Internet DRAFT - draft-pkampana-iodef-guidance
draft-pkampana-iodef-guidance
MILE Working Group P. Kampanakis
Internet-Draft Cisco Systems
Intended status: Informational October 18, 2013
Expires: April 21, 2014
IODEF Usage Guidance
draft-pkampana-iodef-guidance-00
Abstract
The Incident Object Description Exchange Format [RFC5070] defines a
data representation that provides a framework for sharing information
commonly exchanged by Computer Security Incident Response Teams
(CSIRTs) about computer security incidents. Since the IODEF model
includes a wealth of available options that can be used to describe a
security incident or issue, it can be challenging for implementers to
develop tools that can Leverage IODEF for incident sharing. This
document provides guidelines for IODEF implementers. It will also
address how common security indicators can be represented in IODEF.
The goal of this document is to make IODEF's adoption by vendors
easier and encourage faster and wider adoption of the model by
Computer Security Incident Response Teams (CSIRTs) around the world.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 21, 2014.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
Kampanakis Expires April 21, 2014 [Page 1]
Internet-Draft IODEF Usage Guidance October 2013
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Implementation Strategy . . . . . . . . . . . . . . . . . . . 3
3.1. Recommended classes to implement . . . . . . . . . . . . . 4
3.2. Decide what IODEF will be used for . . . . . . . . . . . . 4
4. IODEF considerations and how to address them . . . . . . . . . 4
4.1. Unnecessary Fields . . . . . . . . . . . . . . . . . . . . 4
4.2. External References . . . . . . . . . . . . . . . . . . . 4
4.3. Extensions . . . . . . . . . . . . . . . . . . . . . . . . 5
4.4. Logic for watchlist of indications . . . . . . . . . . . . 5
4.5. Externally defined Indicators . . . . . . . . . . . . . . 6
4.6. Restrictions in IODEF . . . . . . . . . . . . . . . . . . 6
5. Current uses of IODEF . . . . . . . . . . . . . . . . . . . . 6
5.1. Anti-Phishing Working Group . . . . . . . . . . . . . . . 6
5.2. Inter-vendor and Service Provider Exercise . . . . . . . . 7
5.3. Collective Intelligence Framework . . . . . . . . . . . . 7
5.4. Other . . . . . . . . . . . . . . . . . . . . . . . . . . 8
6. Security Considerations . . . . . . . . . . . . . . . . . . . 8
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8
8. Security Considerations . . . . . . . . . . . . . . . . . . . 8
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
9.1. Normative References . . . . . . . . . . . . . . . . . . . 8
9.2. Informative References . . . . . . . . . . . . . . . . . . 8
Appendix A. Inter-vendor and Service Provider Exercise
Examples . . . . . . . . . . . . . . . . . . . . . . 9
A.1. DDoS . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
A.2. Malware . . . . . . . . . . . . . . . . . . . . . . . . . 11
A.3. Spear-Phishing . . . . . . . . . . . . . . . . . . . . . . 16
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 19
Kampanakis Expires April 21, 2014 [Page 2]
Internet-Draft IODEF Usage Guidance October 2013
1. Introduction
The Incident Object Description Exchange Format in [RFC5070] defines
a data representation that provides a framework for sharing
information commonly exchanged by Computer Security Incident Response
Teams (CSIRTs) about computer security incidents. The IODEF data
model consists of multiple classes and data types that are used in
the IODEF XML schema.
The IODEF schema was designed to be able to describe all the possible
fields that would be needed in a security incident exchange. Thus,
IODEF contains plenty data constructs that could potentially make it
harder for IODEF implementers to decide which are the most important
ones. Additionally, in the IODEF schema, there exist multiple fields
and classes which do not necessarily need to be used in every
possible data exchange. Moreover, there are fields that are useful
only in data exchanges of non-traditional security events. This
document tries to address the issues above. It will also address how
common security indicators can be represented in IODEF. It will
point out the most important IODEF classes for an implementer and
describe other ones that are not as important. Also, it addresses
some common challenges for IODEF implementers and how they should be
addressed. The end goal of this document is to make IODEF's adoption
by vendors easier and encourage faster and wider adoption of the
model by Computer Security Incident Response Teams (CSIRTs) around
the world.
