Cybersecurity information exchange framework (CYBEX): importance and current developments
Tony Rutkowski, Rapporteur for Cybersecurity Group, ITU-T Q4/17
ISOG-J Seminar, Tokyo, 13 Oct 2010, V1.1
Additional roles include: global eWarrant Rapporteur, ETSI TC LI; U.S. NSTAC Cybersecurity Expert; Distinguished Senior Research Fellow, Georgia Institute of Technology
Outline
• Why the CYBEX initiative is important
• Major developments shaping the work
• Specific capabilities
  – Systems Assurance and Incident Response
  – Cybersecurity Information Exchange Framework
  – Identity Management
• Major implementation challenges
  – Extent and evolution of the standards
  – Discovery and trust capabilities
CYBEX: origins
• A common realization that
  – Talking about cybersecurity accomplished nothing
  – The incidents were scaling exponentially
  – Trusted exchange of cybersecurity information was essential to any/all capabilities
  – Many different communities were developing cybersecurity information exchange schema
  – No global framework and consensus existed to bring together communities and schema
• Institutional triggers
  – ITU-T began a new 4-year cycle with a mandate to do something about cybersecurity
  – Participants found there were common global interests in tackling cybersecurity information exchange challenges
    • LAC, NICT, and other Japanese experts and organizations
Agreement on a cybersecurity model: information sharing dependencies
[Figure: cybersecurity model showing information sharing dependencies.
Groups: Measures for protection; Measures for threat detection; Measures for thwarting and other remedies; Legal remedies; Information exchanges.
Elements: Data retention and auditing; Identity Management; Forensics & heuristics analysis; Encryption/VPNs, esp. for signalling; Resilient infrastructure; Routing & resource constraints; Network/application state & integrity; Real-time data availability; Blacklists & whitelists; Vulnerability notices; Investigation & measure initiation; Deny resources; Patch development; Reputation sanctions; Contractual service agreements and federations; Intergovernmental agreements and cooperation; Tort & indemnification; Regulatory/administrative law; Criminal law.
Dependency labels: "Provide data for analysis"; "Provide basis for actions"; "Provide basis for legal remedies"; "Provide awareness of vulnerabilities and remedies"; "Legal remedies may also institute protective measures".]
Providing outreach among standards bodies seemed possible
[Figure: standards bodies and forums in scope for outreach: ITU-R, ISO, ETSI, IETF, OASIS, ITU-T, OMA, CAB Forum, TCG, 3GPP, MITRE, NIST, App Dev Forums, IEEE, WiFi Forum, IMS Forum, CableLabs, FIRST, CCDB, CNIS, APWG]
Major related institutional developments
• U.N. 15 July document among 15 major powers on reducing "ICT conflict" (a/k/a cyberwar)
• Exercise of cybersecurity authority by regulatory bodies
  – e.g., Korea, FCC in U.S.
• High Level Cybersecurity Strategies (USTIC, Japan, UK, China, Korea)
• Cybersecurity as an issue at ongoing ITU Plenipotentiary Conference
• Enhanced Common Criteria Development Board (CCDB)/NATO activity
• New real-time, data retention, and mobile forensics mandates offshore
• Judicial eDiscovery mandates (e.g., FRCP Rule 26) in US and
Major related infrastructure developments
• Application based infrastructure
  – Mobile platforms driving a world of a million applications
  – Poses major challenges (what is a good application versus malware)
• Locator/ID Separation Protocol (LISP)
  – Re-architects IP based public infrastructures
  – Should solve significant ICT security related challenges, especially attribution
• Asia-Pacific-centricity
  – Region has world's largest and fastest growing infrastructure and strong economies
  – Pursuing technology implementations, network innovations, venue leadership
• Mobile/nomadic-centricity
  – Stressing mobile standards/collaborative forums
CYBEX is a substantive ongoing global Cyber/ICT security initiative
• Aimed at achieving meaningful security:
  – "lock down" the integrity of ICT systems,
  – watch for undesired incidents, and
  – capture, analyze, and process the forensics from those incidents to reduce vulnerabilities, thwart attacks, and institute legal action if appropriate
• The trusted exchange of information is essential to accomplish these three tasks.
