IODEF Assessment Zoom

Assessment Class

The Assessment class describes the technical and non-technical repercussions of the incident on the CSIRT's constituency.

This class was derived from the IDMEF.

The aggregate classes that constitute Assessment are:

  • Impact

Zero or many. Technical impact of the incident on a network.

  • TimeImpact

Zero or many. Impact of the activity measured with respect to time.

  • MonetaryImpact

Zero or many. Impact of the activity measured with respect to financial loss.

  • Counter

Zero or many. A counter with which to summarize the magnitude of the activity.

  • Confidence

Zero or one. An estimate of confidence in the assessment.

  • AdditionalData

Zero or many. A mechanism by which to extend the data model.

At least one instance of the three possible impact classes (i.e., Impact, TimeImpact, or MonetaryImpact) MUST be present.

The Assessment class has two attributes:

  • occurrence

Optional. ENUM. Specifies whether the assessment is describing actual or potential outcomes. The default is "actual" and is assumed if not specified.

Rank Keyword Description
1 actual This assessment describes activity that has occurred.
2 potential This assessment describes potential activity that might occur.
  • restriction

Optional. ENUM. This attribute is defined in the Incident class.

Impact Class

The Impact class allows for categorizing and describing the technical impact of the incident on the network of an organization.

This class is based on the IDMEF.

The element content will be a free-form textual description of the impact.

The Impact class has five attributes:

  • lang

Required. ENUM. A valid language code per RFC 4646 constrained by the definition of "xs:language".

  • severity

Optional. ENUM. An estimate of the relative severity of the activity. The permitted values are shown below. There is no default value.

Rank Keyword Description
1 low Low severity
2 medium Medium severity
3 high High severity
  • completion

Optional. ENUM. An indication whether the described activity was successful. The permitted values are shown below. There is no default value.

Rank Keyword Description
1 failed The attempted activity was not successful.
2 succeeded The attempted activity succeeded.
  • type

Required. ENUM. Classifies the malicious activity into incident categories. The permitted values are shown below. The text inherited from RFC 5070 gives the default as "other", but "other" does not appear among the permitted values; "unknown" is the listed value for activity that cannot be classified.

Rank Keyword Description
1 admin Administrative privileges were attempted.
2 dos A denial of service was attempted.
3 file An action that impacts the integrity of a file or database was attempted.
4 info-leak An attempt was made to exfiltrate information.
5 misconfiguration An attempt was made to exploit a misconfiguration in a system.
6 policy Activity violating site's policy was attempted.
7 recon Reconnaissance activity was attempted.
8 social-engineering A social engineering attack was attempted.
9 user User privileges were attempted.
10 unknown The classification of this activity is unknown.
11 ext-value An escape value used to extend this attribute.
  • ext-type

Optional. STRING. A means by which to extend the type attribute.

TimeImpact Class

The TimeImpact class describes the impact of the incident on an organization as a function of time. It provides a way to convey down time and recovery time.

The element content is a positive, floating point (REAL) number specifying a unit of time. The duration and metric attributes will imply the semantics of the element content.

The TimeImpact class has five attributes:

  • severity

Optional. ENUM. An estimate of the relative severity of the activity. The permitted values are shown below. There is no default value.

Rank Keyword Description
1 low Low severity
2 medium Medium severity
3 high High severity
  • metric

Required. ENUM. Defines the metric in which the time is expressed. The permitted values are shown below. There is no default value.

Rank Keyword Description
1 labor Total staff-time to recover from the activity (e.g., 2 employees working 4 hours each would be 8 hours)
2 elapsed Elapsed time from the beginning of the recovery to its completion (i.e., wall-clock time)
3 downtime Duration of time for which some provided service(s) was not available
4 ext-value An escape value used to extend this attribute
  • ext-metric

Optional. STRING. A means by which to extend the metric attribute.

  • duration

Required. ENUM. Defines a unit of time, that when combined with the metric attribute, fully describes a metric of impact that will be conveyed in the element content. The permitted values are shown below. The default value is "hour".

Rank Keyword Description
1 second The unit of the element content is seconds
2 minute The unit of the element content is minutes
3 hour The unit of the element content is hours
4 day The unit of the element content is days
5 month The unit of the element content is months
6 quarter The unit of the element content is quarters
7 year The unit of the element content is years
8 ext-value An escape value used to extend this attribute

  • ext-duration

Optional. STRING. A means by which to extend the duration attribute.

MonetaryImpact Class

The MonetaryImpact class describes the financial impact of the activity on an organization. For example, this impact may consider losses due to the cost of the investigation or recovery, diminished productivity of the staff, or a tarnished reputation that will affect future opportunities.

The element content is a positive, floating point number (REAL) specifying an amount of the currency named in the currency attribute.

The MonetaryImpact class has two attributes:

  • severity

Optional. ENUM. An estimate of the relative severity of the activity. The permitted values are shown below. There is no default value.

Rank Keyword Description
1 low Low severity
2 medium Medium severity
3 high High severity
  • currency

Required. STRING. Defines the currency in which the monetary impact is expressed. The permitted values are defined in ISO 4217:2001, Codes for the representation of currencies and funds. There is no default value.

Confidence Class

The Confidence class represents a best estimate of the validity and accuracy of the described impact (see the Assessment class above) of the incident activity. This estimate can be expressed as a category or a numeric calculation.

This class is based upon the IDMEF.

The element content expresses a numerical assessment of the confidence in the data when the value of the rating attribute is "numeric". Otherwise, this element should be empty.

The Confidence class has one attribute.

  • rating

Required. ENUM. A rating of the analytical validity of the specified Assessment. The permitted values are shown below. There is no default value.

Rank Keyword Description
1 low Low confidence in the validity.
2 medium Medium confidence in the validity.
3 high High confidence in the validity.
4 numeric The element content contains a number that conveys the confidence of the data. The semantics of this number are outside the scope of this specification.

Counter Class

The Counter class summarizes multiple occurrences of some event, or conveys counts or rates on various features (e.g., packets, sessions, events).

The value of the counter is the element content with its units represented in the type attribute. A rate for a given feature can be expressed by setting the duration attribute. The complete semantics are entirely context dependent based on the class in which the Counter is aggregated.

The Counter class has four attributes:

  • type

Required. ENUM. Specifies the units of the element content.

Rank Keyword Description
1 byte Count of bytes.
2 packet Count of packets.
3 flow Count of flows (e.g., NetFlow records).
4 session Count of sessions.
5 alert Count of notifications generated by another system (e.g., IDS or SIM).
6 message Count of messages (e.g., mail messages).
7 event Count of events.
8 host Count of hosts.
9 site Count of sites.
10 organization Count of organizations.
11 ext-value An escape value used to extend this attribute.
  • ext-type

Optional. STRING. A means by which to extend the type attribute.

  • duration

Optional. ENUM. If present, the Counter class represents a rate rather than a count over the entire event. In that case, this attribute specifies the denominator of the rate (where the type attribute specifies the numerator). The possible values of this attribute are those defined for the duration attribute of the TimeImpact class above.

  • ext-duration

Optional. STRING. A means by which to extend the duration attribute.
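The classes above state several constraints that a plain XML Schema check does not catch on its own: at least one of Impact, TimeImpact or MonetaryImpact MUST be present, Confidence must carry content only when rating is "numeric", an ext-value escape needs its ext-* twin, TimeImpact and MonetaryImpact content must be a positive REAL, and a Counter with a duration is a rate rather than a count. The following Python is an added example, not code from RFC 5070 or from this wiki, that parses an Assessment subtree with the standard library, reports violations of those rules, normalises TimeImpact values to hours and Counter rates to per-second figures. The IODEF v1 namespace URI, the fixed month/quarter/year lengths and both XML samples are assumptions of the example.

```python
"""Added example (not from RFC 5070 or this wiki page): parse an IODEF v1 Assessment
subtree with the standard library and check the constraints stated for its classes."""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"  # IODEF v1 namespace, assumed here
NS = {"iodef": IODEF_NS}
IMPACT_TYPES = {"admin", "dos", "file", "info-leak", "misconfiguration", "policy",
                "recon", "social-engineering", "user", "unknown", "ext-value"}
TIME_METRICS = {"labor", "elapsed", "downtime", "ext-value"}
COUNTER_TYPES = {"byte", "packet", "flow", "session", "alert", "message",
                 "event", "host", "site", "organization", "ext-value"}
# Seconds per duration keyword, used to normalise TimeImpact values and Counter rates.
# Calendar units have no fixed length: 30/91/365 days is this example's assumption.
DURATION_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400,
                    "month": 30 * 86400, "quarter": 91 * 86400, "year": 365 * 86400}
DURATIONS = set(DURATION_SECONDS) | {"ext-value"}

def _real(text):
    try:
        return float((text or "").strip())  # element content as a float, else None
    except ValueError:
        return None

def _enum(el, attr, allowed, problems, required=False, default=None):
    """Check one ENUM attribute; the ext-value escape needs its ext-<attr> twin."""
    name, value = el.tag.rsplit("}", 1)[-1], el.get(attr, default)
    if value is None:
        if required:
            problems.append(f"{name}: missing required attribute '{attr}'")
    elif value not in allowed:
        problems.append(f"{name}: {attr}='{value}' is not a permitted value")
    elif value == "ext-value" and el.get("ext-" + attr) is None:
        problems.append(f"{name}: {attr}='ext-value' requires ext-{attr}")
    return value

def validate_assessment(xml_text):
    """Return the list of constraint violations (empty when the subtree is clean)."""
    root, problems = ET.fromstring(xml_text), []
    if not any(root.findall(f"iodef:{t}", NS) for t in ("Impact", "TimeImpact", "MonetaryImpact")):
        problems.append("Assessment: at least one Impact, TimeImpact or MonetaryImpact MUST be present")
    for el in root.findall("iodef:Impact", NS):
        if el.get("lang") is None:
            problems.append("Impact: missing required attribute 'lang'")
        _enum(el, "type", IMPACT_TYPES, problems, required=True)
        _enum(el, "severity", {"low", "medium", "high"}, problems)
        _enum(el, "completion", {"failed", "succeeded"}, problems)
    for el in root.findall("iodef:TimeImpact", NS):
        _enum(el, "metric", TIME_METRICS, problems, required=True)
        _enum(el, "duration", DURATIONS, problems, default="hour")  # "hour" is the stated default
        if not (_real(el.text) or 0) > 0:
            problems.append("TimeImpact: element content must be a positive REAL")
    for el in root.findall("iodef:MonetaryImpact", NS):
        cur = el.get("currency") or ""
        if not (len(cur) == 3 and cur.isalpha() and cur.isupper()):  # ISO 4217 code shape only
            problems.append(f"MonetaryImpact: currency '{cur}' is not an ISO 4217 code")
        if not (_real(el.text) or 0) > 0:
            problems.append("MonetaryImpact: element content must be a positive REAL")
    for el in root.findall("iodef:Counter", NS):
        _enum(el, "type", COUNTER_TYPES, problems, required=True)
        _enum(el, "duration", DURATIONS, problems)
    confidences = root.findall("iodef:Confidence", NS)
    if len(confidences) > 1:
        problems.append("Assessment: at most one Confidence is allowed")
    for el in confidences:
        rating = _enum(el, "rating", {"low", "medium", "high", "numeric"}, problems, required=True)
        if rating == "numeric" and _real(el.text) is None:
            problems.append("Confidence: rating='numeric' requires numeric element content")
        elif rating != "numeric" and (el.text or "").strip():
            problems.append("Confidence: element content must be empty unless rating='numeric'")
    return problems

def summarize_assessment(xml_text):
    """Normalise TimeImpact values to hours; a Counter with a duration becomes a per-second rate."""
    root = ET.fromstring(xml_text)
    out = {"occurrence": root.get("occurrence", "actual"), "hours": {}, "rates": []}
    for el in root.findall("iodef:TimeImpact", NS):
        unit, value = el.get("duration", "hour"), _real(el.text)
        if unit in DURATION_SECONDS and value is not None:
            out["hours"][el.get("metric")] = value * DURATION_SECONDS[unit] / 3600
    for el in root.findall("iodef:Counter", NS):
        unit, count = el.get("duration"), _real(el.text)
        per_s = count / DURATION_SECONDS[unit] if count is not None and unit in DURATION_SECONDS else None
        out["rates"].append((el.get("type"), count, unit, per_s))
    return out

# Constructed sample: successful DoS, 150 min downtime, 8 staff-hours, EUR 1200, 45 000 packet/s, 0.85 confidence.
GOOD_ASSESSMENT = f"""<Assessment xmlns="{IODEF_NS}" occurrence="actual">
  <Impact lang="en" type="dos" severity="high" completion="succeeded">SYN flood on the web tier</Impact>
  <TimeImpact metric="downtime" duration="minute" severity="medium">150</TimeImpact>
  <TimeImpact metric="labor">8</TimeImpact>
  <MonetaryImpact currency="EUR" severity="low">1200.00</MonetaryImpact>
  <Counter type="packet" duration="second">45000</Counter>
  <Confidence rating="numeric">0.85</Confidence>
</Assessment>"""
# Constructed sample breaking three rules: no impact class, unknown Counter type, content in a non-numeric Confidence.
BAD_ASSESSMENT = f"""<Assessment xmlns="{IODEF_NS}">
  <Counter type="widget">12</Counter>
  <Confidence rating="high">0.9</Confidence>
</Assessment>"""
```

Running validate_assessment(GOOD_ASSESSMENT) returns an empty list, and summarize_assessment(GOOD_ASSESSMENT) reports 2.5 hours of downtime, 8 hours of labor (the missing duration attribute falling back to the stated default "hour") and a packet rate of 45000 per second. validate_assessment(BAD_ASSESSMENT) returns three problems, one per broken rule. The checks are deliberately structural; whether a value is plausible for the incident remains an analyst's call.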

Attachment: Assessment.svg (IODEF UML Diagram, 62.4 KB), Vérène Houdebine, 05/07/2015 05:33 PM