Section 3 discusses the recommended classes and how an IODEF
implementer should chose the classes to implement. Section 4
presents common considerations and implementer will come across and
how to address them. Section 5 goes over some basic security
concepts and how they can be expressed in IODEF.
2. Terminology
The terminology used in this document follows the one defined in RFC
5070 [RFC5070] and I-D.draft-ietf-mile-sci [I-D.ietf-mile-sci].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
3. Implementation Strategy
It is important for IODEF implementers to be able to distinguish how
the IODEF classes will be used for incident information exchanges.
Kampanakis Expires April 21, 2014 [Page 3]
Internet-Draft IODEF Usage Guidance October 2013
It is critical for an implementer to follow a strategy according to
which he will chose to implement various IODEF classes. It is also
important to know what the most common classes that will be used to
describe common security incident or indicators. Thus, this section
will describe the most important classes and factors an IODEF
implementer should take into consideration before designing the
implementation or tool.
3.1. Recommended classes to implement
This section explains the mandatory to implement IODEF classes that
are required more than once and also are useful.
[...More to be added...]
3.2. Decide what IODEF will be used for
This section describes that there is no need to implement all fields
of IODEF, the ones that are necessary for your use-cases. The
implementer should look into the schema and decide classes to
implement (or not) Also it explains that other external schemata
might be needed to describe incidents or indicators, based on SCI
draft extensions.
[...More to be added...]
4. IODEF considerations and how to address them
4.1. Unnecessary Fields
This section talks about fields that do not always play in important
role like Assessment, Impact
[...More to be added...]
4.2. External References
draft draft-montville-mile-enum-reference-format "This format allows
the <Version> to be associated with the id rather than the id_type.
By requiring that a specific type and version be associated with the
identifier, an implementer can look up the type in an IANA table to
understand exactly what the identifier in ReferenceName is and how
s/he may expect that identifier to be structured."
[...More to be added...]
Kampanakis Expires April 21, 2014 [Page 4]
Internet-Draft IODEF Usage Guidance October 2013
4.3. Extensions
This section explains how to describe things IODEF can't describe
([I-D.ietf-mile-sci] draft), or extensions not yet known, or
implemented, when do you use another xml schema encapsulated in iodef
[...More to be added...]
4.4. Logic for watchlist of indications
Multiple indicators occasionally need to be combined in an IODEF
document. For example, a botnet might have multiple command and
control servers. A consistent predicate logic should be followed in
order to present such relationships in IODEF.
In [RFC5070], predicate logic only consisted of logical AND. For
example, if an Flow Class contained two System classes with "source"
and "destination" as category attributes, it was assumed that both
Systems should be present in order for the Flow to be true and thus
marked as an indicator.
[I-D.ietf-mile-rfc5070-bis] defines two new category attributes in
the System Class that can enhance the IODEF predicate logic
functionality. These are watchlist-source and watchlist-destination
and they serve for watchlist indicator groupings. When a Flow Class
that consists of multiple Systems with watchlist-source and
watchlist-destination attributes (watchlist of Systems) the System
information should be ORed for the Flow Class described. In other
words, either System description should be considered as a watchlist
indicator. The content in the EventData Class the Node belongs to
should be combined with the watchlist of Systems using AND logic.
Different Flow classes that consist of different System classes (with
watchlist-source or destination as attributes) follow AND logic in
their parent EventData Class.
IODEF's grouping predicate logic follows the above pattern
consistently. [I-D.ietf-mile-rfc5070-bis] defined the
HashInformation Class that describes a file hash information as also
described in [RFC5901]. The HashInformation Class is of
HashSigDetails type which consists of elements that describe the file
hash details. Some of the attributes of the HashSigDetails are
introduced to describe watchlist groupings (i.e.
PKI_email_ds_watchlist, PGP_email_ds_watchlist, file_hash_watchlist,
email_hash_watchlist). If any of these attributes are used in two or
more HashInformation Classes of a Record then HashInformation content
is ORed for the Record. For example, if two HashInformation types
are set to file_hash_watchlist, the list of hash details provided are
just alternate representations for the same hash (SHA256. SHA1 etc).
