Extended Incident Handling (inch)
---------------------------------

Charter
Last Modified: 2006-05-25

Current Status: Active Working Group

Chair(s):
    Roman Danyliw  <[email protected]>

Security Area Director(s):
    Russ Housley  <[email protected]>
    Sam Hartman  <[email protected]>

Security Area Advisor:
    Sam Hartman  <[email protected]>

Mailing Lists:
    General Discussion:[email protected]
    To Subscribe:      [email protected]
        In Body:       subscribe inch <first name> <last name>
    Archive:           http://listserv.surfnet.nl/archives/inch.html

Description of Working Group:

Background
==========

Computer security incidents occur across administrative domains often
spanning different organizations and national borders. Therefore, the
exchange of incident information and statistics among involved parties
and associated Computer Security Incident Response Teams (CSIRTs) is
crucial for both reactionary analysis of current intruder activity and
proactive identification of trends that can lead to incident
prevention.

Scope
=====

The purpose of the Incident Handling (INCH) working group is to define
a data format for exchanging security incident information used by a
CSIRT. A CSIRT is defined broadly as an entity (either a team or
individual) with a security role or responsibility for a given
constituency (e.g., organization, network).

The use case for the INCH WG output is to standardize the information
model and messaging format currently used in communication between a
CSIRT and the:

* constituency (e.g., users, customers) from which it receives reports
of misuse;

* other parties involved in an incident (e.g., technical contact at an
attacking site, other CSIRTs); and

* analysis centers performing trending across broad data-sets.

These INCH developed formats will replace the now largely human-
intensive communication processes common in incident handling. The
working group will address the issues related to representing and
transporting:

* the source(s) and target(s) of system misuse, as well as the
analysis of their behavior;

* the evidence to support this analysis;

* status of an incident investigation and analysis process; and

* meta-information relevant to sharing sensitive information across
administrative domains (e.g., internationalization, authorization,
privacy).

Constraints
===========

The WG will not attempt to define

- - an incident taxonomy;
- - an archive format for incident information;
- - a format for workflow process internal to a CSIRT; or
- - a format for computer security related information for which there
is already a working standard.

Output of Working Group
=======================

1. A set of high-level requirements for a data format to represent
information commonly exchanged by CSIRTs.

2. A specification of an extensible, incident data description language
that describes a format that satisfies these requirements (Output #1).

3. A set of sample incident reports and their associate representation
in the incident data language.

4. A message format specification and associated transport binding to
carry the encoded description of an incident (Output #2).

5. Guidelines for implementing the data format (Output #2) and
associated communications (Output #4)

Goals and Milestones:

  Done         Initial I-D of the incident data language specification

  Done         Initial I-D for the requirements specification

  Done         Initial I-D of the implementation guidelines document

  Done         Initial I-D of the traceback extension specification

  Done         Submit initial draft of phishing extension specification I-D

  Done         Initial I-D of a transport binding specification

  Jun 2006       Submit requirements I-D to the IESG as Informational

  Aug 2006       Submit messaging format specification I-D to the IESG as
               Proposed

  Aug 2006       Submit incident data language specification I-D to the IESG as
               Proposed

  Aug 2006       Submit transport binding specification I-D to the IESG as
               Proposed

  Aug 2006       Submit phishing extension specification I-D to the IESG as
               Proposed

  Sep 2006       Submit implementation guidelines I-D to the IESG as
               Informational


Internet-Drafts:

Posted Revised         I-D Title   <Filename>
------ ------- --------------------------------------------
Oct 2002 Sep 2006   <draft-ietf-inch-iodef-10.txt>
               The Incident Object Description Exchange Format

Feb 2003 Jul 2006   <draft-ietf-inch-requirements-08.txt>
               Requirements for the Format for Incident Information Exchange
               (FINE)

Mar 2004 Aug 2006   <draft-ietf-inch-rid-08.txt>
               Incident Handling: Real-time Inter-network Defense

Jun 2005 Jun 2006   <draft-ietf-inch-phishingextns-03.txt>
               Extensions to the IODEF-Document Class for Phishing, Fraud, and
               Other Crimeware

Mar 2006 Aug 2006   <draft-ietf-inch-rid-soap-03.txt>
               IODEF/RID over SOAP

Request For Comments:

 None to date.

You are viewing proxied material from ftp.icm.edu.pl. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.