• The Cybersecurity Information Exchange Framework (CYBEX) initiative is aimed at identifying the emerging set of specifications for the global platforms for achieving these trusted exchanges
• Most of the work has been accomplished within existing systems assurance, incident response, and intelligence/surveillance communities
• Pro-active outreach is part of the initiative
  – Constant attempt to survey what is occurring in all other forums and to bring important capabilities into the framework
  – Constant analysis of what is missing or needed
[Figure: scope of CYBEX. Cybersecurity information acquisition and cybersecurity information use by cybersecurity entities are out of scope*. The framework covers five functional blocks between the entities:
– structuring cybersecurity information for exchange purposes
– identifying and discovering cybersecurity information and entities
– requesting and responding with cybersecurity information
– exchanging cybersecurity information over networks
– assuring cybersecurity information exchanges]
* Some specialized cybersecurity exchange implementations may require application specific frameworks specifying acquisition and use capabilities
CYBEX Ontology
[Figure: CYBEX ontology.
Domains: Incident Handling Domain; IT Asset Management Domain; Knowledge Accumulation Domain.
Roles: Coordinator; Response Team; Administrator; Network Operator; Researcher; Vendor; Registrar.
Databases: Asset Database (Internal Asset DB, External Asset DB); Incident Database (Event, Incident, Attack).
Knowledge bases: Product KB; Version KB; Configuration KB; Cyber Risk KB; Vulnerability KB; Threat KB; Attack KB; Mis-use KB; Countermeasure KB.
Rules: Assessment Rule; Detection/Protection Rule.]
Information Exchange Structuring
[Figure: three exchange clusters and their contents.
– Vulnerability/State Exchange Cluster (knowledge base): Weaknesses; Vulnerabilities and Exposures; Platforms; State; Assessment Results; Security State Measurement; Configuration Checklists; Terms and conditions
– Event/Incident/Heuristics Exchange Cluster: Event Expressions; Incident and Attack Patterns; extensions for DPI, Traceback, Smartgrid, Phishing, Malware Patterns
– Evidence Exchange Cluster: Handover of real-time forensics; Handover of retained data forensics; Electronic Evidence Discovery]
Information Exchange Schema
[Figure: schema mapped onto the clusters above.]
– OVAL: Open Vulnerability and Assessment Language
– CWE: Common Weakness Enumeration
– CVE: Common Vulnerabilities and Exposures
– CPE: Common Platform Enumeration
– CVSS: Common Vulnerability Scoring System
– CWSS: Common Weakness Scoring System
– CCE: Common Configuration Enumeration
– XCCDF: eXtensible Configuration Checklist Description Format
– ARF: Assessment Results Format
– CEE: Common Event Expression
– IODEF: Incident Object Description Exchange Format
– CAPEC: Common Attack Pattern Enumeration and Classification
– Application Specific Extensions
Information Exchange Schema – Malware
[Figure: the same schema set, adding MAEC: Malware Attribute Enumeration and Characterization]
Information Exchange Schema – SCAP Application Exchange Cluster
[Figure: the same schema set, adding SCAP (Security Content Automation Protocol) security automation tools as an application exchange cluster]
Information Exchange Trust Capabilities
[Figure: trust-related clusters.
– Identity Assurance Cluster: Authentication Assurance Methods; Authentication Assurance Levels
– Discovery of parties, standards, schema, enumerations, instances and other objects: Common Namespace; Discovery enabling mechanisms; Request and distribution mechanisms
– Interaction Security; Transport Security
– Trusted Platforms; Trusted Network]
CYBEX Implementation
[Figure: implementation view. Inputs: Events, Incidents & Heuristics Information; Weaknesses, Vulnerabilities & State Information; Evidence Information. Schema and tools: Incident Detection Schema; Security Automation Schema and Tools; Software, systems, services, networks. Exchange Policies and Exchange Requests govern each exchange. Trust anchors: Trusted Platform Modules; Trusted Network Connect tools.]