Kampanakis Expires April 21, 2014 [Page 5]
Internet-Draft IODEF Usage Guidance October 2013
Similarly, if multiple HashInformation classes, with "watchlist" in
their category attribute, are in a Record using Reference elements or
others, they should all be treated as different representations of
the same file hash, assuming the FileName element is not used in the
HashInformation.
In some cases the predicate logic in IODEF can slightly change.
[I-D.ietf-mile-rfc5070-bis] introduces the WindowsRegistryKeyModified
Class which is of type RegistryKeyModified. RegistryKeyModified has
an optional type attribute which has watchlist as an option in order
to include the ability to group WindowsRegistryKeyModified. In order
to group multiple WindowsRegistryKeyModified of the same watchlist of
indicators multiple WindowsRegistryKeysModified should be used in the
same RecordData or EventData Class. If the RegistryKeyModified
Classes are not under the same RecordData or EventData Class they
should be treated as different indicator Keys modified.
4.5. Externally defined Indicators
set-uid,uid and its use with SCI draft [I-D.ietf-mile-sci]
[...More to be added...]
4.6. Restrictions in IODEF
This section describes how Restriction can pose challenges
[...More to be added...]
5. Current uses of IODEF
IODEF is currently used by various organizations in order to
represent security incidents and share incident and threat
information between security operations organizations.
5.1. Anti-Phishing Working Group
The Anti-Phishing Working Group ([APWG]) is using [RFC5070] to
represent email phishing information. [APWG] also uses IODEF to
aggregate and share Bot and Infected System Alerting and Notification
System (BISANS) and Cyber Bullying IODEF records. Special IODEF
extensions are used in order to mark the sensitivity of the exchanged
information. Shared infected system or email phishing records can
then be used by interested parties in order to provide mitigations.
[APWG] leverages tools of its eCRISP-X toolkit in order to share and
report e-Crime IODEF records.
Kampanakis Expires April 21, 2014 [Page 6]
Internet-Draft IODEF Usage Guidance October 2013
5.2. Inter-vendor and Service Provider Exercise
Various vendors organized and executed an exercise where multiple
threat indicators were exchanged using IODEF. The transport protocol
used was RID. The threat information shared included incidents like
DDoS attacks. Malware and Spear-Phishing. As this was a proof-of-
concept (PoC) exercise only example information (no real threats)
were shared as part of the exchanges.
____________ ____________
| Vendor X | | Vendor Y |
| RID Agent |_______-------------________| RID Agent |
|___________| | Internet | |___________|
-------------
---- RID Report message --->
-- carrying IODEF example ->
--------- over TLS -------->
<----- RID Ack message -----
<--- in case of failure ----
PoC peering topology
The figure above shows how RID interactions took place during the
PoC. Participating organizations were running RID Agent software on-
premises. The RID Agents formed peering relationships with other
participating organizations. When Entity X had a new incident to
exchange it would package it in IODEF and send it to Entity Y over
TLS in a RID Report message. In case there was an issue with the
message, Entity Y would send an RID Acknowledgement message back to
Entity X which included an application level message to describe the
issue. Interoperability between RID agents and the standards,
[RFC6545] and [RFC6546], was also proven in this exercise.
Appendix A includes some of the incident IODEF example information
that was exchanged by the organizations' RID Agents as part of this
proof-of-concept.
5.3. Collective Intelligence Framework
The Collective Intelligence Framework [CIF] is a cyber threat
intelligence management system that uses IODEF to combine known
malicious threat information from multiple sources and use that it to
identify, detect and mitigate. The threat intelligence can be IP
addresses, domains and URLs that are involved in malicious activity.
IODEF records can be consumed by a CIF standalone client or CIF
browser plugins that a user can use to make informed decisions about
Kampanakis Expires April 21, 2014 [Page 7]
Internet-Draft IODEF Usage Guidance October 2013
threat information.
5.4. Other
IODEF is also used in various projects and products to consume and
share security information. Various vendor incident reporting
products have the ability to consume and export in IODEF format.
Perl and Java modules exist in order to parse IODEF documents and
their extensions. Additionally, some worldwide CERT organizations
are already able to use receive incident information in IODEF.
