Managed Incident Lightweight Exchange

Document Proposed charter Managed Incident Lightweight Exchange WG (mile)
Title Managed Incident Lightweight Exchange
Last updated 2018-11-01
State External review Rechartering
WG State Active
IESG Responsible AD Alexey Melnikov
Charter Edit AD Alexey Melnikov
Telechat date On agenda of 2018-11-21 IESG telechat
Send notices to (None)


The Managed Incident Lightweight Exchange (MILE) working group develops
standards to support computer and network security incident management; an
incident is an unplanned event that occurs in an information technology (IT)
infrastructure. An incident could be a benign configuration issue, IT incident,
a system compromise, socially engineered phishing attack, or a
denial-of-service (DoS) attack, etc. When an incident is detected, or
suspected, there may be a need for organizations to collaborate. This
collaboration effort may take several forms including joint analysis,
information dissemination, and/or a coordinated operational response. Examples
of the response may include filing a report, notifying the source of the
incident, requesting that a third-party resolve/mitigate the incident, sharing
select indicators of compromise, or requesting that the source be located. By
sharing indicators of compromise associated with an incident or possible
threat, the information becomes a proactive defense for others that may include
mitigation options.

The MILE WG is focused on two areas: standardizing a data format for
representing incident and indicator data, and standardizing mappings into
application substrate protocols, such as HTTP and XMPP, for sharing the
structured data. With respect to the data format, the working group has adopted
the Incident Object Description Exchange Format (IODEF, RFC 7970) as one
exchange format and will continue to:

- Revise the IODEF document to incorporate enhancements and extensions based on
operational experience. Use by the Computer Security Incident Response Teams
(CSIRTs) and others has exposed the need to extend IODEF to support industry
specific extensions, use case specific content, and representations to
associate information related to represented threats (system, threat actors,
campaigns, etc.). The value of information sharing has been demonstrated and
highlighted at an increasing rate through the success of the Information
Sharing and Analysis Centers (ISACs). In addition, the Multinational Alliance
for Collaborative Cyber Situational Awareness (CCSA) have been running
experiments to determine what data is useful to exchange between industries and
nations to effectively mitigate threats. The work of these and other groups
have identified and continue to develop data representations relevant to their
use cases that may compliment/extend IODEF.

- Provide guidance on the implementation and use of IODEF to facilitate

Though the working group also adopted Real-time Inter-network Defense (RID, RFC
6545) as further enabling information exchange of security policy, its
transport mechanism, based on the Simple Object Access Protocol (SOAP), led to
the second focus for MILE: adopting more modern transport through the adoption
of a RESTful interface through ROLIE (Resource-oriented lightweight information
exchange, RFC 8322) and the adoption of a publish-subscribe model through
XMPP-Grid (draft-ietf-mile-xmpp-grid). The MILE WG will continue to:

- Update and enhance these transport protocols to optimize their performance
and representations. More explicitly, documenting how ROLIE can transport JSON

- Define and document how these transport protocols can also be used to support
other security information exchange formats. For example, documenting how ROLIE
can transport STIX (Structured Threat Information Expression) data. As STIX is
a expression format defined by the OASIS consortium, the working group will
maintain a relationship with OASIS to ensure proper use, compatibility and
interoperability when using STIX. 

Proposed milestones

Date Milestone
Apr 2019 Submit a draft on RESTful indicator exchange for CSIRT usage as an Informational RFC
Dec 2018 Submit a draft on JSON bindings of IODEF to the IESG for publication as a Standards Track RFC
Dec 2018 Submit a draft on XMPP Protocol Extensions for Use with IODEF