So where do we go from here: the challenges
• An entire ITU-T Recommendation X-series has been allocated
• Recs. X.cybex, X.cve, X.cvss should be approved in December
• Future of IODEF remains a question mark
• Many additional CYBEX pieces are in various stages of preparation for adoption during 2011-2013 and subsequent maintenance
• A global structured website of cybersecurity organizations has been created on the ITU-T website
Challenge: Extent and evolution of CYBEX Recommendation
• Is the framework currently complete?
• What standards should be included in the framework? What are the criteria for inclusion?
• Which standards get published as ITU-T Recommendations and which do not?
• How do ITU-T published versions maintain "sync" with authoritative community versions?
• How do regional and national variants/schemas become included?
• How should Security Content Automation Protocol (SCAP) schema be treated?
  – Presently included in an appendix as examples
• How does CYBEX deal with "soft" standards, e.g., other ITU-T, ITU-D, ISO SC27
Challenge: Discovery and trust capabilities
• Cybersecurity object discovery, trust, and related exchange policy mechanisms are compartmentalized, incoherent, and frequently primitive
• Identity Management for cybersecurity has complex assurance relationships
Ongoing relevant cybersecurity IdM developments
• eDiscovery
  – Trusted discovery of identifier meta-information is essential in distributed systems
  – Bob Kahn has been leading an effort in ITU-T to develop an X.discovery specification
• Resolvers
  – New joint ISO/ITU-T specification ITU-T X.673 | ISO/IEC 29168-2 provides for a DNS-based ability to resolve OIDs to information addresses
  – Handle System proceeding in ITU-T
• Trust interoperability
  – Joint ITU-T and ISO X.eaa specification currently being discussed
  – ENISA trust interoperability protocol may be underway in OASIS
• Cloud/Smartgrid Identity
  – Multiple global initiatives underway to develop specifications for cloud and Smartgrid identity (ITU-T, OASIS, 3GPP, CEN, ISO, NIST, etc.)
• Platform trust
  – Trusted Platform Module and Trusted Network Connect now included in CYBEX standard
    • Should virtual TPMs be included?
  – Distribution channel trust
    • OID based NID standards emerging as a major object ID platform for distribution chain trust
    • Handle-based DOIs a second order choice
    • What others exist?
• No apparent consensus on use of cyber security object identifiers
• NICT contributions have been seminal in exploring naming and discovery options
• CNIS (Cyber-security Naming and Information Structures Group) is emerging as a significant new
Challenge: Achieving implementation and widespread use
• Much public and industry dialogue is primitive, fractious, and politically contentious at best, especially in the West
  – See, e.g., FCC Cybersecurity Roadmap proceeding in Docket 10-146
• Meaningful platforms (e.g., CYBEX), like the systems involved, are complex
• Best initial implementation avenues are within coherent bounded communities
  – ISOG-J
  – National government networks
  – Common Criteria Development Board
  – NATO
• SCAP implementations should proliferate
  – How to enumerate and discover them?
• Analytical "bridging" platforms are emerging
  – Deep Packet Inspection
  – Application/platform behavior signature enumerations
• Ultimately, carefully designed mandates by national regulatory authorities seem likely to emerge
Exemplar: 6th IT Security Automation Conference, Baltimore, 27-29 Sep 2010*
Credit: Overview by Paul Cichonski, BAH-NIST
* See: http://scap.nist.gov/events/2010/itsac/presentations/index.html
[Figure: "A familiar ensemble": emerging NIST view of CYBEX as SCAP]
Exemplar: