Managed Incident Lightweight Exchange (MILE): Standards for Cross-Domain Incident Handling
Brian Trammell, ETH Zürich
Co-chair, IETF MILE Working Group
Collaborative Security and Privacy Technologies, Berlin, 25 April 2012
The Problem
• Attack landscape becomes more complex and cooperative over time
– botnets, XSS, APT, etc., etc.
• Single incidents affect multiple domains
– Tools and processes for defense must become more cooperative than the implicit processes for attack.
• Efforts to coordinate response within consortia
– Concerns about confidentiality and privacy
To 2006: IETF INCH WG (INCident Handling)
• Incident Object Description Format (IODEF, RFC 5070)
– XML schema for describing network security incidents
– Based on classes defined in IDMEF (RFC 4765) for IDS alerts
• Initial work on RID (Real-time Inter-network Defense)
– Inter-domain exchange of IODEF messages
– Published Informational in 2010 (RFC 6045/6046)
Representing Incidents: IODEF – Assumptions
• Incidents are not merely IDS alerts.
– composed of related events (either automatically or manually detected)
• Incidents are identified and stored…
– these identifiers can be used to reference them
– each organization has its own identifiers and handling processes
• … but IODEF provides only a wire format.
– sharing is fundamentally different than archiving
– storage requirements are often specific to an organization’s process
• Incident information changes over time.
– more information available after investigation
– must be able to represent incomplete information and ask for more
Representing Incidents: IODEF – Classes
• Represents Incidents composed of multiple Events
• Provides basic classes for incident data
– Identifiers (IncidentID, AlternativeID)
– Timestamps ({Start|End|Detect|Report}Time)
– Handling (Assessment, Impact, Method, and History)
– Flow
– Contact
• Incident and EventData containers
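The classes listed above, exercised end to end: the following is an added example (not code from the slides or from the MILE WG) that builds a minimal IODEF 1.0 document with IncidentID, ReportTime, Assessment/Impact, Contact and an EventData/Flow, then parses it back the way a receiving CSIRT would, rejecting a document that lacks the identifier or timestamp it needs to reference the incident. Element and attribute names follow RFC 5070 as the author recalls them and the namespace URI is the registered IODEF 1.0 one; the incident data (IDs, addresses, times, organization names) is constructed for illustration.

```python
"""Build and parse a minimal IODEF 1.0 (RFC 5070) incident document.

Added example. Element/attribute names follow the RFC 5070 schema as
recalled by the author; all incident data below is constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
NS = {"iodef": IODEF_NS}
ET.register_namespace("", IODEF_NS)


def q(tag):
    """Clark-notation qualified name for an IODEF element."""
    return f"{{{IODEF_NS}}}{tag}"


def build_incident(incident_id, id_authority, reporter, source_ips,
                   impact_type, severity, report_time):
    """Return an IODEF-Document Element wrapping one Incident."""
    doc = ET.Element(q("IODEF-Document"), {"version": "1.00", "lang": "en"})
    inc = ET.SubElement(doc, q("Incident"), {"purpose": "reporting"})
    # IncidentID is only unique within the issuing organization, so the
    # "name" attribute carries that organization (the slide's point that
    # each organization has its own identifiers).
    ET.SubElement(inc, q("IncidentID"), {"name": id_authority}).text = incident_id
    ET.SubElement(inc, q("ReportTime")).text = report_time.isoformat()
    assess = ET.SubElement(inc, q("Assessment"))
    ET.SubElement(assess, q("Impact"),
                  {"type": impact_type, "severity": severity, "completion": "succeeded"})
    contact = ET.SubElement(inc, q("Contact"), {"role": "creator", "type": "organization"})
    ET.SubElement(contact, q("ContactName")).text = reporter
    flow = ET.SubElement(ET.SubElement(inc, q("EventData")), q("Flow"))
    for ip in source_ips:
        system = ET.SubElement(flow, q("System"), {"category": "source"})
        node = ET.SubElement(system, q("Node"))
        ET.SubElement(node, q("Address"), {"category": "ipv4-addr"}).text = ip
    return doc


def to_xml(doc):
    return ET.tostring(doc, encoding="unicode")


def parse_incident(xml_text):
    """Extract what a receiving CSIRT needs to look the incident up.

    Raises ValueError when IncidentID or ReportTime is missing: without
    them the incident can be neither referenced nor ordered in time.
    """
    root = ET.fromstring(xml_text)
    if root.tag != q("IODEF-Document"):
        raise ValueError("not an IODEF-Document")
    inc = root.find("iodef:Incident", NS)
    if inc is None:
        raise ValueError("no Incident element")
    iid = inc.find("iodef:IncidentID", NS)
    rt = inc.find("iodef:ReportTime", NS)
    if iid is None or rt is None:
        raise ValueError("Incident lacks IncidentID or ReportTime")
    impact = inc.find("iodef:Assessment/iodef:Impact", NS)
    sources = inc.findall(
        "iodef:EventData/iodef:Flow/iodef:System[@category='source']"
        "/iodef:Node/iodef:Address", NS)
    return {
        "incident_id": iid.text,
        "id_authority": iid.get("name"),
        "report_time": datetime.fromisoformat(rt.text),
        "impact_type": impact.get("type") if impact is not None else None,
        "severity": impact.get("severity") if impact is not None else None,
        "sources": [a.text for a in sources],
    }


def example():
    """Round-trip one constructed incident (constructed data, not a real report)."""
    doc = build_incident(
        incident_id="908711", id_authority="csirt.example.com",
        reporter="CSIRT for example.com",
        source_ips=["192.0.2.1", "192.0.2.2"],
        impact_type="dos", severity="high",
        report_time=datetime(2012, 4, 25, 9, 0, tzinfo=timezone.utc))
    return parse_incident(to_xml(doc))


if __name__ == "__main__":
    print(example())
```

Validating against the IODEF XML schema (not done here) is the stronger check before acting on a document from another domain; the structural checks above only cover the fields the exchange semantics depend on.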
Exchanging Incidents: RID – Capabilities
• Adds exchange semantics to IODEF messages
– Enables incident tracing and mitigation
– Enables tracking of incidents as they evolve
– Supports query/response, delayed response, and asynchronous reporting
– Generalizable beyond IODEF
• Explicit support for security and privacy
– XML digital signature and XML encryption support
– Authentication, confidentiality, and integrity for single-hop and multi-hop relay
Exchanging Incidents: RID – Messages
• Request
– Investigation: “Can you help us look into this?”
– Trace: “Can you help us find the source of this?”
• Query
– “What do you know about this incident?”
– “What do you know about similar incidents?”
• Acknowledgment
– “We’re on it, but it might take a while. Expect a follow-up.”
• Result
– “We’ve handled your request: here’s what happened.”
• Report
– “Here’s some information related to that incident.”
Exchanging Incidents: RID – Transport
• Exchange of RID messages over HTTP/TLS
• HTTP allows easy implementation on most platforms.
• Supports callback for Acknowledgment with later follow-up.
• Provides hop-by-hop security with a
Application: Shared Incident Reports
• Provider sends a RID Report message
– to involved consortium members that may not have detected the incident
– to a central clearinghouse for the consortium
– to compromised consortium members from a clearinghouse
– to clients of an incident reporting service within the consortium
Application: Cooperative Incident Handling
• Requestor sends a RID Request to another consortium member.
– IODEF message contains enough information to identify the incident to be investigated.
• Responder sends RID Acknowledgment, investigates incident.
– …in keeping with the responder’s own incident handling processes
• Responder sends a Result back to requestor when investigation complete.
– …and the process iterates should more information be
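The Request / Acknowledgment / Result round trip described above, as an added example that is not part of the slides or of any MILE WG code: a requestor and a responder exchange RID envelopes wrapping IODEF documents, the responder acknowledges with a Pending status and answers later with a Result, and the requestor accepts a reply only if it matches a Request it actually sent (a Result for an unknown or already closed IncidentID, or a message of an unexpected type, is rejected rather than acted on). The RID element and attribute names, the namespace URI, and the MsgType and AuthorizationStatus enumerations are written as the author recalls them from RFC 6545 (which spells the message type "Acknowledgement") and should be checked against the RFC; XML signature/encryption and the HTTP/TLS transport of RFC 6546 are left out. Organization names, incident IDs and findings are constructed.

```python
"""Model of the RID Request / Acknowledgement / Result exchange.

Added example. RID names and enumerations follow RFC 6545 as recalled by
the author (treat them as assumptions); all exchange data is constructed.
"""
import xml.etree.ElementTree as ET

RID_NS = "urn:ietf:params:xml:ns:iodef-rid-2.0"
IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
NS = {"rid": RID_NS, "iodef": IODEF_NS}
ET.register_namespace("iodef-rid", RID_NS)
ET.register_namespace("iodef", IODEF_NS)

MSG_TYPES = {"Request", "Acknowledgement", "Result", "Report", "Query"}
# Message types a party may accept in reply to one it sent.
VALID_REPLY = {"Request": {"Acknowledgement", "Result"},
               "Query": {"Acknowledgement", "Result"}}


def rid_message(msg_type, incident_id, authority, iodef_doc=None, status=None):
    """Serialize a RID envelope; iodef_doc is an IODEF-Document Element or None."""
    if msg_type not in MSG_TYPES:
        raise ValueError(f"unknown MsgType {msg_type!r}")
    rid = ET.Element(f"{{{RID_NS}}}RID")
    pol = ET.SubElement(rid, f"{{{RID_NS}}}RIDPolicy",
                        {"MsgType": msg_type, "MsgDestination": "RIDSystem"})
    ET.SubElement(pol, f"{{{RID_NS}}}PolicyRegion", {"region": "IntraConsortium"})
    ET.SubElement(pol, f"{{{RID_NS}}}TrafficType", {"type": "Attack"})
    ET.SubElement(pol, f"{{{IODEF_NS}}}IncidentID", {"name": authority}).text = incident_id
    if status is not None:  # carried by Acknowledgement: Approved/Denied/Pending
        ET.SubElement(rid, f"{{{RID_NS}}}RequestStatus", {"AuthorizationStatus": status})
    if iodef_doc is not None:
        ET.SubElement(rid, f"{{{RID_NS}}}ReportSchema").append(iodef_doc)
    return ET.tostring(rid, encoding="unicode")


def parse_rid(xml_text):
    root = ET.fromstring(xml_text)
    pol = root.find("rid:RIDPolicy", NS)
    iid = pol.find("iodef:IncidentID", NS)
    st = root.find("rid:RequestStatus", NS)
    return {"msg_type": pol.get("MsgType"),
            "incident_id": iid.text, "authority": iid.get("name"),
            "status": st.get("AuthorizationStatus") if st is not None else None,
            "report": root.find("rid:ReportSchema/iodef:IODEF-Document", NS)}


def minimal_iodef(incident_id, authority, description):
    """Constructed IODEF document carrying just enough to identify the incident."""
    doc = ET.Element(f"{{{IODEF_NS}}}IODEF-Document", {"version": "1.00", "lang": "en"})
    inc = ET.SubElement(doc, f"{{{IODEF_NS}}}Incident", {"purpose": "reporting"})
    ET.SubElement(inc, f"{{{IODEF_NS}}}IncidentID", {"name": authority}).text = incident_id
    ET.SubElement(inc, f"{{{IODEF_NS}}}Description").text = description
    return doc


class Requestor:
    """Sends Requests and accepts replies only for incidents it has outstanding."""
    def __init__(self, authority):
        self.authority = authority
        self.pending = {}   # incident_id -> "sent" or the acknowledged status
        self.results = {}   # incident_id -> IODEF-Document Element from the Result

    def request(self, incident_id, description):
        self.pending[incident_id] = "sent"
        doc = minimal_iodef(incident_id, self.authority, description)
        return rid_message("Request", incident_id, self.authority, doc)

    def receive(self, xml_text):
        m = parse_rid(xml_text)
        if m["authority"] != self.authority or m["incident_id"] not in self.pending:
            raise ValueError("reply does not match an outstanding Request")
        if m["msg_type"] not in VALID_REPLY["Request"]:
            raise ValueError(f"unexpected {m['msg_type']} in reply to Request")
        if m["msg_type"] == "Acknowledgement":
            self.pending[m["incident_id"]] = m["status"] or "acknowledged"
        else:
            self.results[m["incident_id"]] = m["report"]
            del self.pending[m["incident_id"]]   # a second Result is rejected
        return m["msg_type"]


class Responder:
    """Acknowledges a Request at once; the Result follows its own investigation."""
    def __init__(self, authority):
        self.authority = authority
        self.casefile = {}   # (requestor, incident_id) -> "open" | "closed"

    def receive(self, xml_text):
        m = parse_rid(xml_text)
        if m["msg_type"] != "Request":
            raise ValueError(f"only Request is handled here, got {m['msg_type']}")
        self.casefile[(m["authority"], m["incident_id"])] = "open"
        return rid_message("Acknowledgement", m["incident_id"], m["authority"], status="Pending")

    def finish(self, authority, incident_id, finding):
        if self.casefile.get((authority, incident_id)) != "open":
            raise ValueError("no open investigation for that incident")
        self.casefile[(authority, incident_id)] = "closed"
        doc = minimal_iodef(incident_id, authority, finding)
        return rid_message("Result", incident_id, authority, doc)


def run_exchange():
    """One constructed Request -> Acknowledgement -> Result round trip."""
    alice, bob = Requestor("csirt-a.example"), Responder("csirt-b.example")
    req = alice.request("2012-0425-01", "Scanning from your address space")
    first = alice.receive(bob.receive(req))
    pending_after_ack = dict(alice.pending)
    res = bob.finish("csirt-a.example", "2012-0425-01", "Compromised host, quarantined")
    second = alice.receive(res)
    return first, pending_after_ack, second, sorted(alice.results)


if __name__ == "__main__":
    print(run_exchange())
```

The correlation check in Requestor.receive is the application-layer complement to the transport and XML security the slides list: TLS and signatures establish who sent a message, but only the requestor's own record of outstanding incidents says whether a Result belongs to a Request it made.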
Today: IETF MILE WG
• Standardized RID as RFC 6545/6546
• Focused on extensions to IODEF and RID
– Handle changes to threats and processes since publication of IODEF.
– Incorporate implementation experience in inter-domain incident handling.
• Provides a home for coordination of this work with other SDOs
– referenced from ITU-T SG17/4
• Charter includes work from a large community of
IETF MILE WG: Current Work (1)
• draft-ietf-mile-sci
– Represent structured cybersecurity information by inclusion in IODEF documents.
– Allows exchange by consortia already using these external specifications.
– Supports CAPEC, CCE, CCSS, CEE, CPE, CVE, CVRF,
IETF MILE WG: Current Work (2)
• draft-inacio-mile-forensics
– Represent forensic investigation results in IODEF documents.
• draft-moriarty-mile-grc-exchange
– Generalize RID to allow exchange of governance, risk, and compliance information.
• draft-goodier-mile-data-markets
Learn more, get involved
• IODEF (RFC5070)
– tools.ietf.org/html/5070
• RID (RFC6545/6546)
– (still in editor queue due to CVRF references)
– tools.ietf.org/html/draft-ietf-mile-rfc6045-bis
– tools.ietf.org/html/draft-ietf-mile-rfc6046-bis
Acknowledgments
• FP7-DEMONS project
• Kathleen Moriarty, co-chair, MILE
– (Some organization and content derived from her previous presentations, ©2011 EMC Corporation, her employer.)