6. Security Considerations
7. Acknowledgements
8. Security Considerations
9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident
Object Description Exchange Format", RFC 5070,
December 2007.
[RFC5901] Cain, P. and D. Jevans, "Extensions to the IODEF-Document
Class for Reporting Phishing", RFC 5901, July 2010.
[RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)",
RFC 6545, April 2012.
[RFC6546] Trammell, B., "Transport of Real-time Inter-network
Defense (RID) Messages over HTTP/TLS", RFC 6546,
April 2012.
9.2. Informative References
[APWG] "APWG", <http://apwg.org/>.
[CIF] "CIF", <https://code.google.com/p/
collective-intelligence-framework/wiki/WhatisCIF>.
Kampanakis Expires April 21, 2014 [Page 8]
Internet-Draft IODEF Usage Guidance October 2013
[I-D.ietf-mile-rfc5070-bis]
Danyliw, R. and P. Stoecker, "The Incident Object
Description Exchange Format",
draft-ietf-mile-rfc5070-bis-00 (work in progress),
May 2013.
[I-D.ietf-mile-sci]
Takahashi, T., Landfield, K., Millar, T., and Y.
Kadobayashi, "IODEF-extension for structured cybersecurity
information", draft-ietf-mile-sci-08 (work in progress),
July 2013.
Appendix A. Inter-vendor and Service Provider Exercise Examples
Below some of the incident IODEF example information that was
exchanged by the vendors as part of this proof-of-concept Inter-
vendor and Service Provider Exercise.
A.1. DDoS
<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="1.00" lang="en"
xmlns="urn:ietf:params:xml:ns:iodef-1.41"
xmlns:iodef="urn:ietf:params:xml:ns:iodef-1.41"
xmlns:iodef-sci="urn:ietf:params:xml:ns:iodef-sci-1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<iodef:Incident purpose="reporting" restriction="default">
<iodef:IncidentID name="csirt.example.com">
189701
</iodef:IncidentID>
<iodef:StartTime>2013-02-05T00:34:45+00:00</iodef:StartTime>
<iodef:DetectTime>2013-02-05T01:15:45+00:00</iodef:DetectTime>
<iodef:ReportTime>2013-02-05T01:34:45+00:00</iodef:ReportTime>
<iodef:description>DDoS Traffic Seen</iodef:description>
<iodef:Assessment occurrence="actual">
<iodef:Impact severity="medium" type="dos">
DDoS Traffic</iodef:Impact>
<iodef:Confidence rating="numeric">90
</iodef:Confidence>
</iodef:Assessment>
<iodef:Contact role="creator" type="organization">
<iodef:ContactName>Dummy Test</iodef:ContactName>
<iodef:Email>contact@dummytest.com</iodef:Email>
</iodef:Contact>
<iodef:EventData>
Kampanakis Expires April 21, 2014 [Page 9]
Internet-Draft IODEF Usage Guidance October 2013
<iodef:Description>
Dummy Test sharing with ISP1
</iodef:Description>
<iodef:Expectation action="other"/>
<iodef:Method>
<iodef:Reference>
<iodef:ReferenceName>
Low Orbit Ion Cannon User Agent
</iodef:ReferenceName>
<iodef:URL>
http://blog.spiderlabs.com/2011/01/loic-ddos-
analysis-and-detection.html
</iodef:URL>
<iodef:URL>
http://en.wikipedia.org/wiki/Low_Orbit_Ion_Cannon
</iodef:URL>
</iodef:Reference>
</iodef:Method>
<iodef:Flow>
<iodef:System category="watchlist-source" spoofed="no">
<iodef:Node>
<iodef:Address category="ipv4-addr">
10.10.10.104</iodef:Address>
</iodef:Node>
<iodef:Node>
<iodef:Address category="ipv4-addr">
10.10.10.106</iodef:Address>
</iodef:Node>
<iodef:Node>
