Use of IODEF objects database for CSIRT
We need to explore the use of a database of IODEF objects in the long run. What would operators do with this data (e.g. reporting, trends, etc.)?
Could a centralised IODEF database (at a national security agency, for example) help create "threat intelligence" data for CSIRTs (e.g. an IP reputation list)?
One subject could be the correlation of real-time IDMEF alerts with IODEF database objects (?)
Could IODEF objects themselves be "correlated"?
Example: the national agency receives two IODEF documents from two different CSIRTs identifying the same attack scenario ... which could mean there is a "national" attack on all the important operators ... should we create a "correlated" IODEF with a higher severity saying something like "This same attack scenario has been seen twice in two days"?
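To make the two ideas above concrete (the IP reputation list derived from a central IODEF store, and the "correlated" IODEF raised when two CSIRTs report the same scenario), here is an added example in Python. It is not code from this page or from any IODEF implementation; it assumes IODEF 1.0 (RFC 5070) documents, takes the reporting CSIRT from the name attribute of IncidentID, defines an "attack scenario" as the pair (source address, target port), and uses three constructed sample reports.

```python
# Added example: correlating IODEF 1.0 (RFC 5070) reports held in a central database.
# Assumptions (not from the page): scenario key = (source address, target port);
# reporting CSIRT = IncidentID@name; sample reports below are constructed.
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = "urn:ietf:params:xml:ns:iodef-1.0"
ET.register_namespace("", NS)          # serialise with the default namespace
SEVERITY = ["low", "medium", "high"]   # RFC 5070 Impact@severity values, ordered

def q(tag):
    return "{%s}%s" % (NS, tag)

def parse_incidents(xml_text):
    """Flatten every Incident of one IODEF-Document into a dict."""
    records = []
    for inc in ET.fromstring(xml_text).iter(q("Incident")):
        iid = inc.find(q("IncidentID"))           # direct child only, not RelatedActivity's
        impact = inc.find("%s/%s" % (q("Assessment"), q("Impact")))
        sources, ports = set(), set()
        for system in inc.iter(q("System")):
            if system.get("category") == "source":
                sources.update(a.text for a in system.iter(q("Address")))
            elif system.get("category") == "target":
                ports.update(p.text for p in system.iter(q("Port")))
        records.append({
            "csirt": iid.get("name"), "id": iid.text,
            "time": datetime.fromisoformat(inc.findtext(q("ReportTime"))),
            "severity": impact.get("severity", "low") if impact is not None else "low",
            "sources": sources, "ports": ports})
    return records

def reputation(records):
    """Source address -> number of distinct CSIRTs that reported it (a minimal
    reputation score the agency could hand back to its constituency)."""
    seen = defaultdict(set)
    for rec in records:
        for src in rec["sources"]:
            seen[src].add(rec["csirt"])
    return {src: len(csirts) for src, csirts in seen.items()}

def correlate(records, window=timedelta(days=2)):
    """Scenarios reported by >= 2 different CSIRTs within `window`, severity escalated one step."""
    by_key = defaultdict(list)
    for rec in records:
        for src in rec["sources"]:
            for port in rec["ports"]:
                by_key[(src, port)].append(rec)
    hits = []
    for key, recs in by_key.items():
        recs.sort(key=lambda r: r["time"])
        csirts = {r["csirt"] for r in recs}
        span = recs[-1]["time"] - recs[0]["time"]
        if len(csirts) < 2 or span > window:
            continue
        worst = max(SEVERITY.index(r["severity"]) for r in recs)
        hits.append({"key": key, "csirts": sorted(csirts),
                     "incidents": [(r["csirt"], r["id"]) for r in recs],
                     "severity": SEVERITY[min(worst + 1, len(SEVERITY) - 1)],
                     "span_hours": int(span.total_seconds() // 3600),
                     "last_seen": recs[-1]["time"].isoformat()})
    return hits

def correlated_document(hit, agency="national-agency.example"):
    """The 'correlated' IODEF: one Incident pointing back to the originals via RelatedActivity."""
    doc = ET.Element(q("IODEF-Document"), version="1.00", lang="en")
    inc = ET.SubElement(doc, q("Incident"), purpose="reporting")
    ET.SubElement(inc, q("IncidentID"), name=agency).text = "CORR-%s-%s" % hit["key"]
    related = ET.SubElement(inc, q("RelatedActivity"))
    for csirt, iid in hit["incidents"]:
        ET.SubElement(related, q("IncidentID"), name=csirt).text = iid
    ET.SubElement(inc, q("ReportTime")).text = hit["last_seen"]
    ET.SubElement(inc, q("Description")).text = (
        "Same attack scenario (%s -> port %s) reported %d times by %d CSIRTs within %d hours"
        % (hit["key"][0], hit["key"][1], len(hit["incidents"]), len(hit["csirts"]), hit["span_hours"]))
    ET.SubElement(ET.SubElement(inc, q("Assessment")), q("Impact"), severity=hit["severity"], type="admin")
    contact = ET.SubElement(inc, q("Contact"), role="creator", type="organization")
    ET.SubElement(contact, q("ContactName")).text = agency
    return ET.tostring(doc, encoding="unicode")

# Constructed sample reports: two CSIRTs see the same attacker on port 22 within two days.
SAMPLE = """<IODEF-Document version="1.00" lang="en" xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <Incident purpose="reporting"><IncidentID name="{csirt}">{iid}</IncidentID>
    <ReportTime>{time}</ReportTime>
    <Assessment><Impact severity="{sev}" completion="failed" type="admin"/></Assessment>
    <Contact role="creator" type="organization"><ContactName>{csirt}</ContactName></Contact>
    <EventData><Flow>
      <System category="source"><Node><Address category="ipv4-addr">{src}</Address></Node></System>
      <System category="target"><Node><Address category="ipv4-addr">{dst}</Address></Node>
        <Service ip_protocol="6"><Port>{port}</Port></Service></System>
    </Flow></EventData></Incident></IODEF-Document>"""
REPORTS = [
    SAMPLE.format(csirt="csirt-a.example", iid="A-1001", time="2010-03-02T10:00:00+00:00",
                  sev="medium", src="198.51.100.7", dst="192.0.2.10", port="22"),
    SAMPLE.format(csirt="csirt-b.example", iid="B-2001", time="2010-03-04T09:00:00+00:00",
                  sev="medium", src="198.51.100.7", dst="192.0.2.77", port="22"),
    SAMPLE.format(csirt="csirt-a.example", iid="A-1002", time="2010-03-03T12:00:00+00:00",
                  sev="low", src="203.0.113.9", dst="192.0.2.10", port="445")]

def run(reports=REPORTS):
    records = [r for doc in reports for r in parse_incidents(doc)]
    return reputation(records), correlate(records)

if __name__ == "__main__":
    rep, hits = run()
    print(rep)
    for hit in hits:
        print(correlated_document(hit))
```

The scenario key is deliberately crude; a real deployment would key on the Method/Reference or a normalised description as well, and the correlated document keeps the RelatedActivity links so each CSIRT can trace the escalation back to its own IncidentID.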