IODEF Incident Zoom

Incident


IODEF-Document Class

The IODEF-Document class is the top level class in the IODEF data model. All IODEF documents are an instance of this class.

The aggregate class that constitutes IODEF-Document is:

  • Incident

One or more. The information related to a single incident.

The IODEF-Document class has three attributes:

  • version

Required. STRING. The IODEF specification version number to which this IODEF document conforms. The value of this attribute MUST be "1.00".

  • lang

Required. ENUM. A valid language code per RFC 4646 [7] constrained by the definition of "xs:language".

  • formatid

Optional. STRING. A free-form string to convey processing instructions to the recipient of the document. Its semantics must be negotiated out-of-band.

Incident Class

Every incident is represented by an instance of the Incident class. This class provides a standardized representation for commonly exchanged incident data.

The aggregate classes that constitute Incident are:

  • IncidentID

One. An incident tracking number assigned to this incident by the CSIRT that generated the IODEF document.

  • AlternativeID

Zero or one. The incident tracking numbers used by other CSIRTs to refer to the incident described in the document.

  • RelatedActivity

Zero or one. The incident tracking numbers of related incidents.

  • DetectTime

Zero or one. The time the incident was first detected.

  • StartTime

Zero or one. The time the incident started.

  • EndTime

Zero or one. The time the incident ended.

  • ReportTime

One. The time the incident was reported.

  • Description

Zero or more. ML_STRING. A free-form textual description of the incident.

  • Assessment

One or more. A characterization of the impact of the incident.

  • Method

Zero or more. The techniques used by the intruder in the incident.

  • Contact

One or more. Contact information for the parties involved in the incident.

  • EventData

Zero or more. Description of the events comprising the incident.

  • History

Zero or one. A log of significant events or actions that occurred during the course of handling the incident.

  • AdditionalData

Zero or more. Mechanism by which to extend the data model.

The Incident class has four attributes:

  • purpose

Required. ENUM. The purpose attribute represents the reason why the IODEF document was created. It is closely related to the Expectation class. This attribute is defined as an enumerated list:

  Rank  Keyword     Description
  1     traceback   The document was sent for trace-back purposes.
  2     mitigation  The document was sent to request aid in mitigating the described activity.
  3     reporting   The document was sent to comply with reporting requirements.
  4     other       The document was sent for purposes specified in the Expectation class.
  5     ext-value   An escape value used to extend this attribute.

  • ext-purpose

Optional. STRING. A means by which to extend the purpose attribute.

  • lang

Optional. ENUM. A valid language code per RFC 4646 [7] constrained by the definition of "xs:language".

  • restriction

Optional. ENUM. This attribute indicates the disclosure guidelines to which the sender expects the recipient to adhere for the information represented in this class and its children. This guideline provides no security since there are no specified technical means to ensure that the recipient of the document handles the information as the sender requested.

The value of this attribute is logically inherited by the children of this class. That is to say, the disclosure rules applied to this class, also apply to its children.

It is possible to set a granular disclosure policy, since all of the high-level classes (i.e., children of the Incident class) have a restriction attribute. Therefore, a child can override the guidelines of a parent class, be it to restrict or relax the disclosure rules (e.g., a child has a weaker policy than an ancestor; or an ancestor has a weak policy, and the children selectively apply more rigid controls). The implicit value of the restriction attribute for a class that did not specify one can be found in the closest ancestor that did specify a value.

This attribute is defined as an enumerated value with a default value of "private". Note that the default value of the restriction attribute is only defined in the context of the Incident class. In other classes where this attribute is used, no default is specified.

  Rank  Keyword       Description
  1     public        There are no restrictions placed on the information.
  2     need-to-know  The information may be shared with other parties that are involved in the incident as determined by the recipient of this document (e.g., multiple victim sites can be informed of each other).
  3     private       The information may not be shared.
  4     default       The information can be shared according to an information disclosure policy pre-arranged by the communicating parties.
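As an added illustration (not part of the original page, and not code from the IODEF specification or any IODEF implementation), the following Python checks the document-level and Incident-level rules listed above and computes the effective restriction of any element by walking up to the closest ancestor that sets one, falling back to "private" only at the Incident class. The XML namespace is the IODEF 1.0 namespace from RFC 5070; the sample document and all of its values (CSIRT name, tracking number, timestamps) are constructed for this example.

```python
"""Validate the IODEF-Document and Incident rules described above and
compute the effective 'restriction' of an element (added example)."""
import xml.etree.ElementTree as ET

# IODEF 1.0 XML namespace as registered by RFC 5070 (assumed for this example).
NS = "urn:ietf:params:xml:ns:iodef-1.0"

def q(tag):
    """Qualify a local element name with the IODEF namespace."""
    return f"{{{NS}}}{tag}"

# Cardinality of each Incident child as (min, max); None means unbounded.
INCIDENT_CHILDREN = {
    "IncidentID": (1, 1), "AlternativeID": (0, 1), "RelatedActivity": (0, 1),
    "DetectTime": (0, 1), "StartTime": (0, 1), "EndTime": (0, 1),
    "ReportTime": (1, 1), "Description": (0, None), "Assessment": (1, None),
    "Method": (0, None), "Contact": (1, None), "EventData": (0, None),
    "History": (0, 1), "AdditionalData": (0, None),
}
PURPOSES = {"traceback", "mitigation", "reporting", "other", "ext-value"}
RESTRICTIONS = {"public", "need-to-know", "private", "default"}

# Constructed sample document; every value below is made up for this example.
SAMPLE = f"""<IODEF-Document version="1.00" lang="en" xmlns="{NS}">
  <Incident purpose="reporting" restriction="need-to-know">
    <IncidentID name="csirt.example.com">INC-2015-0001</IncidentID>
    <ReportTime>2015-07-05T17:27:00+00:00</ReportTime>
    <Description restriction="private">Constructed example incident.</Description>
    <Assessment>
      <Impact type="unknown"/>
    </Assessment>
    <Contact role="creator" type="organization">
      <ContactName>Example CSIRT</ContactName>
    </Contact>
  </Incident>
</IODEF-Document>"""

# Same document with a wrong version and an ext-value purpose lacking ext-purpose.
BAD = SAMPLE.replace('version="1.00"', 'version="2.00"') \
            .replace('purpose="reporting"', 'purpose="ext-value"')

def validate(xml_text):
    """Return a list of rule violations (empty when the document conforms)."""
    errors = []
    root = ET.fromstring(xml_text)
    if root.tag != q("IODEF-Document"):
        return [f"root element is {root.tag}, expected IODEF-Document"]
    if root.get("version") != "1.00":            # version MUST be "1.00"
        errors.append(f'version must be "1.00", got {root.get("version")!r}')
    if not root.get("lang"):                      # lang is required
        errors.append("lang attribute is required")
    incidents = root.findall(q("Incident"))       # one or more Incident
    if not incidents:
        errors.append("at least one Incident is required")
    for n, inc in enumerate(incidents, 1):
        purpose = inc.get("purpose")
        if purpose not in PURPOSES:
            errors.append(f"Incident {n}: invalid or missing purpose {purpose!r}")
        if purpose == "ext-value" and not inc.get("ext-purpose"):
            errors.append(f"Incident {n}: ext-value requires ext-purpose")
        r = inc.get("restriction")
        if r is not None and r not in RESTRICTIONS:
            errors.append(f"Incident {n}: invalid restriction {r!r}")
        # Count each child class and compare with the allowed cardinality.
        for child, (lo, hi) in INCIDENT_CHILDREN.items():
            count = len(inc.findall(q(child)))
            if count < lo or (hi is not None and count > hi):
                errors.append(f"Incident {n}: {child} appears {count} time(s), "
                              f"allowed {lo}..{'*' if hi is None else hi}")
    return errors

def effective_restriction(root, target):
    """Closest ancestor-or-self restriction; "private" if none is set up to Incident."""
    parents = {c: p for p in root.iter() for c in p}
    node = target
    while node is not None:
        r = node.get("restriction")
        if r is not None:
            return r
        if node.tag == q("Incident"):
            return "private"   # the default is defined only at the Incident class
        node = parents.get(node)
    return None                # above Incident no restriction is defined

def restriction_of(xml_text, tag):
    """Effective restriction of the first element with the given local name."""
    root = ET.fromstring(xml_text)
    return effective_restriction(root, root.find(f".//{q(tag)}"))

if __name__ == "__main__":
    print("SAMPLE violations:", validate(SAMPLE))
    print("BAD violations:", validate(BAD))
    for tag in ("Description", "Assessment", "Impact"):
        print(tag, "->", restriction_of(SAMPLE, tag))
```

The inheritance walk stops at Incident because, as the text notes, the "private" default is only defined there; a Description carrying its own restriction="private" overrides the Incident's need-to-know, while Assessment and its Impact child inherit need-to-know. Remember that this is a handling expectation only: nothing in the document technically enforces it on the recipient.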

IncidentID Class

The IncidentID class represents an incident tracking number that is unique in the context of the CSIRT and identifies the activity characterized in an IODEF Document. This identifier would serve as an index into the CSIRT incident handling system. The combination of the name attribute and the string in the element content MUST be a globally unique identifier describing the activity. Documents generated by a given CSIRT MUST NOT reuse the same value unless they are referencing the same incident.

The IncidentID class has three attributes:

  • name

Required. STRING. An identifier describing the CSIRT that created the document. In order to have a globally unique CSIRT name, the fully qualified domain name associated with the CSIRT MUST be used.

  • instance

Optional. STRING. An identifier referencing a subset of the named incident.

  • restriction

Optional. ENUM. This attribute has been defined in the Incident class.

AlternativeID Class

The AlternativeID class lists the incident tracking numbers used by CSIRTs, other than the one generating the document, to refer to the identical activity described in the IODEF document. A tracking number listed as an AlternativeID references the same incident detected by another CSIRT. The incident tracking numbers of the CSIRT that generated the IODEF document should never be considered an AlternativeID.

The aggregate class that constitutes AlternativeID is:

  • IncidentID

One or more. The incident tracking number of another CSIRT.

The AlternativeID class has one attribute:

  • restriction

Optional. ENUM. This attribute has been defined in the Incident class.

RelatedActivity Class

The RelatedActivity class lists either incident tracking numbers of incidents or URLs (not both) that refer to activity related to the one described in the IODEF document. These references may be to local incident tracking numbers or to those of other CSIRTs.

The specifics of how a CSIRT comes to believe that two incidents are related are considered out of scope.

The aggregate classes that constitute RelatedActivity are:

  • IncidentID

One or more. The incident tracking number of a related incident.

  • URL

One or more. URL. A URL to activity related to this incident.

The RelatedActivity class has one attribute:

  • restriction

Optional. ENUM. This attribute has been defined in the Incident class.
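The identifier rules of the IncidentID, AlternativeID and RelatedActivity classes above can be checked over a batch of received documents. The following Python is an added example, not code from the original page or from any IODEF tool: it verifies that the IncidentID name is a fully qualified domain name, reports a (name, tracking number) pair seen in more than one document for review, flags an AlternativeID that carries the generating CSIRT's own name, and rejects a RelatedActivity that mixes IncidentID and URL children. The namespace is the IODEF 1.0 namespace from RFC 5070; the CSIRT names, tracking numbers and URLs are constructed, and the sample documents are trimmed to the identifier-related elements.

```python
"""Check IncidentID / AlternativeID / RelatedActivity rules over a batch of
IODEF documents (added example with constructed samples)."""
import re
import xml.etree.ElementTree as ET

# IODEF 1.0 XML namespace as registered by RFC 5070 (assumed for this example).
NS = "urn:ietf:params:xml:ns:iodef-1.0"

def q(tag):
    """Qualify a local element name with the IODEF namespace."""
    return f"{{{NS}}}{tag}"

# A fully qualified domain name: two or more dot-separated labels of letters,
# digits and hyphens (simplified pattern for this example).
FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I)

def incident_key(elem):
    """The (name, tracking number) pair that must be globally unique."""
    return (elem.get("name"), (elem.text or "").strip())

def check_identifiers(docs):
    """Return a list of findings for the given IODEF documents (XML strings)."""
    findings = []
    seen = {}  # (name, tracking number) -> index of the document that first used it
    for i, xml_text in enumerate(docs):
        root = ET.fromstring(xml_text)
        for inc in root.findall(q("Incident")):
            own = inc.find(q("IncidentID"))
            key = incident_key(own)
            if not key[0] or not FQDN.match(key[0]):
                findings.append(f"doc {i}: IncidentID name {key[0]!r} is not a fully qualified domain name")
            if not key[1]:
                findings.append(f"doc {i}: IncidentID has no tracking number")
            if key in seen:   # allowed only if both documents describe the same incident
                findings.append(f"doc {i}: IncidentID {key} reused from doc {seen[key]}; "
                                "confirm both documents reference the same incident")
            else:
                seen[key] = i
            alt = inc.find(q("AlternativeID"))
            if alt is not None:
                for other in alt.findall(q("IncidentID")):
                    if other.get("name") == key[0]:
                        findings.append(f"doc {i}: AlternativeID lists the generating CSIRT's "
                                        f"own tracking number {incident_key(other)}")
            rel = inc.find(q("RelatedActivity"))
            if rel is not None:
                ids = rel.findall(q("IncidentID"))
                urls = rel.findall(q("URL"))
                if ids and urls:
                    findings.append(f"doc {i}: RelatedActivity mixes IncidentID and URL")
                if not ids and not urls:
                    findings.append(f"doc {i}: RelatedActivity has no IncidentID or URL")
    return findings

def make_doc(name, number, alt=(), rel_ids=(), rel_urls=()):
    """Build a constructed, identifier-only IODEF document for the samples below."""
    alt_xml = "".join(f'<IncidentID name="{n}">{v}</IncidentID>' for n, v in alt)
    rel_xml = ("".join(f'<IncidentID name="{n}">{v}</IncidentID>' for n, v in rel_ids)
               + "".join(f"<URL>{u}</URL>" for u in rel_urls))
    return (f'<IODEF-Document version="1.00" lang="en" xmlns="{NS}"><Incident purpose="reporting">'
            f'<IncidentID name="{name}">{number}</IncidentID>'
            + (f"<AlternativeID>{alt_xml}</AlternativeID>" if alt_xml else "")
            + (f"<RelatedActivity>{rel_xml}</RelatedActivity>" if rel_xml else "")
            + "<ReportTime>2015-07-05T17:27:00+00:00</ReportTime>"
            "</Incident></IODEF-Document>")

# Constructed sample batch: doc 0 is clean, the others each break one rule.
DOCS = [
    make_doc("csirt.example.com", "INC-2015-0001",
             alt=[("csirt.example.net", "7781")],
             rel_ids=[("csirt.example.com", "INC-2014-0917")]),
    make_doc("csirt.example.com", "INC-2015-0002",
             alt=[("csirt.example.com", "INC-2015-0001")]),   # own CSIRT in AlternativeID
    make_doc("helpdesk", "INC-2015-0003",                      # name is not an FQDN
             rel_ids=[("csirt.example.org", "42")],
             rel_urls=["https://csirt.example.org/42"]),       # IncidentID and URL mixed
    make_doc("csirt.example.com", "INC-2015-0001"),            # tracking number reused
]

if __name__ == "__main__":
    for f in check_identifiers(DOCS):
        print(f)
```

Reuse of a (name, tracking number) pair is reported rather than rejected because the text permits it when both documents reference the same incident; that decision needs the incident handling system, not the XML alone.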

Attachment: Incident.svg, IODEF UML Diagram Incident Zoom (146 KB), Vérène Houdebine, 05/07/2015 05:27 PM