<iodef:Address category="ipv4-net">
1172.16.66.0/24</iodef:Address>
</iodef:Node>
<iodef:Node>
<iodef:Address category="ipv6-addr">
2001:db8:dead:beef::</iodef:Address>
</iodef:Node>
<iodef:Service ip_protocol="6">
<iodef:Port>1337</iodef:Port>
<iodef:Application user-agent="Mozilla/5.0 (Macintosh; U;
Intel Mac OS X 10.5; en-US; rv:1.9.2.12) Gecko/
20101026 Firefox/3.6.12">
</iodef:Application>
</iodef:Service>
</iodef:System>
<iodef:System category="target">
<iodef:Node>
<iodef:Address category="ipv4-addr">
10.1.1.1</iodef:Address>
Kampanakis Expires April 21, 2014 [Page 10]
Internet-Draft IODEF Usage Guidance October 2013
</iodef:Node>
<iodef:Service ip_protocol="6">
<iodef:Port>80</iodef:Port>
</iodef:Service>
</iodef:System>
<iodef:System category="sensor"><iodef:Description>
Information provided in FLow class instance is from
Inspection of traffic from network tap
</iodef:Description></iodef:System>
</iodef:Flow>
</iodef:EventData>
</iodef:Incident>
</IODEF-Document>
A.2. Malware
<?xml version="1.0" encoding="UTF-8"?>
<iodef:IODEF-Document xmlns:ds="
http://www.w3.org/2000/09/xmldsig#"
xmlns:iodef="urn:ietf:params:xml:ns:iodef-1.41">
<iodef:Incident purpose="reporting">
<iodef:ReportID name="EXAMPLE CIRT">
189234
</iodef:ReportID>
<iodef:ReportTime>
2013-03-07T16:14:56.757+05:30
</iodef:ReportTime>
<iodef:Description>
Malware and related indicators identified
</iodef:Description>
<iodef:Assessment occurrence="potential">
<iodef:Impact severity="medium" type="info-leak">
Malware with Command and Control Server
and System Changes
</iodef:Impact>
</iodef:Assessment>
<iodef:Contact role="creator" type="organization">
<iodef:ContactName>EXAMPLE CIRT</iodef:ContactName>
<iodef:Email>emccirt@emc.com</iodef:Email>
</iodef:Contact>
<iodef:EventData>
<iodef:Method>
<iodef:Reference>
<iodef:ReferenceName>Zeus</iodef:ReferenceName>
<iodef:URL>
http://www.threatexpert.com/report.aspx?
md5=e2710ceb088dacdcb03678db250742b7
Kampanakis Expires April 21, 2014 [Page 11]
Internet-Draft IODEF Usage Guidance October 2013
</iodef:URL>
</iodef:Reference>
</iodef:Method>
<iodef:Flow>
<iodef:System category="watchlist-source">
<iodef:Node>
<iodef:Address category="ipv4-addr">
192.168.2.200
</iodef:Address>
<iodef:Address category="site-uri">
http://zeus.556677889900.com/log-bin/
lunch_install.php?aff_id=1&amp;
lunch_id=1&amp;maddr=&amp;
action=install
</iodef:Address>
<iodef:NodeRole attacktype="c2-server"/>
</iodef:Node>
</iodef:System>
</iodef:Flow>
<iodef:Record>
<iodef:RecordData>
<iodef:HashInformation>
<ds:Reference>
<ds:DigestMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#sha1"/>
<ds:DigestValue>
MHg2NzUxQTI1MzQ4M0E2N0Q4NkUwRjg0NzYwRj
YxRjEwQkJDQzJFREZG</ds:DigestValue>
</ds:Reference>
</iodef:HashInformation>
<iodef:HashInformation>
<ds:Reference>
<ds:DigestMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#md5"/>
<ds:DigestValue>
MHgyRTg4ODA5ODBENjI0NDdFOTc5MEFGQTg5NTE
zRjBBNA==
</ds:DigestValue>
</ds:Reference>
</iodef:HashInformation>
<iodef:WindowsRegistryKeysModified>
<iodef:Key registryaction="add_value">
<iodef:KeyName>
HKLM\Software\Microsoft\Windows\
CurrentVersion\Run\tamg
</iodef:KeyName>
<iodef:Value>
?\?\?%System%\wins\mc.exe\?\??
