INCH Requirements. IETF Interim meeting, Uppsala, Feb. 2003
Background
- Review of RFC 3067
- IDWG requirements
- CERT processes based on a standard format

CSIRT Incident Report Database: Operational Model (diagram: CSIRT, Incident Report Database, Other CSIRTs)

CSIRT Incident Report Database: Operational Model 2 (diagram: CSIRT, Incident Report Database, Alerts, Reports, Statistics, Other CSIRTs)
Intent of the IR Data Model
- Enable categorization and statistical analysis
- Ensure integrity, authenticity and privacy
- Enable controlled exchange and sharing

Requirements (general): Format, Communication, Contents, Process
IR Format Requirements. The format MUST:
- Support internationalization and localization
- Have a standard structure
- Record the development of the incident over time
- Support unambiguous and reducible time references (a timestamp carries its time zone and can be reduced to a common reference such as UTC)
- Support access control (who will have access to what) for the different components and users
- Have a globally unique identification for the IR
- Be extensible
- Have well-defined semantics for its components
IR Communication Requirements: the exchange mechanism must have no effect on the integrity and authenticity of the report
IR Content Requirements
- Globally unique identifier (LDAP-type name)
- Objective wherever possible: enumerated classification scheme; units for quantities
- Originator, owner, contacts, history, references to advisories
- Description of the incident
- Additional references/pointers
- Impact
- Actions taken
- Indication of "original" vs. "translated copies" (with guidelines for a uniform description)
- Authenticity and integrity verification information
- Multiple versions (in different languages)
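To make the format and content requirements above concrete, here is an added example (written for this page, not code from the INCH working group or its draft) of a minimal report record that enforces them: CSIRT-scoped unique identifiers, timezone-bearing timestamps reduced to UTC, an enumerated classification, quantities with units, the original/translated-copy distinction, and an HMAC tag for integrity and authenticity verification. The field names, the Classification values and the validation rules are assumptions chosen to mirror the slide bullets, and the sample report is constructed data.

```python
"""Illustrative incident-report record enforcing the INCH format/content
requirements.  Example code for this page; field names are assumptions,
not the working group's schema."""
import hashlib
import hmac
import json
import uuid
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from enum import Enum


class Classification(Enum):
    """Enumerated classification scheme ("objective wherever possible")."""
    DOS = "denial-of-service"
    INTRUSION = "intrusion"
    MALWARE = "malware"
    SCAN = "scan"


def new_report_id(csirt: str) -> str:
    """Globally unique, LDAP-style name: a UUID scoped to the issuing CSIRT."""
    return f"id={uuid.uuid4()},o={csirt}"


def canonical_time(ts: datetime) -> str:
    """Unambiguous time: reject naive datetimes, reduce to UTC ISO 8601."""
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError("timestamp must carry a timezone offset")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


@dataclass
class IncidentReport:
    report_id: str
    classification: Classification
    originator: str                # who wrote the report
    owner: str                     # CSIRT responsible for it
    contacts: list
    description: str
    language: str = "en"
    original: bool = True          # False for a translated copy
    translation_of: str = ""       # report_id of the original, if translated
    history: list = field(default_factory=list)   # (time, actor, action)
    impact: dict = field(default_factory=dict)    # quantity -> (value, unit)
    actions_taken: list = field(default_factory=list)
    references: list = field(default_factory=list)  # advisories, pointers
    access: list = field(default_factory=list)      # parties allowed to read

    def record(self, when: datetime, actor: str, action: str) -> None:
        """Append a history entry using the canonical time form."""
        self.history.append((canonical_time(when), actor, action))

    def canonical_bytes(self) -> bytes:
        """Deterministic serialisation so integrity tags are reproducible."""
        d = asdict(self)
        d["classification"] = self.classification.value
        return json.dumps(d, sort_keys=True, separators=(",", ":")).encode()

    def integrity_tag(self, key: bytes) -> str:
        """HMAC-SHA256 over the canonical form: integrity + authenticity."""
        return hmac.new(key, self.canonical_bytes(), hashlib.sha256).hexdigest()

    def verify(self, key: bytes, tag: str) -> bool:
        return hmac.compare_digest(self.integrity_tag(key), tag)


def validate(r: IncidentReport) -> list:
    """Return the content-requirement violations found in a report."""
    problems = []
    if not r.report_id.startswith("id=") or ",o=" not in r.report_id:
        problems.append("report_id is not a CSIRT-scoped unique name")
    if not isinstance(r.classification, Classification):
        problems.append("classification is not from the enumerated scheme")
    if not (r.originator and r.owner and r.contacts):
        problems.append("originator, owner and contacts are all required")
    for name, val in r.impact.items():
        if not (isinstance(val, tuple) and len(val) == 2 and val[1]):
            problems.append(f"impact '{name}' has no unit")
    if r.original and r.translation_of:
        problems.append("a report cannot be both original and a translation")
    if not r.original and not r.translation_of:
        problems.append("translated copy must reference its original")
    for when, _, _ in r.history:
        if not when.endswith("Z"):
            problems.append(f"history time {when!r} is not canonical UTC")
    return problems


def build_example() -> IncidentReport:
    """Constructed sample report (not real incident data)."""
    r = IncidentReport(
        report_id=new_report_id("cert.example.net"),
        classification=Classification.SCAN,
        originator="analyst@cert.example.net",
        owner="CERT-EXAMPLE",
        contacts=["abuse@example.net"],
        description="Port scan of 192.0.2.0/24 from 198.51.100.7",
        impact={"hosts_scanned": (254, "hosts")},
        actions_taken=["source blocked at border router"],
        references=["urn:example:advisory:placeholder"],
        access=["CERT-EXAMPLE", "CSIRT-PARTNER"],
    )
    r.record(datetime(2003, 2, 10, 9, 30, tzinfo=timezone.utc), "analyst", "opened")
    return r
```

The HMAC key stands in for whatever shared secret or signature scheme the CSIRTs agree on; the point is that the tag is computed over a canonical serialisation, so a recipient can verify that nothing in the report (including its history) changed in transit, and that a translated copy must point back to the original it was derived from.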
ISSUES (1): We need a name
- IRF: Incident Report Format
- IREF: Incident Report Exchange Format
- FIRE: Format for Incident Report Exchange
- FIR: Format for Incident Report
ISSUES (2): We need some definitions
- Incident
- Reporter
- Owner
- Contact
- Recorder
- Investigator

ISSUES (3): We need some more definitions
- Attack
- Attacker (person, organization, ...)
- Attack Target (machine, network, ...)
- Attack Source (machine, network, ...)
- Contact (person, organization)
- Investigator
- Victim (person, organization, ...)
- Impact
- Damage
ISSUES (4): We need an operational model
- A detailed one is in the draft
- A simpler one is in these slides
To be done
- Edit and revise
- Explain the rationale in some places