
RFC 7970

 
 
 

The Incident Object Description Exchange Format Version 2

Part 3 of 9, p. 43 to 60
3.12.  Assessment Class

   The Assessment class describes the repercussions of the incident to
   the victim.

   +-------------------------+
   | Assessment              |
   +-------------------------+
   | ENUM occurrence         |<>--{0..*}--[ IncidentCategory ]
   | ENUM restriction        |<>--{0..*}--[ SystemImpact     ]
   | STRING ext-restriction  |<>--{0..*}--[ BusinessImpact   ]
   | ID observable-id        |<>--{0..*}--[ TimeImpact       ]
   |                         |<>--{0..*}--[ MonetaryImpact   ]
   |                         |<>--{0..*}--[ IntendedImpact   ]
   |                         |<>--{0..*}--[ Counter          ]
   |                         |<>--{0..*}--[ MitigatingFactor ]
   |                         |<>--{0..*}--[ Cause            ]
   |                         |<>--{0..1}--[ Confidence       ]
   |                         |<>--{0..*}--[ AdditionalData   ]
   +-------------------------+

                      Figure 21: The Assessment Class

   The aggregate classes of the Assessment class are:

   IncidentCategory
      Zero or more.  ML_STRING.  A free-form text description
      categorizing the type of incident.

   SystemImpact
      Zero or more.  A technical characterization of the impact of the
      incident activity on the victim's enterprise.  See Section 3.12.1.

   BusinessImpact
      Zero or more.  Impact of the incident activity on the business
      functions of the victim organization.  See Section 3.12.2.

   TimeImpact
      Zero or more.  A characterization of the impact on the victim
      organization, as a function of time, due to the incident activity.
      See Section 3.12.3.

   MonetaryImpact
      Zero or more.  The financial loss due to the incident activity.
      See Section 3.12.4.

   IntendedImpact
      Zero or more.  The outcome the threat actor sought to bring about
      for the victim.  Defined identically to BusinessImpact
      (Section 3.12.2) but describes intent rather than realized impact.

   Counter
      Zero or more.  A counter with which to summarize the magnitude of
      the activity.  See Section 3.18.3.

   MitigatingFactor
      Zero or more.  ML_STRING.  A description of a mitigating factor
      relative to the impact on the victim organization.

   Cause
      Zero or more.  ML_STRING.  A description of an underlying cause of
      the impact.

   Confidence
      Zero or one.  An estimate of confidence in the impact assessment.
      See Section 3.12.5.

   AdditionalData
      Zero or more.  EXTENSION.  A mechanism by which to extend the data
      model.

   At least one instance of the possible five impact classes (i.e.,
   SystemImpact, BusinessImpact, TimeImpact, MonetaryImpact, or
   IntendedImpact) MUST be present.

   The attributes of the Assessment class are:

   occurrence
      Optional.  ENUM.  Specifies whether the assessment is describing
      actual or potential outcomes.

      1.  actual.  This assessment describes activity that has occurred.

      2.  potential.  This assessment describes potential activity that
          might occur.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.12.1.  SystemImpact Class

   The SystemImpact class describes the technical impact of the incident
   to the systems on the network.

   +-----------------------+
   | SystemImpact          |
   +-----------------------+
   | ENUM severity         |<>--{0..*}--[ Description ]
   | ENUM completion       |
   | ENUM type             |
   | STRING ext-type       |
   +-----------------------+

                     Figure 22: The SystemImpact Class

   The aggregate class of the SystemImpact class is:

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      impact to the system.

   The attributes of the SystemImpact class are:

   severity
      Optional.  ENUM.  An estimate of the relative severity of the
      activity.  The permitted values are shown below.  There is no
      default value.

      1.  low.  Low severity

      2.  medium.  Medium severity

      3.  high.  High severity

   completion
      Optional.  ENUM.  An indication whether the described activity was
      successful.  The permitted values are shown below.  There is no
      default value.

      1.  failed.  The attempted activity was not successful.

      2.  succeeded.  The attempted activity succeeded.

   type
      Required.  ENUM.  Classifies the impact.  The permitted values are
      shown below.  The default value is "unknown".  These values are
      maintained in the "SystemImpact-type" IANA registry per
      Section 10.2.

      1.   takeover-account.  Control was taken of a given account.

      2.   takeover-service.  Control was taken of a given service.

      3.   takeover-system.  Control was taken of a given system.

      4.   cps-manipulation.  A cyber-physical system was manipulated.

      5.   cps-damage.  A cyber-physical system was damaged.

      6.   availability-data.  Access to particular data was degraded or
           denied.

      7.   availability-account.  Access to an account was degraded or
           denied.

      8.   availability-service.  Access to a service was degraded or
           denied.

      9.   availability-system.  Access to a system was degraded or
           denied.

      10.  damaged-system.  Hardware on a system was irreparably
           damaged.

      11.  damaged-data.  Data on a system was deleted.

      12.  breach-proprietary.  Sensitive or proprietary information was
           accessed or exfiltrated.

      13.  breach-privacy.  Personally identifiable information was
           accessed or exfiltrated.

      14.  breach-credential.  Credential information was accessed or
           exfiltrated.

      15.  breach-configuration.  System configuration or data inventory
           was accessed or exfiltrated.

      16.  integrity-data.  Data on the system was modified.

      17.  integrity-configuration.  Application or system configuration
           was modified.

      18.  integrity-hardware.  Firmware of a hardware component was
           modified.

      19.  traffic-redirection.  Network traffic on the system was
           redirected.

      20.  monitoring-traffic.  Network traffic emerging from a host or
           enclave was monitored.

      21.  monitoring-host.  System activity (e.g., running processes,
           keystrokes) was monitored.

      22.  policy.  Activity violated the system owner's acceptable use
           policy.

      23.  unknown.  The impact is unknown.

      24.  ext-value.  A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute.  See Section 5.1.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.1.

3.12.2.  BusinessImpact Class

   The BusinessImpact class describes and characterizes the degree to
   which the function of the organization was impacted by the incident.

   +-------------------------+
   | BusinessImpact          |
   +-------------------------+
   | ENUM severity           |<>--{0..*}--[ Description ]
   | STRING ext-severity     |
   | ENUM type               |
   | STRING ext-type         |
   +-------------------------+

                    Figure 23: The BusinessImpact Class

   The aggregate class of the BusinessImpact class is:

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      impact to the organization.

   The attributes of the BusinessImpact class are:

   severity
      Optional.  ENUM.  Characterizes the severity of the incident on
      business functions.  The permitted values are shown below.  They
      were derived from Table 3-2 of [NIST800.61rev2].  The default
      value is "unknown".  These values are maintained in the
      "BusinessImpact-severity" IANA registry per Section 10.2.

      1.  none.  No effect on the organization's ability to provide all
          services to all users.

      2.  low.  Minimal effect as the organization can still provide all
          critical services to all users but has lost efficiency.

      3.  medium.  The organization has lost the ability to provide a
          critical service to a subset of system users.

      4.  high.  The organization is no longer able to provide some
          critical services to any users.

      5.  unknown.  The impact is not known.

      6.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-severity
      Optional.  STRING.  A means by which to extend the severity
      attribute.  See Section 5.1.1.

   type
      Required.  ENUM.  Characterizes the effect this incident had on
      the business.  The permitted values are shown below.  The default
      value is "unknown".  These values are maintained in the
      "BusinessImpact-type" IANA registry per Section 10.2.

      1.   breach-proprietary.  Sensitive or proprietary information was
           accessed or exfiltrated.

      2.   breach-privacy.  Personally identifiable information was
           accessed or exfiltrated.

      3.   breach-credential.  Credential information was accessed or
           exfiltrated.

      4.   loss-of-integrity.  Sensitive or proprietary information was
           changed or deleted.

      5.   loss-of-service.  Service delivery was disrupted.

      6.   theft-financial.  Money was stolen.

      7.   theft-service.  Services were misappropriated.

      8.   degraded-reputation.  The reputation of the organization's
           brand was diminished.

      9.   asset-damage.  A cyber-physical system was damaged.

      10.  asset-manipulation.  A cyber-physical system was manipulated.

      11.  legal.  The incident resulted in legal or regulatory action.

      12.  extortion.  The incident resulted in actors extorting the
           victim organization.

      13.  unknown.  The impact is unknown.

      14.  ext-value.  A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute.  See Section 5.1.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.1.

3.12.3.  TimeImpact Class

   The TimeImpact class describes the impact of the incident on an
   organization as a function of time.  It provides a way to convey
   downtime and recovery time.

   +---------------------+
   | TimeImpact          |
   +---------------------+
   | REAL                |
   |                     |
   | ENUM severity       |
   | ENUM metric         |
   | STRING ext-metric   |
   | ENUM duration       |
   | STRING ext-duration |
   +---------------------+

                      Figure 24: The TimeImpact Class

   The content of the class is of type REAL and specifies an amount of
   time.  The duration attribute provides units for this content, and
   the metric attribute explains what this content is measuring.

   The attributes of the TimeImpact class are:

   severity
      Optional.  ENUM.  An estimate of the relative severity of the
      activity.  The permitted values are shown below.  There is no
      default value.

      1.  low.  Low severity

      2.  medium.  Medium severity

      3.  high.  High severity

   metric
      Required.  ENUM.  Defines the meaning of the value in the element
      content.  These values are maintained in the "TimeImpact-metric"
      IANA registry per Section 10.2.

      1.  labor.  Total staff time to recover from the activity (e.g.,
          2 employees working 4 hours each would be 8 hours).

      2.  elapsed.  Elapsed time from the beginning of the recovery to
          its completion (i.e., wall-clock time).

      3.  downtime.  Duration of time for which some provided service(s)
          was not available.

      4.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-metric
      Optional.  STRING.  A means by which to extend the metric
      attribute.  See Section 5.1.1.

   duration
      Optional.  ENUM.  Defines the unit of time for the value in the
      element content.  The default value is "hour".  These values are
      maintained in the "TimeImpact-duration" IANA registry per
      Section 10.2.

      1.  second.  The unit of the element content is seconds.

      2.  minute.  The unit of the element content is minutes.

      3.  hour.  The unit of the element content is hours.

      4.  day.  The unit of the element content is days.

      5.  month.  The unit of the element content is months.

      6.  quarter.  The unit of the element content is quarters.

      7.  year.  The unit of the element content is years.

      8.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-duration
      Optional.  STRING.  A means by which to extend the duration
      attribute.  See Section 5.1.1.
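
   The element content, the metric attribute and the duration attribute
   only carry meaning together: "8" is eight hours of staff effort when
   metric is "labor" and duration is absent (the default is "hour"), but
   eight calendar months of outage when metric is "downtime" and duration
   is "month".  The following Python is an added example, not code from
   the RFC or from any IODEF implementation.  It assumes the IODEF v2
   namespace URI urn:ietf:params:xml:ns:iodef-2.0 (registered by the RFC
   but not shown on this page); the function names and the Assessment
   sample are constructed for illustration.

```python
"""Normalize IODEF v2 TimeImpact values (RFC 7970, Section 3.12.3) to hours.
Added example, not code from the RFC.  Assumes the IODEF v2 namespace URI
"urn:ietf:params:xml:ns:iodef-2.0" and a constructed Assessment sample."""
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-2.0"  # assumed IODEF v2 namespace URI

# Fixed-length units convert exactly via seconds.  "month", "quarter" and
# "year" have calendar-dependent lengths and are reported unconverted rather
# than silently approximated.
SECONDS_PER = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def time_impact(el):
    """Describe one TimeImpact element: its metric, numeric value, resolved
    unit and the value in hours (None when the unit is not fixed-length).
    The duration attribute defaults to "hour" when absent, per the RFC."""
    metric = el.get("metric")
    if metric is None:
        raise ValueError("TimeImpact: the metric attribute is required")
    if metric == "ext-value":  # Section 5.1.1 extension mechanism
        metric = "ext:" + (el.get("ext-metric") or "")
    unit = el.get("duration", "hour")
    if unit == "ext-value":
        unit = "ext:" + (el.get("ext-duration") or "")
    value = float((el.text or "").strip())
    hours = value * SECONDS_PER[unit] / 3600 if unit in SECONDS_PER else None
    return {"metric": metric, "value": value, "unit": unit, "hours": hours}


def summarize_time_impact(assessment):
    """Sum hours per metric.  labor (staff effort), elapsed (wall-clock) and
    downtime (service outage) measure different things, so they are kept
    apart.  Returns (totals_by_metric, unconverted) where unconverted lists
    (metric, value, unit) for entries in calendar units."""
    totals, unconverted = {}, []
    for el in assessment.findall("{%s}TimeImpact" % NS):
        info = time_impact(el)
        if info["hours"] is None:
            unconverted.append((info["metric"], info["value"], info["unit"]))
        else:
            totals[info["metric"]] = totals.get(info["metric"], 0.0) + info["hours"]
    return totals, unconverted


# Constructed sample: two analysts at 4 hours each (labor; unit defaults to
# "hour"), a 30-minute outage, a two-day recovery window and a month-long
# degradation that cannot be converted exactly.
SAMPLE = """<Assessment xmlns="%s">
  <TimeImpact metric="labor">8</TimeImpact>
  <TimeImpact metric="downtime" duration="minute">30</TimeImpact>
  <TimeImpact metric="elapsed" duration="day">2</TimeImpact>
  <TimeImpact metric="downtime" duration="month">1</TimeImpact>
</Assessment>""" % NS


def summarize(xml_text):
    """Parse an Assessment element and summarize its TimeImpact children."""
    return summarize_time_impact(ET.fromstring(xml_text))
```

   Keeping the three metrics in separate totals is the point of the
   example: a receiving CSIRT that adds "labor" and "elapsed" together
   produces a number that means nothing, and a value given in months
   needs the reporting calendar before it can be compared with hours.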

3.12.4.  MonetaryImpact Class

   The MonetaryImpact class describes the financial impact of the
   activity on an organization.  For example, this impact may consider
   losses due to the cost of the investigation or recovery, diminished
   productivity of the staff, or a tarnished reputation that will affect
   future opportunities.

   +------------------+
   | MonetaryImpact   |
   +------------------+
   | REAL             |
   |                  |
   | ENUM severity    |
   | STRING currency  |
   +------------------+

                    Figure 25: The MonetaryImpact Class

   The content of the class is of type REAL and specifies a quantity of
   money.  The currency attribute defines the currency of this value.

   The attributes of the MonetaryImpact class are:

   severity
      Optional.  ENUM.  An estimate of the relative severity of the
      activity.  The permitted values are shown below.  There is no
      default value.

      1.  low.  Low severity

      2.  medium.  Medium severity

      3.  high.  High severity

   currency
      Optional.  STRING.  Defines the currency in which the value in the
      element content is expressed.  The permitted values are defined in
      "Codes for the representation of currencies" [ISO4217].  There is
      no default value.

3.12.5.  Confidence Class

   The Confidence class represents an estimate of the validity and
   accuracy of data expressed in the document.  This estimate can be
   expressed as a category or a numeric calculation.

   +-------------------+
   | Confidence        |
   +-------------------+
   | REAL              |
   |                   |
   | ENUM rating       |
   | STRING ext-rating |
   +-------------------+

                      Figure 26: The Confidence Class

   The content of the class is of type REAL and specifies a numerical
   assessment of the confidence in the data when the value of the rating
   attribute is "numeric".  Otherwise, this element MUST be empty.

   The attributes of the Confidence class are:

   rating
      Required.  ENUM.  A qualitative assessment of confidence.  These
      values are maintained in the "Confidence-rating" IANA registry per
      Section 10.2.

      1.  low.  Low confidence.

      2.  medium.  Medium confidence.

      3.  high.  High confidence.

      4.  numeric.  The element content contains a number that conveys
          the confidence of the data.  The semantics of this number are
          outside the scope of this specification.

      5.  unknown.  The confidence rating value is not known.

      6.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-rating
      Optional.  STRING.  A means by which to extend the rating
      attribute.  See Section 5.1.1.
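
   Sections 3.12 through 3.12.5 state several rules that a class diagram
   alone cannot enforce: at least one of the five impact classes MUST be
   present, each ENUM attribute takes only its listed values, "ext-value"
   is meaningful only with the matching ext-* attribute (Section 5.1.1),
   REAL content must be numeric, and the Confidence content MUST be empty
   unless rating is "numeric".  The following Python checks all of them
   over an Assessment subtree.  It is an added example, not code from the
   RFC or from any IODEF implementation; it assumes the IODEF v2
   namespace URI urn:ietf:params:xml:ns:iodef-2.0 (registered by the RFC
   but not shown on this page), and the function names and the two
   sample documents are constructed for illustration.

```python
"""Structural checks for an IODEF v2 Assessment subtree (RFC 7970, Section 3.12).
Added example, not code from the RFC.  Assumes the IODEF v2 namespace URI
"urn:ietf:params:xml:ns:iodef-2.0" and runs over constructed sample documents."""
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-2.0"  # assumed IODEF v2 namespace URI


def q(name):
    return "{%s}%s" % (NS, name)  # qualify a local name with the namespace


def local(el):
    return el.tag.rsplit("}", 1)[-1]  # namespace-stripped element name


IMPACT_CLASSES = ("SystemImpact", "BusinessImpact", "TimeImpact",  # Section 3.12:
                  "MonetaryImpact", "IntendedImpact")               # at least one
OCCURRENCE = {"actual", "potential"}
SEVERITY = {"low", "medium", "high"}  # SystemImpact, TimeImpact, MonetaryImpact
SYSTEM_TYPES = set("""takeover-account takeover-service takeover-system
    cps-manipulation cps-damage availability-data availability-account
    availability-service availability-system damaged-system damaged-data
    breach-proprietary breach-privacy breach-credential breach-configuration
    integrity-data integrity-configuration integrity-hardware
    traffic-redirection monitoring-traffic monitoring-host policy unknown
    ext-value""".split())
BUSINESS_SEVERITY = {"none", "low", "medium", "high", "unknown", "ext-value"}
BUSINESS_TYPES = set("""breach-proprietary breach-privacy breach-credential
    loss-of-integrity loss-of-service theft-financial theft-service
    degraded-reputation asset-damage asset-manipulation legal extortion
    unknown ext-value""".split())
TIME_METRIC = {"labor", "elapsed", "downtime", "ext-value"}
TIME_DURATION = {"second", "minute", "hour", "day", "month", "quarter",
                 "year", "ext-value"}
CONFIDENCE_RATING = {"low", "medium", "high", "numeric", "unknown", "ext-value"}


def _enum(el, attr, allowed, errors, required=False):
    """Check one ENUM attribute.  "ext-value" needs the matching ext-<attr>
    (Section 5.1.1).  Attributes with an RFC default are not required."""
    value = el.get(attr)
    if value is None:
        if required:
            errors.append("%s: missing required attribute %r" % (local(el), attr))
    elif value not in allowed:
        errors.append("%s: %s=%r is not a permitted value" % (local(el), attr, value))
    elif value == "ext-value" and not el.get("ext-" + attr):
        errors.append("%s: %s='ext-value' but ext-%s is absent" % (local(el), attr, attr))


def _real(el, errors):
    try:  # content declared REAL must parse as a number
        float((el.text or "").strip())
    except ValueError:
        errors.append("%s: content %r is not a REAL" % (local(el), el.text))


def validate_assessment(assessment):
    """Return the list of rule violations (empty when the subtree is acceptable)."""
    errors = []
    if not any(assessment.find(q(c)) is not None for c in IMPACT_CLASSES):
        errors.append("Assessment: at least one impact class MUST be present")
    _enum(assessment, "occurrence", OCCURRENCE, errors)
    for el in assessment:
        name = local(el)
        if name == "SystemImpact":
            _enum(el, "severity", SEVERITY, errors)
            _enum(el, "completion", {"failed", "succeeded"}, errors)
            _enum(el, "type", SYSTEM_TYPES, errors)  # default "unknown"
        elif name in ("BusinessImpact", "IntendedImpact"):  # identical definitions
            _enum(el, "severity", BUSINESS_SEVERITY, errors)
            _enum(el, "type", BUSINESS_TYPES, errors)  # default "unknown"
        elif name == "TimeImpact":
            _enum(el, "severity", SEVERITY, errors)
            _enum(el, "metric", TIME_METRIC, errors, required=True)
            _enum(el, "duration", TIME_DURATION, errors)  # default "hour"
            _real(el, errors)
        elif name == "MonetaryImpact":
            _enum(el, "severity", SEVERITY, errors)
            _real(el, errors)
        elif name == "Confidence":
            _enum(el, "rating", CONFIDENCE_RATING, errors, required=True)
            if el.get("rating") == "numeric":
                _real(el, errors)  # the content carries the number
            elif (el.text or "").strip():
                errors.append("Confidence: content MUST be empty unless rating='numeric'")
    return errors


# Constructed samples, not taken from the RFC.
VALID = """<Assessment xmlns="%s" occurrence="actual">
  <SystemImpact type="takeover-account" severity="high" completion="succeeded"/>
  <TimeImpact metric="downtime" duration="hour" severity="medium">6</TimeImpact>
  <MonetaryImpact currency="USD">12500.00</MonetaryImpact>
  <Confidence rating="numeric">0.8</Confidence>
</Assessment>""" % NS
INVALID = """<Assessment xmlns="%s" occurrence="maybe">
  <SystemImpact type="ext-value"/>
  <Confidence rating="high">0.9</Confidence>
</Assessment>""" % NS


def check(xml_text):
    """Parse one Assessment element and validate it."""
    return validate_assessment(ET.fromstring(xml_text))
```

   Attributes the RFC gives a default (type, duration) are accepted when
   absent, while metric and rating, which have no default, are reported
   when missing.  The INVALID sample trips three rules at once: an
   occurrence value outside the enumeration, "ext-value" without
   ext-type, and a Confidence element that carries content although its
   rating is not "numeric".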

3.13.  History Class

   The History class is a log of the significant events or actions
   performed by the involved parties during the course of handling the
   incident.

   The level of detail maintained in this log is left up to the
   discretion of those handling the incident.

   +------------------------+
   | History                |
   +------------------------+
   | ENUM restriction       |<>--{1..*}--[ HistoryItem ]
   | STRING ext-restriction |
   +------------------------+

                       Figure 27: The History Class

   The aggregate classes of the History class are:

   HistoryItem
      One or more.  An entry in the history log of significant events or
      actions performed by the involved parties.  See Section 3.13.1.

   The attributes of the History class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.13.1.  HistoryItem Class

   The HistoryItem class is an entry in the History (Section 3.13) log
   that documents a particular action or event that occurred in the
   course of handling the incident.  The details of the entry are a
   free-form text description, but each can be categorized with the type
   attribute.

   +-------------------------+
   | HistoryItem             |
   +-------------------------+
   | ENUM action             |<>----------[ DateTime       ]
   | STRING ext-action       |<>--{0..1}--[ IncidentID     ]
   | ENUM restriction        |<>--{0..1}--[ Contact        ]
   | STRING ext-restriction  |<>--{0..*}--[ Description    ]
   | ID observable-id        |<>--{0..*}--[ DefinedCOA     ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                     Figure 28: The HistoryItem Class

   The aggregate classes of the HistoryItem class are:

   DateTime
      One.  DATETIME.  A timestamp of this entry in the history log.

   IncidentID
      Zero or one.  In a history log created by multiple parties, the
      IncidentID provides a mechanism to specify which CSIRT created a
      particular entry and references this organization's tracking
      number.  When a single organization is maintaining the log, this
      class can be ignored.  See Section 3.4.

   Contact
      Zero or one.  Provides contact information for the entity that
      performed the action documented in this class.  See Section 3.9.

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      action or event.

   DefinedCOA
      Zero or more.  STRING.  An identifier meaningful to the sender and
      recipient of this document that references a course of action
      (COA).  This class MUST be present if the action attribute is set
      to "defined-coa".

   AdditionalData
      Zero or more.  EXTENSION.  A mechanism by which to extend the data
      model.

   The attributes of the HistoryItem class are:

   action
      Required.  ENUM.  Classifies a performed action or occurrence
      documented in this history log entry.  As activity will likely
      have been instigated either through a previously conveyed
      expectation or through an internal investigation, this attribute
      is identical to the action attribute of the Expectation class.
      The difference is only one of tense.  When an action is in this
      class, it has been completed.  See Section 3.15.

   ext-action
      Optional.  STRING.  A means by which to extend the action
      attribute.  See Section 5.1.1.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.
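
   A History is a log, so a consumer typically wants its HistoryItem
   entries in DateTime order, attributed to the party whose IncidentID
   they carry, with the Section 3.13.1 rule that DefinedCOA MUST be
   present when action is "defined-coa" enforced on the way.  The
   following Python is an added example, not code from the RFC or from
   any IODEF implementation.  It assumes the IODEF v2 namespace URI
   urn:ietf:params:xml:ns:iodef-2.0, the "name" attribute of IncidentID
   (Section 3.4) and the "investigate" action value of the Expectation
   class (Section 3.15), none of which appear on this page; the function
   names and the History sample are constructed for illustration.

```python
"""Order an IODEF v2 History log chronologically and check the HistoryItem
rules of RFC 7970, Section 3.13.1.  Added example, not code from the RFC.
Assumes the IODEF v2 namespace URI "urn:ietf:params:xml:ns:iodef-2.0", the
IncidentID "name" attribute defined in Section 3.4, and constructed data."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = "urn:ietf:params:xml:ns:iodef-2.0"  # assumed IODEF v2 namespace URI


def q(name):
    return "{%s}%s" % (NS, name)  # qualify a local name with the namespace


def parse_datetime(text):
    """IODEF DATETIME is an XML dateTime; accept the trailing 'Z' spelling."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def check_history_item(item):
    """Return the rule violations for one HistoryItem."""
    errors = []
    if len(item.findall(q("DateTime"))) != 1:
        errors.append("HistoryItem: exactly one DateTime is required")
    action = item.get("action")
    if action is None:
        errors.append("HistoryItem: the action attribute is required")
    elif action == "ext-value" and not item.get("ext-action"):
        errors.append("HistoryItem: action='ext-value' without ext-action")
    elif action == "defined-coa" and item.find(q("DefinedCOA")) is None:
        errors.append("HistoryItem: action='defined-coa' requires a DefinedCOA")
    return errors


def history_timeline(history):
    """Return (entries, errors).  Entries are sorted by DateTime; each records
    the party whose IncidentID the entry carries (None in a single-party log),
    the completed action, any referenced COA identifiers and the descriptions."""
    entries, errors = [], []
    items = history.findall(q("HistoryItem"))
    if not items:
        errors.append("History: at least one HistoryItem is required")
    for item in items:
        errors.extend(check_history_item(item))
        when = item.find(q("DateTime"))
        if when is None:
            continue
        owner = item.find(q("IncidentID"))
        entries.append({
            "time": parse_datetime(when.text),
            "action": item.get("action"),
            "by": owner.get("name") if owner is not None else None,
            "coa": [c.text.strip() for c in item.findall(q("DefinedCOA"))],
            "description": [d.text.strip() for d in item.findall(q("Description"))],
        })
    entries.sort(key=lambda e: e["time"])
    return entries, errors


# Constructed sample: entries are deliberately out of order, and the second
# one violates the DefinedCOA rule.
SAMPLE = """<History xmlns="%s">
  <HistoryItem action="defined-coa">
    <DateTime>2016-03-15T14:00:00Z</DateTime>
    <IncidentID name="csirt.example.com">CSIRT-2016-0042</IncidentID>
    <Description>Host isolated per the agreed course of action</Description>
    <DefinedCOA>coa-isolate-host</DefinedCOA>
  </HistoryItem>
  <HistoryItem action="defined-coa">
    <DateTime>2016-03-15T12:00:00Z</DateTime>
    <Description>COA agreed with the site owner</Description>
  </HistoryItem>
  <HistoryItem action="investigate">
    <DateTime>2016-03-15T10:00:00Z</DateTime>
    <IncidentID name="csirt.example.com">CSIRT-2016-0042</IncidentID>
    <Description>Alert triaged by the on-call analyst</Description>
  </HistoryItem>
</History>""" % NS


def timeline(xml_text):
    """Parse a History element and build its timeline."""
    return history_timeline(ET.fromstring(xml_text))
```

   The action vocabulary itself is the Expectation class's (Section 3.15)
   and is not enumerated here; only the cross-element rule that this
   section states, DefinedCOA with "defined-coa", is checked.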

3.14.  EventData Class

   The EventData class is a container class to organize data about
   events that occurred during an incident.

   +-------------------------+
   | EventData               |
   +-------------------------+
   | ENUM restriction        |<>--{0..*}--[ Description    ]
   | STRING ext-restriction  |<>--{0..1}--[ DetectTime     ]
   | ID observable-id        |<>--{0..1}--[ StartTime      ]
   |                         |<>--{0..1}--[ EndTime        ]
   |                         |<>--{0..1}--[ RecoveryTime   ]
   |                         |<>--{0..1}--[ ReportTime     ]
   |                         |<>--{0..*}--[ Contact        ]
   |                         |<>--{0..*}--[ Discovery      ]
   |                         |<>--{0..1}--[ Assessment     ]
   |                         |<>--{0..*}--[ Method         ]
   |                         |<>--{0..*}--[ Flow           ]
   |                         |<>--{0..*}--[ Expectation    ]
   |                         |<>--{0..1}--[ Record         ]
   |                         |<>--{0..*}--[ EventData      ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                      Figure 29: The EventData Class

   The aggregate classes of the EventData class are:

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      event.

   DetectTime
      Zero or one.  DATETIME.  The time the event was detected.

   StartTime
      Zero or one.  DATETIME.  The time the event started.

   EndTime
      Zero or one.  DATETIME.  The time the event ended.

   RecoveryTime
      Zero or one.  DATETIME.  The time the site recovered from the
      event.

   ReportTime
      Zero or one.  DATETIME.  The time the event was reported.

   Contact
      Zero or more.  Contact information for the parties involved in the
      event.  See Section 3.9.

   Discovery
      Zero or more.  The means by which the event was detected.  See
      Section 3.10.

   Assessment
      Zero or one.  The impact of the event on the victim and the
      actions taken.  See Section 3.12.

   Method
      Zero or more.  The technique used by the threat actor in the
      event.  See Section 3.11.

   Flow
      Zero or more.  A description of the systems or networks involved.
      See Section 3.16.

   Expectation
      Zero or more.  The expected action to be performed by the
      recipient for the described event.  See Section 3.15.

   Record
      Zero or one.  Supportive data (e.g., log files) that provides
      additional information about the event.  See Section 3.22.

   EventData
      Zero or more.  A recursive definition of the EventData class.  See
      Section 3.14.2 for an explanation on using this class.

   AdditionalData
      Zero or more.  EXTENSION.  An extension mechanism for data not
      explicitly represented in the data model.

   At least one of the aggregate classes MUST be present in an instance
   of the EventData class.

   The attributes of the EventData class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.  The default value is
      "default".

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.14.1.  Relating the Incident and EventData Classes

   There is substantial overlap in the child classes aggregated in the
   Incident and EventData classes.  Nevertheless, the semantics of these
   classes are quite different.  The Incident class provides summary
   information about the entire incident, while the EventData class
   provides information about the individual events comprising the
   incident.  In the common case, the EventData class will provide more
   specific information for the general description provided in the
   Incident class.  However, in the case where the summarized
   information in the Incident class conflicts with the detailed
   information in an EventData class, the more specific EventData class
   MUST supersede the more generic information provided in the Incident
   class.

3.14.2.  Recursive Definition of EventData

   The EventData class is a container for the properties of an event in
   an incident.  These properties include: the hosts involved, impact of
   the incident activity on the hosts, forensic logs, etc.  The
   recursive definition of EventData allows for the grouping of related
   information with common properties.  This approach eliminates the
   need for explicit identifiers to relate information or duplicate it.
   Instead, the relative depth (nesting) of a class is used to group
   (relate) information.

   For example, consider a case where two hosts experience different
   impacts during an incident.  However, these two hosts have common
   contact information.  A depiction of how this situation would be
   represented can be found in Figure 30.  EventData (2) and (3) group
   each of the two hosts with their unique impact.  EventData (1)
   describes the common Contact class these two hosts share.

   +------------------+
   | EventData (1)    |
   +------------------+
   |                  |<>----[ Contact    ]
   |                  |
   |                  |<>----[ EventData (2) ]<>----[ Flow       ]
   |                  |      [               ]<>----[ Assessment ]
   |                  |
   |                  |<>----[ EventData (3) ]<>----[ Flow       ]
   |                  |      [               ]<>----[ Assessment ]
   +------------------+

                Figure 30: Recursion in the EventData Class
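
   Because nesting, not an explicit identifier, is what relates the
   shared Contact in EventData (1) to the hosts in EventData (2) and (3),
   a consumer has to walk the tree and carry outer information down to
   the inner EventData before it can say which contact goes with which
   host and impact.  The following Python does that walk over a sample
   shaped like Figure 30 and also enforces the Section 3.14 rule that an
   EventData instance MUST carry at least one aggregate class.  It is an
   added example, not code from the RFC or from any IODEF implementation;
   it assumes the IODEF v2 namespace URI urn:ietf:params:xml:ns:iodef-2.0
   and uses the Contact/ContactName and Flow/System/Node/Address classes,
   which the RFC defines in sections not shown on this page.  The function
   names and the sample content are constructed for illustration.

```python
"""Resolve what each innermost EventData inherits through nesting
(RFC 7970, Section 3.14.2).  Added example, not code from the RFC.  Assumes
the IODEF v2 namespace URI "urn:ietf:params:xml:ns:iodef-2.0"; the Contact/
ContactName and Flow/System/Node/Address classes used in the constructed
sample are defined in RFC sections not shown on this page."""
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-2.0"  # assumed IODEF v2 namespace URI
# Section 3.14: at least one of these aggregate classes MUST be present.
AGGREGATES = ("Description", "DetectTime", "StartTime", "EndTime",
              "RecoveryTime", "ReportTime", "Contact", "Discovery",
              "Assessment", "Method", "Flow", "Expectation", "Record",
              "EventData", "AdditionalData")


def path(*names):
    """Build a namespace-qualified ElementTree path from local names."""
    return "/".join("{%s}%s" % (NS, n) for n in names)


def texts(event, *names):
    """Stripped text of every element reached by the given child path."""
    return [e.text.strip() for e in event.findall(path(*names)) if e.text]


def resolve_leaves(event, inherited=(), depth=0, errors=None):
    """Return (leaves, errors).  Nesting relates information: a Contact on an
    outer EventData applies to every EventData nested inside it, so contacts
    accumulate on the way down.  A leaf is an EventData with no nested
    EventData and is reported with its effective contacts, hosts and impacts."""
    if errors is None:
        errors = []
    if not any(event.find(path(a)) is not None for a in AGGREGATES):
        errors.append("EventData at depth %d: at least one aggregate class MUST be present" % depth)
    contacts = list(inherited) + texts(event, "Contact", "ContactName")
    children = event.findall(path("EventData"))
    if not children:
        impacts = [s.get("type", "unknown")  # SystemImpact type defaults to "unknown"
                   for s in event.findall(path("Assessment", "SystemImpact"))]
        return [{"depth": depth, "contacts": contacts,
                 "addresses": texts(event, "Flow", "System", "Node", "Address"),
                 "impacts": impacts}], errors
    leaves = []
    for child in children:
        leaves.extend(resolve_leaves(child, contacts, depth + 1, errors)[0])
    return leaves, errors


# Constructed sample shaped like Figure 30: one shared Contact on the outer
# EventData, and two nested EventData each pairing a host with its own impact.
SAMPLE = """<EventData xmlns="%s">
  <Contact role="creator" type="organization">
    <ContactName>Example CSIRT (constructed)</ContactName>
  </Contact>
  <EventData>
    <Flow><System category="target"><Node>
      <Address category="ipv4-addr">192.0.2.10</Address></Node></System></Flow>
    <Assessment><SystemImpact type="takeover-system"/></Assessment>
  </EventData>
  <EventData>
    <Flow><System category="target"><Node>
      <Address category="ipv4-addr">192.0.2.20</Address></Node></System></Flow>
    <Assessment><SystemImpact type="availability-service"/></Assessment>
  </EventData>
</EventData>""" % NS


def resolve(xml_text):
    """Parse an EventData element and resolve its leaves."""
    return resolve_leaves(ET.fromstring(xml_text))
```

   Both leaves come back with the same contact although neither carries a
   Contact element of its own, which is exactly the duplication the
   recursive definition avoids; an empty EventData yields one leaf and
   one violation of the at-least-one-aggregate rule.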