Kampanakis Expires April 21, 2014 [Page 12]
Internet-Draft IODEF Usage Guidance October 2013
</iodef:Value>
</iodef:Key>
<iodef:Key registryaction="modify_value">
<iodef:KeyName>HKLM\Software\Microsoft\
Windows\CurrentVersion\Run\dqo
</iodef:KeyName>
<iodef:Value>"\"\"%Windir%\Resources\
Themes\Luna\km.exe\?\?"
</iodef:Value>
</iodef:Key>
</iodef:WindowsRegistryKeysModified>
</iodef:RecordData>
</iodef:Record>
</iodef:EventData>
<iodef:EventData>
<iodef:Method>
<iodef:Reference>
<iodef:ReferenceName>Cridex</iodef:ReferenceName>
<iodef:URL>
http://www.threatexpert.com/report.aspx?
md5=c3c528c939f9b176c883ae0ce5df0001
</iodef:URL>
</iodef:Reference>
</iodef:Method>
<iodef:Flow>
<iodef:System category="watchlist-source">
<iodef:Node>
<iodef:Address category="ipv4-addr">
10.10.199.100
</iodef:Address>
<iodef:NodeRole attacktype="c2-server"/>
</iodef:Node>
<iodef:Service ip_protocol="6">
<iodef:Port>8080</iodef:Port>
</iodef:Service>
</iodef:System>
</iodef:Flow>
<iodef:Record>
<iodef:RecordData>
<iodef:HashInformation>
<ds:Reference>
<ds:DigestMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#sha1"/>
<ds:DigestValue>
MHg3MjYzRkUwRDNBMDk1RDU5QzhFMEM4OTVBOUM
1ODVFMzQzRTcxNDFD
</ds:DigestValue>
</ds:Reference>
Kampanakis Expires April 21, 2014 [Page 13]
Internet-Draft IODEF Usage Guidance October 2013
<ds:Reference>
<ds:DigestMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#md5"/>
<ds:DigestValue>MHg0M0NEODUwRkNEQURFNDMzMEE1
QkVBNkYxNkVFOTcxQw==</ds:DigestValue>
</ds:Reference>
</iodef:HashInformation>
<iodef:HashInformation>
<ds:Reference>
<ds:DigestMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#md5"/>
<ds:DigestValue>MHg0M0NEODUwRkNEQURFNDMzMEE
1QkVBNkYxNkVFOTcxQw==</ds:DigestValue>
</ds:Reference>
<ds:Reference>
<ds:DigestMethod Algorithm="http://www.w3.org/
2001/04/xmlenc#sha1"/>
<ds:DigestValue>MHg3MjYzRkUwRDNBMDk1RDU5QzhFME
M4OTVBOUM1ODVFMzQzRTcxNDFD</ds:DigestValue>
</ds:Reference>
</iodef:HashInformation>
<iodef:WindowsRegistryKeysModified>
<iodef:Key registryaction="add_value">
<iodef:KeyName>
HKLM\Software\Microsoft\Windows\
CurrentVersion\Run\KB00121600.exe
</iodef:KeyName>
<iodef:Value>
\?\?%AppData%\KB00121600.exe\?\?
