Incident Object Description Exchange Format Usage Guidance
RFC 8274
Internet Engineering Task Force (IETF)                     P. Kampanakis
Request for Comments: 8274                                 Cisco Systems
Category: Informational                                        M. Suzuki
ISSN: 2070-1721                                                     NICT
                                                           November 2017
Abstract
The Incident Object Description Exchange Format (IODEF) v2 (RFC 7970)
defines a data representation that provides a framework for sharing
information about computer security incidents commonly exchanged by
Computer Security Incident Response Teams (CSIRTs). Since the IODEF
model includes a wealth of available options that can be used to
describe a security incident or issue, it can be challenging for
security practitioners to develop tools that leverage IODEF for
incident sharing. This document provides guidelines for IODEF
implementers. It addresses how common security indicators can be
represented in IODEF and provides use cases of how IODEF is being
used. This document aims to make IODEF's adoption by vendors easier
and to encourage faster and wider adoption of the model by CSIRTs
around the world.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8274.
Kampanakis & Suzuki Informational [Page 1]
RFC 8274 IODEF Guidance November 2017
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Implementation and Use Strategy . . . . . . . . . . . . . . . 3
3.1. Minimal IODEF Document . . . . . . . . . . . . . . . . . 3
3.2. Information Represented . . . . . . . . . . . . . . . . . 4
3.3. IODEF Classes . . . . . . . . . . . . . . . . . . . . . . 5
4. IODEF Usage Considerations . . . . . . . . . . . . . . . . . 6
4.1. External References . . . . . . . . . . . . . . . . . . . 6
4.2. Extensions . . . . . . . . . . . . . . . . . . . . . . . 6
4.3. Indicator Predicate Logic . . . . . . . . . . . . . . . . 7
4.4. Disclosure Level . . . . . . . . . . . . . . . . . . . . 7
5. IODEF Uses . . . . . . . . . . . . . . . . . . . . . . . . . 8
5.1. Implementations . . . . . . . . . . . . . . . . . . . . . 8
5.2. Inter-vendor and Service Provider Exercise . . . . . . . 8
5.3. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . 12
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
7. Security Considerations . . . . . . . . . . . . . . . . . . . 12
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
8.1. Normative References . . . . . . . . . . . . . . . . . . 13
8.2. Informative References . . . . . . . . . . . . . . . . . 13
Appendix A. Indicator Predicate Logic Examples . . . . . . . . . 14
Appendix B. Inter-vendor and Service Provider Exercise Examples 16
B.1. Malware Delivery URL . . . . . . . . . . . . . . . . . . 16
B.2. DDoS . . . . . . . . . . . . . . . . . . . . . . . . . . 17
B.3. Spear Phishing . . . . . . . . . . . . . . . . . . . . . 20
B.4. Malware . . . . . . . . . . . . . . . . . . . . . . . . . 24
B.5. IoT Malware . . . . . . . . . . . . . . . . . . . . . . . 30
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33