IODEF Assessment Zoom
IncidentAssessment Class
The Assessment class describes the technical and non-technical repercussions of the incident on the CSIRT's constituency.
This class was derived from the IDMEF.
The aggregate classes that constitute Assessment are:
- Impact
Zero or many. Technical impact of the incident on a network.
- TimeImpact
Zero or many. Impact of the activity measured with respect to time.
- MonetaryImpact
Zero or many. Impact of the activity measured with respect to financial loss.
- Counter
Zero or more. A counter with which to summarize the magnitude of the activity.
- Confidence
Zero or one. An estimate of confidence in the assessment.
- AdditionalData
Zero or many. A mechanism by which to extend the data model.
At least one instance of the three possible impact classes (i.e., Impact, TimeImpact, or MonetaryImpact) MUST be present.
The Assessment class has two attributes:
- occurrence
Optional. ENUM. Specifies whether the assessment is describing actual or potential outcomes. The default is "actual" and is assumed if not specified.
Permitted values (rank, keyword, description):
- 1. actual: This assessment describes activity that has occurred.
- 2. potential: This assessment describes potential activity that might occur.
- restriction
Optional. ENUM. This attribute is defined in Incident Class.
Impact Class
The Impact class allows for categorizing and describing the technical impact of the incident on the network of an organization.
This class is based on the IDMEF.
The element content will be a free-form textual description of the impact.
The Impact class has five attributes:
- lang
Required. ENUM. A valid language code per RFC 4646 constrained by the definition of "xs:language".
- severity
Optional. ENUM. An estimate of the relative severity of the activity. The permitted values are shown below. There is no default value.
Permitted values (rank, keyword, description):
- 1. low: Low severity.
- 2. medium: Medium severity.
- 3. high: High severity.
- completion
Optional. ENUM. An indication whether the described activity was successful. The permitted values are shown below. There is no default value.
Permitted values (rank, keyword, description):
- 1. failed: The attempted activity was not successful.
- 2. succeeded: The attempted activity succeeded.
- type
Required. ENUM. Classifies the malicious activity into incident categories. The permitted values are shown below. The default value is "other".
Permitted values (rank, keyword, description):
- 1. admin: Administrative privileges were attempted.
- 2. dos: A denial of service was attempted.
- 3. file: An action that impacts the integrity of a file or database was attempted.
- 4. info-leak: An attempt was made to exfiltrate information.
- 5. misconfiguration: An attempt was made to exploit a misconfiguration in a system.
- 6. policy: Activity violating the site's policy was attempted.
- 7. recon: Reconnaissance activity was attempted.
- 8. social-engineering: A social engineering attack was attempted.
- 9. user: User privileges were attempted.
- 10. unknown: The classification of this activity is unknown.
- 11. ext-value: An escape value used to extend this attribute.
- ext-type
Optional. STRING. A means by which to extend the type attribute.
TimeImpact Class
The TimeImpact class describes the impact of the incident on an organization as a function of time. It provides a way to convey downtime and recovery time.
The element content is a positive, floating point (REAL) number specifying a unit of time. The duration and metric attributes will imply the semantics of the element content.
The TimeImpact class has five attributes:
- severity
Optional. ENUM. An estimate of the relative severity of the activity. The permitted values are shown below. There is no default value.
Permitted values (rank, keyword, description):
- 1. low: Low severity.
- 2. medium: Medium severity.
- 3. high: High severity.
- metric
Required. ENUM. Defines the metric in which the time is expressed. The permitted values are shown below. There is no default value.
Permitted values (rank, keyword, description):
- 1. labor: Total staff-time to recover from the activity (e.g., 2 employees working 4 hours each would be 8 hours).
- 2. elapsed: Elapsed time from the beginning of the recovery to its completion (i.e., wall-clock time).
- 3. downtime: Duration of time for which some provided service(s) was not available.
- 4. ext-value: An escape value used to extend this attribute.
- ext-metric
Optional. STRING. A means by which to extend the metric attribute.
- duration
Required. ENUM. Defines a unit of time, that when combined with the metric attribute, fully describes a metric of impact that will be conveyed in the element content. The permitted values are shown below. The default value is "hour".
Permitted values (rank, keyword, description):
- 1. second: The unit of the element content is seconds.
- 2. minute: The unit of the element content is minutes.
- 3. hour: The unit of the element content is hours.
- 4. day: The unit of the element content is days.
- 5. month: The unit of the element content is months.
- 6. quarter: The unit of the element content is quarters.
- 7. year: The unit of the element content is years.
- 8. ext-value: An escape value used to extend this attribute.
- ext-duration
Optional. STRING. A means by which to extend the duration attribute.
MonetaryImpact Class
The MonetaryImpact class describes the financial impact of the activity on an organization. For example, this impact may consider losses due to the cost of the investigation or recovery, diminished productivity of the staff, or a tarnished reputation that will affect future opportunities.
The element content is a positive, floating point number (REAL) specifying a unit of currency described in the currency attribute.
The MonetaryImpact class has two attributes:
- severity
Optional. ENUM. An estimate of the relative severity of the activity. The permitted values are shown below. There is no default value.
Permitted values (rank, keyword, description):
- 1. low: Low severity.
- 2. medium: Medium severity.
- 3. high: High severity.
- currency
Required. STRING. Defines the currency in which the monetary impact is expressed. The permitted values are defined in ISO 4217:2001, Codes for the representation of currencies and funds. There is no default value.
Confidence Class
The Confidence class represents a best estimate of the validity and accuracy of the described impact (see Section 3.10) of the incident activity. This estimate can be expressed as a category or a numeric calculation.
This class is based upon the IDMEF.
The element content expresses a numerical assessment of the confidence in the data when the value of the rating attribute is "numeric". Otherwise, this element should be empty.
The Confidence class has one attribute:
- rating
Required. ENUM. A rating of the analytical validity of the specified Assessment. The permitted values are shown below. There is no default value.
Permitted values (rank, keyword, description):
- 1. low: Low confidence in the validity.
- 2. medium: Medium confidence in the validity.
- 3. high: High confidence in the validity.
- 4. numeric: The element content contains a number that conveys the confidence of the data. The semantics of this number are outside the scope of this specification.
Counter Class
The Counter class summarizes multiple occurrences of some event, or conveys counts or rates on various features (e.g., packets, sessions, events).
The value of the counter is the element content with its units represented in the type attribute. A rate for a given feature can be expressed by setting the duration attribute. The complete semantics are entirely context dependent based on the class in which the Counter is aggregated.
The Counter class has four attributes:
- type
Required. ENUM. Specifies the units of the element content.
Permitted values (rank, keyword, description):
- 1. byte: Count of bytes.
- 2. packet: Count of packets.
- 3. flow: Count of flows (e.g., NetFlow records).
- 4. session: Count of sessions.
- 5. alert: Count of notifications generated by another system (e.g., IDS or SIM).
- 6. message: Count of messages (e.g., mail messages).
- 7. event: Count of events.
- 8. host: Count of hosts.
- 9. site: Count of sites.
- 10. organization: Count of organizations.
- 11. ext-value: An escape value used to extend this attribute.
- ext-type
Optional. STRING. A means by which to extend the type attribute.
- duration
Optional. ENUM. If present, the Counter class represents a rate rather than a count over the entire event. In that case, this attribute specifies the denominator of the rate (the type attribute specifies the numerator). The permitted values are those defined for the duration attribute of the TimeImpact class.
- ext-duration
Optional. STRING. A means by which to extend the duration attribute.
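The rules above (at least one impact class per Assessment, required attributes, the enumerated values, positive REAL content, Confidence content only for rating="numeric", and Counter becoming a rate when duration is set) can be checked mechanically. The validator below is an added example, not code from the page or from any IODEF implementation; it assumes the IODEF 1.0 namespace from RFC 5070 and uses a constructed sample fragment.

```python
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-1.0"  # IODEF 1.0 namespace (RFC 5070); not stated on the page
SEVERITY = {"low", "medium", "high"}
IMPACT_TYPE = {"admin", "dos", "file", "info-leak", "misconfiguration", "policy", "recon", "social-engineering", "user", "unknown", "ext-value"}
METRIC = {"labor", "elapsed", "downtime", "ext-value"}
DURATION = {"second", "minute", "hour", "day", "month", "quarter", "year", "ext-value"}
COUNTER_TYPE = {"byte", "packet", "flow", "session", "alert", "message", "event", "host", "site", "organization", "ext-value"}

def _real(text, positive=True):  # True when text parses as a REAL (and is > 0 if positive)
    try:
        value = float(text)
    except (TypeError, ValueError):
        return False
    return value > 0 or not positive

def validate_assessment(xml_text):
    """Parse one <Assessment> fragment and return the list of rule violations (empty = valid)."""
    a = ET.fromstring(xml_text)
    q = lambda name: f"{{{NS}}}{name}"
    errs = []
    # At least one of the three impact classes MUST be present.
    if all(a.find(q(c)) is None for c in ("Impact", "TimeImpact", "MonetaryImpact")):
        errs.append("Assessment: no Impact, TimeImpact or MonetaryImpact")
    if a.get("occurrence", "actual") not in ("actual", "potential"):  # default is "actual"
        errs.append("Assessment: bad occurrence")
    for e in a.findall(q("Impact")):           # lang and type are required
        if not e.get("lang") or e.get("type") not in IMPACT_TYPE:
            errs.append("Impact: lang missing or bad type")
    for e in a.findall(q("TimeImpact")):       # content is a positive REAL; duration defaults to "hour"
        if e.get("metric") not in METRIC or e.get("duration", "hour") not in DURATION or not _real(e.text):
            errs.append("TimeImpact: bad metric, duration or content")
    for e in a.findall(q("MonetaryImpact")):   # currency (ISO 4217 code) is required
        if not e.get("currency") or not _real(e.text):
            errs.append("MonetaryImpact: currency missing or bad content")
    for e in a.findall(q("Counter")):          # duration is optional; when present it turns the count into a rate
        if e.get("type") not in COUNTER_TYPE or not _real(e.text) or e.get("duration", "hour") not in DURATION:
            errs.append("Counter: bad type, duration or content")
    for e in a.findall(q("Confidence")):       # content allowed only when rating="numeric"
        rating, body = e.get("rating"), (e.text or "").strip()
        if not ((rating == "numeric" and _real(body, False)) or (rating in SEVERITY and not body)):
            errs.append("Confidence: rating and content do not match")
    return errs

# Constructed sample fragment (not from the page) that satisfies every rule above.
SAMPLE = f"""<Assessment xmlns="{NS}" occurrence="actual">
  <Impact lang="en" severity="high" completion="succeeded" type="dos">Web tier unreachable</Impact>
  <TimeImpact metric="downtime" severity="medium">3.5</TimeImpact>
  <MonetaryImpact currency="USD">12000</MonetaryImpact>
  <Counter type="packet" duration="second">48000</Counter>
  <Confidence rating="numeric">0.9</Confidence>
</Assessment>"""
```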