</iodef:Value>
</iodef:Key>
</iodef:WindowsRegistryKeysModified>
</iodef:RecordData>
</iodef:Record>
</iodef:EventData>
<iodef:EventData>
<iodef:Expectation action="other"/>
<iodef:Flow>
<iodef:System category="source"
indicator-set-id="91011">
<iodef:Node>
<iodef:Address category="url"
indicator-uid="qrst">
http://foo.com:12345/evil/cc.php
</iodef:Address>
<iodef:NodeName indicator-uid="rstu">
evil.com
</iodef:NodeName>
Kampanakis Expires April 21, 2014 [Page 14]
Internet-Draft IODEF Usage Guidance October 2013
<iodef:Address category="ipv4-addr"
indicator-uid="stuv">
1.2.3.4</iodef:Address>
<iodef:Address category="ipv4-addr"
indicator-uid="tuvw">
5.6.7.8 </iodef:Address>
<iodef:Address category="ipv6-addr"
indicator-uid="uvwx">
2001:dead:beef::</iodef:Address>
<iodef:NodeRole category="c2-server"/>
</iodef:Node>
</iodef:System>
</iodef:Flow>
<iodef:Record>
<iodef:RecordData indicator-set-id="91011">
<iodef:HashInformation>
<ds:Reference>
<ds:DigestMethod Algorithm=
"http://www.w3.org/2001/04/xmlenc
#sha256"/>
<ds:DigestValue>
141accec23e7e5157de60853cb1e01bc3804
2d08f9086040815300b7fe75c184
</ds:DigestValue>
</ds:Reference>
</iodef:HashInformation>
<iodef:WindowsRegistryKeysModified
indicator-set-id="91011">
<iodef:Key registryaction="add_key"
indicator-uid="vwxy">
<iodef:KeyName>
HKLM\SYSTEM\CurrentControlSet\
Services\.Net CLR
</iodef:KeyName>
</iodef:Key>
<iodef:Key registryaction="add_key"
indicator-uid="wxyz">
<iodef:KeyName>
HKLM\SYSTEM\CurrentControlSet\
Services\.Net CLR\Parameters
</iodef:KeyName>
<iodef:Value>
\"\"%AppData%\KB00121600.exe\"\"
</iodef:Value>
</iodef:Key>
<iodef:Key registryaction="add_value"
indicator-uid="xyza">
<iodef:KeyName>
Kampanakis Expires April 21, 2014 [Page 15]
Internet-Draft IODEF Usage Guidance October 2013
HKLM\SYSTEM\CurrentControlSet\Services\
.Net CLR\Parameters\ServiceDll
</iodef:KeyName>
<iodef:Value>C:\bad.exe</iodef:Value>
</iodef:Key>
<iodef:Key registryaction="modify_value"
indicator-uid="zabc">
<iodef:KeyName>
HKLM\SYSTEM\CurrentControlSet\
Services\.Net CLR\Parameters\Bar
</iodef:KeyName>
<iodef:Value>Baz</iodef:Value>
</iodef:Key>
</iodef:WindowsRegistryKeysModified>
</iodef:RecordData>
</iodef:Record>
</iodef:EventData>
</iodef:Incident>
</iodef:IODEF-Document>
A.3. Spear-Phishing
<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="1.00" lang="en"
xmlns="urn:ietf:params:xml:ns:iodef-1.41"
xmlns:iodef="urn:ietf:params:xml:ns:iodef-1.41"
xmlns:iodef-sci="urn:ietf:params:xml:ns:iodef-sci-1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<iodef:Incident purpose="reporting">
<iodef:IncidentID name="csirt.example.com">
189601
</iodef:IncidentID>
<iodef:StartTime>2013-01-04T08:01:34+00:00</iodef:StartTime>
<iodef:StopTime>2013-01-04T08:31:27+00:00</iodef:StopTime>
<iodef:DetectTime>2013-01-04T08:06:12+00:00</iodef:DetectTime>
<iodef:ReportTime>2013-01-04T09:15:45+00:00</iodef:ReportTime>
<iodef:description>
Zeus Spear Phishing E-mail with Malware Attachment
</iodef:description>
<iodef:Assessment occurrence="potential">
<iodef:Impact severity="medium" type="info-leak">
Malware with Command and Control Server and System
Changes</iodef:Impact>
</iodef:Assessment>
<iodef:Contact role="creator" type="organization">
<iodef:ContactName>example.com CSIRT
Kampanakis Expires April 21, 2014 [Page 16]
Internet-Draft IODEF Usage Guidance October 2013
</iodef:ContactName>
<iodef:Email>contact@csirt.example.com</iodef:Email>
</iodef:Contact>
<iodef:EventData>
<iodef:Description>Targeting Defense Contractors,
specifically board members attending Dummy Con
