Project

General

Profile

Use of IODEF objects database for CSIRT

Added by Gilles Lehmann almost 4 years ago

We need to explore the use of database of IODEF objects in the long run. What would operators do with this data (ex : reporting, trends, etc.)

Could centralised IODEF database (in national security agency for example) help create "threat intelligence" data for CSIRTs (ex : IP reputation list ?)

One subject could be correlation of real time IDMEF alerts with IODEF database objects (?)

Could IODEF objects be "correlated" ?

Ex : The National Agency receive two IODEF from to different CSIRT identifying the same attack scenario ... which could mean there is a "national" attack on all the important operators ... should we create a "correlated" IODEF with a higher severity saying something like "This same scenario attack has been seen twice in two days"