] Local agency and community identifiers can continue to be used The namespace identifiers need not be publicly exposed – only unique and consistent within the namespace
The cybersecurity problems are about to get much worse Cloud Services and SmartGrids create potential significant new cybersecurity threats with far reaching consequences Public services are being pushed into the marketplace with No regulation No standards Availability of massive network data center resources With little understanding of the cybersecurity dimensions, much less effective solutions No international agreements
Will history repeat itself? Similar kinds of cyber security challenges were faced a hundred years ago Fast-paced new network technology emerged Networks became global in scope Harmful incidents were rapidly scaling Governments did not intervene to avoid harm to innovation Sinking of the Titanic in 1912 finally motivated global action Every new network technology has faced similar challenges The 1980s OSI Internet had public infrastructure security solutions, but lacked innovation The 1990s TCP/IP academic Internet had no public infrastructure security solutions, but was great for innovation Criminals , hackers, terrorists, miscreants are also innovative and have many incentives CYBEX assembles open, extensible, technology-neutral capabilities essential for public network infrastructure/service cybersecurity in different forms over the past hundred years
It usually takes a major disaster SS Cyber Infrastructure How many cyber icebergs do you need before substantial global action occurs?