</iodef:Description>
<iodef:Expectation action="other"/>
<iodef:Method>
<iodef:Reference indicator_uid="1234">
<iodef:ReferenceName>Zeus</iodef:ReferenceName>
</iodef:Reference>
</iodef:Method>
<iodef:Flow>
<iodef:System category="source">
<iodef:Node>
<iodef:Address category="url">
http://www.zeusevil.com</iodef:Address>
<iodef:Address category="ipv4-addr">
10.10.10.166</iodef:Address>
<iodef:Address category="as">
225</iodef:Address>
<iodef:Address category="ext-value"
ext-category="as-name">
EXAMPLE-AS - University of Example"
</iodef:Address>
<iodef:Address category="ext-value"
ext-category="as-prefix">
172.16..0.0/16
</iodef:Address>
<iodef:NodeRole category="www"
attacktype="malware-distribution"/>
</iodef:Node>
</iodef:System>
</iodef:Flow>
<iodef:Flow>
<iodef:System category="source">
<iodef:Node>
<iodef:NodeName>mail1.evildave.com</iodef:NodeName>
<iodef:Address category="ipv4-addr">
172.16.55.6</iodef:Address>
<iodef:Address category="asn">
225</iodef:Address>
<iodef:Address category="ext-value"
ext-category="as-name">
EXAMPLE-AS - University of Example
</iodef:Address>
<iodef:DomainData>
Kampanakis Expires April 21, 2014 [Page 17]
Internet-Draft IODEF Usage Guidance October 2013
<iodef:Name>evildaveexample.com</iodef:Name>
<iodef:DateDomainWasChecked>2013-01-04T09:10:24+00:00
</iodef:DateDomainWasChecked>
<iodef:RelatedDNS RecordType="MX">
evildaveexample.com MX prefernce = 10, mail exchanger
= mail1.evildave.com</iodef:RelatedDNS>
<iodef:RelatedDNS RecordType="A">
mail1.evildaveexample.com
internet address = 172.16.55.6</iodef:RelatedDNS>
<iodef:RelatedDNS RecordType="SPF">
zuesevil.com. IN TXT \"v=spf1 a mx -all\"
</iodef:RelatedDNS>
</iodef:DomainData>
<iodef:NodeRole category="mail"
attacktype="spear-phishing"/>
</iodef:Node>
<iodef:Service>
<iodef:EmailInfo>
<iodef:Email>emaildave@evildaveexample.com
</iodef:Email>
<iodef:EmailSubject>Join us at Dummy Con
</iodef:EmailSubject>
<iodef:X-Mailer>StormRider 4.0
</iodef:X-Mailer>
</iodef:EmailInfo>
</iodef:Service>
</iodef:System>
<iodef:System category="target">
<iodef:Node>
<iodef:Address category="ipv4">
192.168.54.2</iodef:Address>
</iodef:Node>
</iodef:System>
</iodef:Flow>
<iodef:Record>
<iodef:RecordData>
<iodef:HashInformation type="file_hash"
indicator_uid="1234">
<iodef:FileName>Dummy Con Sign Up Sheet.txt
</iodef:FileName>
<iodef:FileSize>152</iodef:FileSize>
<ds:Reference>
<ds:DigestMethod Algorithm=
"http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>
141accec23e7e5157de60853cb1e01bc38042d
08f9086040815300b7fe75c184
Kampanakis Expires April 21, 2014 [Page 18]
Internet-Draft IODEF Usage Guidance October 2013
</ds:DigestValue>
</ds:Reference>
</iodef:HashInformation>
</iodef:RecordData>
<iodef:RecordData>
<iodef:HashInformation type="PKI_email_ds" valid="0">
<ds:Signature>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>FakeCA
</ds:X509IssuerName>
</ds:X509IssuerSerial>
<ds:X509SubjectName>EvilDaveExample
</ds:X509SubjectName>
</ds:X509Data>
</ds:KeyInfo>
<ds:SignedInfo>
<ds:Reference>
<ds:DigestMethod Algorithm=
"http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>
352bddec13e4e5257ee63854cb1f05de48043d09f9
076070845307b7ce76c185
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
</ds:Signature>
</iodef:HashInformation>
</iodef:RecordData>
</iodef:Record>
</iodef:EventData>
</iodef:Incident>
</IODEF-Document>
Author's Address
Panos Kampanakis
Cisco Systems
170 West Tasman Dr.
San Jose, CA 95134
US
Email: pkampana@cisco.com
Kampanakis Expires April 21, 2014 [Page 19]
