
RFC 7970

The Incident Object Description Exchange Format Version 2

Pages: 172
Proposed Standard
Errata
Obsoletes: 5070, 6685
Part 3 of 9 – Pages 43 to 60

RFC7970 - Page 43

3.12. Assessment Class

   The Assessment class describes the repercussions of the incident to
   the victim.

   +-------------------------+
   | Assessment              |
   +-------------------------+
   | ENUM occurrence         |<>--{0..*}--[ IncidentCategory ]
   | ENUM restriction        |<>--{0..*}--[ SystemImpact     ]
   | STRING ext-restriction  |<>--{0..*}--[ BusinessImpact   ]
   | ID observable-id        |<>--{0..*}--[ TimeImpact       ]
   |                         |<>--{0..*}--[ MonetaryImpact   ]
   |                         |<>--{0..*}--[ IntendedImpact   ]
   |                         |<>--{0..*}--[ Counter          ]
   |                         |<>--{0..*}--[ MitigatingFactor ]
   |                         |<>--{0..*}--[ Cause            ]
   |                         |<>--{0..1}--[ Confidence       ]
   |                         |<>--{0..*}--[ AdditionalData   ]
   +-------------------------+

                     Figure 21: The Assessment Class

   The aggregate classes of the Assessment class are:

   IncidentCategory
      Zero or more.  ML_STRING.  A free-form text description
      categorizing the type of incident.

   SystemImpact
      Zero or more.  A technical characterization of the impact of the
      incident activity on the victim's enterprise.  See Section 3.12.1.

   BusinessImpact
      Zero or more.  Impact of the incident activity on the business
      functions of the victim organization.  See Section 3.12.2.

   TimeImpact
      Zero or more.  A characterization of the victim organization due
      to the incident activity as a function of time.  See
      Section 3.12.3.

   MonetaryImpact
      Zero or more.  The financial loss due to the incident activity.
      See Section 3.12.4.

   IntendedImpact
      Zero or more.  The intended outcome to the victim sought by the
      threat actor.  Defined identically to the BusinessImpact defined
      in Section 3.12.2 but describes intent rather than the realized
      impact.

   Counter
      Zero or more.  A counter with which to summarize the magnitude of
      the activity.  See Section 3.18.3.

   MitigatingFactor
      Zero or more.  ML_STRING.  A description of a mitigating factor
      relative to the impact on the victim organization.

   Cause
      Zero or more.  ML_STRING.  A description of an underlying cause of
      the impact.

   Confidence
      Zero or one.  An estimate of confidence in the impact assessment.
      See Section 3.12.5.

   AdditionalData
      Zero or more.  EXTENSION.  A mechanism by which to extend the data
      model.

   At least one instance of the possible five impact classes (i.e.,
   SystemImpact, BusinessImpact, TimeImpact, MonetaryImpact, or
   IntendedImpact) MUST be present.

   The attributes of the Assessment class are:

   occurrence
      Optional.  ENUM.  Specifies whether the assessment is describing
      actual or potential outcomes.

      1.  actual.  This assessment describes activity that has occurred.

      2.  potential.  This assessment describes potential activity that
          might occur.

   restriction
      Optional.  ENUM.  See Section 3.3.1.
   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.12.1. SystemImpact Class

   The SystemImpact class describes the technical impact of the incident
   to the systems on the network.

   +-----------------------+
   | SystemImpact          |
   +-----------------------+
   | ENUM severity         |<>--{0..*}--[ Description ]
   | ENUM completion       |
   | ENUM type             |
   | STRING ext-type       |
   +-----------------------+

                    Figure 22: The SystemImpact Class

   The aggregate class of the SystemImpact class is:

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      impact to the system.

   The attributes of the SystemImpact class are:

   severity
      Optional.  ENUM.  An estimate of the relative severity of the
      activity.  The permitted values are shown below.  There is no
      default value.

      1.  low.  Low severity

      2.  medium.  Medium severity

      3.  high.  High severity

   completion
      Optional.  ENUM.  An indication whether the described activity was
      successful.  The permitted values are shown below.  There is no
      default value.

      1.  failed.  The attempted activity was not successful.

      2.  succeeded.  The attempted activity succeeded.

   type
      Required.  ENUM.  Classifies the impact.  The permitted values are
      shown below.  The default value is "unknown".  These values are
      maintained in the "SystemImpact-type" IANA registry per
      Section 10.2.

      1.   takeover-account.  Control was taken of a given account.

      2.   takeover-service.  Control was taken of a given service.

      3.   takeover-system.  Control was taken of a given system.

      4.   cps-manipulation.  A cyber-physical system was manipulated.

      5.   cps-damage.  A cyber-physical system was damaged.

      6.   availability-data.  Access to particular data was degraded or
           denied.

      7.   availability-account.  Access to an account was degraded or
           denied.

      8.   availability-service.  Access to a service was degraded or
           denied.

      9.   availability-system.  Access to a system was degraded or
           denied.

      10.  damaged-system.  Hardware on a system was irreparably
           damaged.

      11.  damaged-data.  Data on a system was deleted.

      12.  breach-proprietary.  Sensitive or proprietary information was
           accessed or exfiltrated.

      13.  breach-privacy.  Personally identifiable information was
           accessed or exfiltrated.
      14.  breach-credential.  Credential information was accessed or
           exfiltrated.

      15.  breach-configuration.  System configuration or data inventory
           was accessed or exfiltrated.

      16.  integrity-data.  Data on the system was modified.

      17.  integrity-configuration.  Application or system configuration
           was modified.

      18.  integrity-hardware.  Firmware of a hardware component was
           modified.

      19.  traffic-redirection.  Network traffic on the system was
           redirected.

      20.  monitoring-traffic.  Network traffic emerging from a host or
           enclave was monitored.

      21.  monitoring-host.  System activity (e.g., running processes,
           keystrokes) was monitored.

      22.  policy.  Activity violated the system owner's acceptable use
           policy.

      23.  unknown.  The impact is unknown.

      24.  ext-value.  A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute.  See Section 5.1.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.1.

3.12.2. BusinessImpact Class

   The BusinessImpact class describes and characterizes the degree to
   which the function of the organization was impacted by the incident.

   +-------------------------+
   | BusinessImpact          |
   +-------------------------+
   | ENUM severity           |<>--{0..*}--[ Description ]
   | STRING ext-severity     |
   | ENUM type               |
   | STRING ext-type         |
   +-------------------------+

                   Figure 23: The BusinessImpact Class

   The aggregate class of the BusinessImpact class is:

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      impact to the organization.

   The attributes of the BusinessImpact class are:

   severity
      Optional.  ENUM.  Characterizes the severity of the incident on
      business functions.  The permitted values are shown below.  They
      were derived from Table 3-2 of [NIST800.61rev2].  The default
      value is "unknown".  These values are maintained in the
      "BusinessImpact-severity" IANA registry per Section 10.2.

      1.  none.  No effect to the organization's ability to provide all
          services to all users.

      2.  low.  Minimal effect as the organization can still provide all
          critical services to all users but has lost efficiency.

      3.  medium.  The organization has lost the ability to provide a
          critical service to a subset of system users.

      4.  high.  The organization is no longer able to provide some
          critical services to any users.

      5.  unknown.  The impact is not known.

      6.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-severity
      Optional.  STRING.  A means by which to extend the severity
      attribute.  See Section 5.1.1.

   type
      Required.  ENUM.  Characterizes the effect this incident had on
      the business.  The permitted values are shown below.  The default
      value is "unknown".  These values are maintained in the
      "BusinessImpact-type" IANA registry per Section 10.2.

      1.   breach-proprietary.  Sensitive or proprietary information was
           accessed or exfiltrated.

      2.   breach-privacy.  Personally identifiable information was
           accessed or exfiltrated.

      3.   breach-credential.  Credential information was accessed or
           exfiltrated.

      4.   loss-of-integrity.  Sensitive or proprietary information was
           changed or deleted.

      5.   loss-of-service.  Service delivery was disrupted.

      6.   theft-financial.  Money was stolen.

      7.   theft-service.  Services were misappropriated.

      8.   degraded-reputation.  The reputation of the organization's
           brand was diminished.

      9.   asset-damage.  A cyber-physical system was damaged.

      10.  asset-manipulation.  A cyber-physical system was manipulated.

      11.  legal.  The incident resulted in legal or regulatory action.

      12.  extortion.  The incident resulted in actors extorting the
           victim organization.

      13.  unknown.  The impact is unknown.

      14.  ext-value.  A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute.  See Section 5.1.1.
   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.1.

3.12.3. TimeImpact Class

   The TimeImpact class describes the impact of the incident on an
   organization as a function of time.  It provides a way to convey down
   time and recovery time.

   +---------------------+
   | TimeImpact          |
   +---------------------+
   | REAL                |
   |                     |
   | ENUM severity       |
   | ENUM metric         |
   | STRING ext-metric   |
   | ENUM duration       |
   | STRING ext-duration |
   +---------------------+

                     Figure 24: The TimeImpact Class

   The content of the class is of type REAL and specifies an amount of
   time.  The duration attribute provides units for this content, and
   the metric attribute explains what this content is measuring.

   The attributes of the TimeImpact class are:

   severity
      Optional.  ENUM.  An estimate of the relative severity of the
      activity.  The permitted values are shown below.  There is no
      default value.

      1.  low.  Low severity

      2.  medium.  Medium severity

      3.  high.  High severity

   metric
      Required.  ENUM.  Defines the meaning of the value in the element
      content.  These values are maintained in the "TimeImpact-metric"
      IANA registry per Section 10.2.

      1.  labor.  Total staff time to recover from the activity (e.g.,
          2 employees working 4 hours each would be 8 hours).

      2.  elapsed.  Elapsed time from the beginning of the recovery to
          its completion (i.e., wall-clock time).

      3.  downtime.  Duration of time for which some provided service(s)
          was not available.

      4.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-metric
      Optional.  STRING.  A means by which to extend the metric
      attribute.  See Section 5.1.1.

   duration
      Optional.  ENUM.  Defines the unit of time for the value in the
      element content.  The default value is "hour".  These values are
      maintained in the "TimeImpact-duration" IANA registry per
      Section 10.2.

      1.  second.  The unit of the element content is seconds.

      2.  minute.  The unit of the element content is minutes.

      3.  hour.  The unit of the element content is hours.

      4.  day.  The unit of the element content is days.

      5.  month.  The unit of the element content is months.

      6.  quarter.  The unit of the element content is quarters.

      7.  year.  The unit of the element content is years.

      8.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-duration
      Optional.  STRING.  A means by which to extend the duration
      attribute.  See Section 5.1.1.

3.12.4. MonetaryImpact Class

   The MonetaryImpact class describes the financial impact of the
   activity on an organization.  For example, this impact may consider
   losses due to the cost of the investigation or recovery, diminished
   productivity of the staff, or a tarnished reputation that will affect
   future opportunities.

   +------------------+
   | MonetaryImpact   |
   +------------------+
   | REAL             |
   |                  |
   | ENUM severity    |
   | STRING currency  |
   +------------------+

                   Figure 25: The MonetaryImpact Class

   The content of the class is of type REAL and specifies a quantity of
   money.  The currency attribute defines the currency of this value.

   The attributes of the MonetaryImpact class are:

   severity
      Optional.  ENUM.  An estimate of the relative severity of the
      activity.  The permitted values are shown below.  There is no
      default value.

      1.  low.  Low severity

      2.  medium.  Medium severity

      3.  high.  High severity

   currency
      Optional.  STRING.  Defines the currency in which the value in the
      element content is expressed.  The permitted values are defined in
      "Codes for the representation of currencies" [ISO4217].  There is
      no default value.

3.12.5. Confidence Class

   The Confidence class represents an estimate of the validity and
   accuracy of data expressed in the document.  This estimate can be
   expressed as a category or a numeric calculation.

   +-------------------+
   | Confidence        |
   +-------------------+
   | REAL              |
   |                   |
   | ENUM rating       |
   | STRING ext-rating |
   +-------------------+

                     Figure 26: The Confidence Class

   The content of the class is of type REAL and specifies a numerical
   assessment in the confidence of the data when the value of the rating
   attribute is "numeric".  Otherwise, this element MUST be empty.

   The attributes of the Confidence class are:

   rating
      Required.  ENUM.  A qualitative assessment of confidence.  These
      values are maintained in the "Confidence-rating" IANA registry per
      Section 10.2.

      1.  low.  Low confidence.

      2.  medium.  Medium confidence.

      3.  high.  High confidence.

      4.  numeric.  The element content contains a number that conveys
          the confidence of the data.  The semantics of this number is
          outside the scope of this specification.

      5.  unknown.  The confidence rating value is not known.

      6.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-rating
      Optional.  STRING.  A means by which to extend the rating
      attribute.  See Section 5.1.1.
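   Sections 3.12 through 3.12.5 together impose several checks that a
   receiving tool has to make before it can rely on an Assessment: at
   least one of the five impact classes is present, SystemImpact type and
   TimeImpact duration values come from their registries (with ext-value
   paired with its ext-* attribute), MonetaryImpact currency is an
   ISO 4217 code, and Confidence carries content only when its rating is
   "numeric".  The following Python is an added example written for this
   page; it is not code from RFC 7970 or from any IODEF implementation.
   It assumes the IODEF v2 namespace URI from the RFC's schema section
   (not shown on this page); the sample fragment is constructed; and the
   month, quarter and year lengths used to normalise TimeImpact to hours
   are this example's convention, since the RFC fixes none.

```python
"""Check an IODEF v2 Assessment fragment against the rules of Sections 3.12
through 3.12.5.  Added example; this is not code from RFC 7970."""
import re
import xml.etree.ElementTree as ET

# IODEF v2 namespace URI (defined in the RFC's schema section, not on this page).
NS = "urn:ietf:params:xml:ns:iodef-2.0"

def q(name):
    """Qualify an IODEF class name as an ElementTree tag."""
    return f"{{{NS}}}{name}"

IMPACT_CLASSES = ("SystemImpact", "BusinessImpact", "TimeImpact",
                  "MonetaryImpact", "IntendedImpact")

SYSTEM_IMPACT_TYPES = {  # SystemImpact-type registry values, Section 3.12.1
    "takeover-account", "takeover-service", "takeover-system",
    "cps-manipulation", "cps-damage", "availability-data",
    "availability-account", "availability-service", "availability-system",
    "damaged-system", "damaged-data", "breach-proprietary", "breach-privacy",
    "breach-credential", "breach-configuration", "integrity-data",
    "integrity-configuration", "integrity-hardware", "traffic-redirection",
    "monitoring-traffic", "monitoring-host", "policy", "unknown", "ext-value"}

CONFIDENCE_RATINGS = {"low", "medium", "high", "numeric", "unknown", "ext-value"}

# Seconds per TimeImpact duration unit (Section 3.12.3).  The month, quarter
# and year lengths are this example's convention; the RFC fixes none.
SECONDS_PER_UNIT = {"second": 1, "minute": 60, "hour": 3600, "day": 86400,
                    "month": 30 * 86400, "quarter": 91 * 86400,
                    "year": 365 * 86400}

def validate_assessment(xml_text):
    """Return a list of rule violations; an empty list means the fragment passes."""
    a = ET.fromstring(xml_text)
    errors = []
    if not any(a.find(q(c)) is not None for c in IMPACT_CLASSES):
        errors.append("Assessment needs at least one impact class")
    if a.get("occurrence") not in (None, "actual", "potential"):
        errors.append(f"bad occurrence value {a.get('occurrence')!r}")
    for si in a.findall(q("SystemImpact")):
        t = si.get("type", "unknown")          # the type default is "unknown"
        if t not in SYSTEM_IMPACT_TYPES:
            errors.append(f"SystemImpact type {t!r} is not a registry value")
        elif t == "ext-value" and not si.get("ext-type"):
            errors.append("SystemImpact type ext-value requires ext-type")
    for ti in a.findall(q("TimeImpact")):
        if ti.get("metric") is None:
            errors.append("TimeImpact metric attribute is required")
        unit = ti.get("duration", "hour")      # the duration default is "hour"
        if unit == "ext-value" and not ti.get("ext-duration"):
            errors.append("TimeImpact duration ext-value requires ext-duration")
        elif unit != "ext-value" and unit not in SECONDS_PER_UNIT:
            errors.append(f"TimeImpact duration {unit!r} is not a registry value")
    for mi in a.findall(q("MonetaryImpact")):
        cur = mi.get("currency")
        if cur is not None and not re.fullmatch(r"[A-Z]{3}", cur):
            errors.append(f"currency {cur!r} is not shaped like an ISO 4217 code")
    conf = a.find(q("Confidence"))
    if conf is not None:
        rating, content = conf.get("rating"), (conf.text or "").strip()
        if rating not in CONFIDENCE_RATINGS:
            errors.append(f"Confidence rating {rating!r} is missing or unknown")
        if rating == "numeric" and not re.fullmatch(r"[0-9.]+", content):
            errors.append("Confidence rating numeric requires numeric content")
        if rating != "numeric" and content:
            errors.append("Confidence content MUST be empty unless rating is numeric")
    return errors

def time_impact_hours(xml_text):
    """Sum the TimeImpact values per metric, normalised to hours."""
    totals = {}
    for ti in ET.fromstring(xml_text).findall(q("TimeImpact")):
        unit = ti.get("duration", "hour")
        if unit not in SECONDS_PER_UNIT:
            continue                           # ext-value: unit unknown here
        seconds = float(ti.text) * SECONDS_PER_UNIT[unit]
        totals[ti.get("metric")] = totals.get(ti.get("metric"), 0.0) + seconds / 3600
    return totals

# Constructed sample (not from the RFC): a successful account takeover with
# downtime and labor figures, a monetary loss and a numeric confidence.
SAMPLE = f"""<Assessment xmlns="{NS}" occurrence="actual">
  <SystemImpact type="takeover-account" completion="succeeded" severity="high">
    <Description>Mail account compromised</Description>
  </SystemImpact>
  <BusinessImpact type="breach-credential" severity="low"/>
  <TimeImpact metric="downtime" duration="minute">90</TimeImpact>
  <TimeImpact metric="labor" duration="hour">8</TimeImpact>
  <TimeImpact metric="labor" duration="day">1</TimeImpact>
  <MonetaryImpact currency="USD" severity="low">1200</MonetaryImpact>
  <Confidence rating="numeric">0.8</Confidence>
</Assessment>"""

if __name__ == "__main__":
    print(validate_assessment(SAMPLE))   # []
    print(time_impact_hours(SAMPLE))     # {'downtime': 1.5, 'labor': 32.0}
```

   The labor and downtime totals are kept apart because Section 3.12.3
   defines them as different metrics: 32 staff-hours of recovery work
   says nothing about how long the service was unavailable.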

3.13. History Class

   The History class is a log of the significant events or actions
   performed by the involved parties during the course of handling the
   incident.  The level of detail maintained in this log is left up to
   the discretion of those handling the incident.

   +------------------------+
   | History                |
   +------------------------+
   | ENUM restriction       |<>--{1..*}--[ HistoryItem ]
   | STRING ext-restriction |
   +------------------------+

                      Figure 27: The History Class

   The aggregate classes of the History class are:

   HistoryItem
      One or more.  An entry in the history log of significant events or
      actions performed by the involved parties.  See Section 3.13.1.

   The attributes of the History class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.13.1. HistoryItem Class

The HistoryItem class is an entry in the History (Section 3.13) log that documents a particular action or event that occurred in the course of handling the incident. The details of the entry are a free-form text description, but each can be categorized with the type attribute.
   +-------------------------+
   | HistoryItem             |
   +-------------------------+
   | ENUM action             |<>----------[ DateTime       ]
   | STRING ext-action       |<>--{0..1}--[ IncidentID     ]
   | ENUM restriction        |<>--{0..1}--[ Contact        ]
   | STRING ext-restriction  |<>--{0..*}--[ Description    ]
   | ID observable-id        |<>--{0..*}--[ DefinedCOA     ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                     Figure 28: The HistoryItem Class

   The aggregate classes of the HistoryItem class are:

   DateTime
      One.  DATETIME.  A timestamp of this entry in the history log.

   IncidentID
      Zero or one.  In a history log created by multiple parties, the
      IncidentID provides a mechanism to specify which CSIRT created a
      particular entry and references this organization's tracking
      number.  When a single organization is maintaining the log, this
      class can be ignored.  See Section 3.4.

   Contact
      Zero or one.  Provides contact information for the entity that
      performed the action documented in this class.  See Section 3.9.

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      action or event.

   DefinedCOA
      Zero or more.  STRING.  An identifier meaningful to the sender and
      recipient of this document that references a course of action
      (COA).  This class MUST be present if the action attribute is set
      to "defined-coa".

   AdditionalData
      Zero or more.  EXTENSION.  A mechanism by which to extend the data
      model.
   The attributes of the HistoryItem class are:

   action
      Required.  ENUM.  Classifies a performed action or occurrence
      documented in this history log entry.  As activity will likely
      have been instigated either through a previously conveyed
      expectation or through an internal investigation, this attribute
      is identical to the action attribute of the Expectation class.
      The difference is only one of tense.  When an action is in this
      class, it has been completed.  See Section 3.15.

   ext-action
      Optional.  STRING.  A means by which to extend the action
      attribute.  See Section 5.1.1.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.
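   A consumer of a History log has two things to verify from Sections
   3.13 and 3.13.1 before it can present a timeline: every HistoryItem
   carries its required action and DateTime, and an item whose action is
   "defined-coa" also carries a DefinedCOA.  Because entries from
   several parties may arrive in any order, sorting by DateTime is the
   natural next step.  The Python below is an added example for this
   page, not code from RFC 7970 or any IODEF implementation.  It assumes
   the IODEF v2 namespace URI from the RFC's schema section; the sample
   log is constructed; the action values "investigate" and "block-host"
   are Expectation action values from Section 3.15 and ContactName with
   the role/type attributes comes from Section 3.9, none of which is on
   this page.

```python
"""Check a History log against Sections 3.13 and 3.13.1 and order its entries.
Added example; this is not code from RFC 7970."""
import xml.etree.ElementTree as ET
from datetime import datetime

# IODEF v2 namespace URI (defined in the RFC's schema section, not on this page).
NS = "urn:ietf:params:xml:ns:iodef-2.0"

def q(name):
    return f"{{{NS}}}{name}"

def validate_history(xml_text):
    """Return rule violations for a History element; an empty list means it passes."""
    history = ET.fromstring(xml_text)
    errors = []
    items = history.findall(q("HistoryItem"))
    if not items:
        errors.append("History requires at least one HistoryItem")
    for i, item in enumerate(items):
        action = item.get("action")
        if action is None:
            errors.append(f"HistoryItem[{i}] lacks the required action attribute")
        if item.find(q("DateTime")) is None:
            errors.append(f"HistoryItem[{i}] lacks the required DateTime")
        if action == "defined-coa" and item.find(q("DefinedCOA")) is None:
            errors.append(f"HistoryItem[{i}] action defined-coa requires DefinedCOA")
        if action == "ext-value" and not item.get("ext-action"):
            errors.append(f"HistoryItem[{i}] action ext-value requires ext-action")
    return errors

def timeline(xml_text):
    """Return (timestamp, action, who, description) tuples in chronological
    order.  Contact and Description are optional, so missing ones become None."""
    rows = []
    for item in ET.fromstring(xml_text).findall(q("HistoryItem")):
        when = datetime.fromisoformat(
            item.find(q("DateTime")).text.replace("Z", "+00:00"))
        who = item.find(f"{q('Contact')}/{q('ContactName')}")
        desc = item.find(q("Description"))
        rows.append((when, item.get("action"),
                     who.text if who is not None else None,
                     desc.text if desc is not None else None))
    rows.sort(key=lambda r: r[0])
    return rows

# Constructed sample (not from the RFC).  The entries are deliberately out of
# order.  "investigate" and "block-host" are Expectation action values from
# Section 3.15 and ContactName is from Section 3.9; neither is on this page.
SAMPLE_HISTORY = f"""<History xmlns="{NS}">
  <HistoryItem action="block-host">
    <DateTime>2024-03-01T11:00:00Z</DateTime>
    <Contact role="admin" type="organization"><ContactName>Example NOC</ContactName></Contact>
    <Description>Blocked 192.0.2.10 at the border</Description>
  </HistoryItem>
  <HistoryItem action="investigate">
    <DateTime>2024-03-01T10:15:00Z</DateTime>
    <Description>Triage started on the alert</Description>
  </HistoryItem>
  <HistoryItem action="defined-coa">
    <DateTime>2024-03-01T12:30:00Z</DateTime>
    <DefinedCOA>COA-17</DefinedCOA>
    <Description>Applied the agreed course of action</Description>
  </HistoryItem>
</History>"""

if __name__ == "__main__":
    print(validate_history(SAMPLE_HISTORY))   # []
    for row in timeline(SAMPLE_HISTORY):
        print(row)
```

   The validator reports the index of the offending entry rather than
   rejecting the whole log, which matches how a multi-party log is
   usually repaired: the CSIRT that wrote the entry is asked to fix it.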

3.14. EventData Class

   The EventData class is a container class to organize data about
   events that occurred during an incident.

   +-------------------------+
   | EventData               |
   +-------------------------+
   | ENUM restriction        |<>--{0..*}--[ Description    ]
   | STRING ext-restriction  |<>--{0..1}--[ DetectTime     ]
   | ID observable-id        |<>--{0..1}--[ StartTime      ]
   |                         |<>--{0..1}--[ EndTime        ]
   |                         |<>--{0..1}--[ RecoveryTime   ]
   |                         |<>--{0..1}--[ ReportTime     ]
   |                         |<>--{0..*}--[ Contact        ]
   |                         |<>--{0..*}--[ Discovery      ]
   |                         |<>--{0..1}--[ Assessment     ]
   |                         |<>--{0..*}--[ Method         ]
   |                         |<>--{0..*}--[ Flow           ]
   |                         |<>--{0..*}--[ Expectation    ]
   |                         |<>--{0..1}--[ Record         ]
   |                         |<>--{0..*}--[ EventData      ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                     Figure 29: The EventData Class

   The aggregate classes of the EventData class are:

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      event.

   DetectTime
      Zero or one.  DATETIME.  The time the event was detected.

   StartTime
      Zero or one.  DATETIME.  The time the event started.

   EndTime
      Zero or one.  DATETIME.  The time the event ended.

   RecoveryTime
      Zero or one.  DATETIME.  The time the site recovered from the
      event.

   ReportTime
      Zero or one.  DATETIME.  The time the event was reported.

   Contact
      Zero or more.  Contact information for the parties involved in the
      event.  See Section 3.9.

   Discovery
      Zero or more.  The means by which the event was detected.  See
      Section 3.10.

   Assessment
      Zero or one.  The impact of the event on the victim and the
      actions taken.  See Section 3.12.

   Method
      Zero or more.  The technique used by the threat actor in the
      event.  See Section 3.11.

   Flow
      Zero or more.  A description of the systems or networks involved.
      See Section 3.16.

   Expectation
      Zero or more.  The expected action to be performed by the
      recipient for the described event.  See Section 3.15.

   Record
      Zero or one.  Supportive data (e.g., log files) that provides
      additional information about the event.  See Section 3.22.

   EventData
      Zero or more.  A recursive definition of the EventData class.  See
      Section 3.14.2 for an explanation on using this class.

   AdditionalData
      Zero or more.  EXTENSION.  An extension mechanism for data not
      explicitly represented in the data model.

   At least one of the aggregate classes MUST be present in an instance
   of the EventData class.

   The attributes of the EventData class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.  The default value is
      "default".

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.
   observable-id
      Optional.  ID.  See Section 3.3.2.

3.14.1. Relating the Incident and EventData Classes

There is substantial overlap in the child classes aggregated in the Incident and EventData classes. Nevertheless, the semantics of these classes are quite different. The Incident class provides summary information about the entire incident, while the EventData class provides information about the individual events comprising the incident. In the common case, the EventData class will provide more specific information for the general description provided in the Incident class. However, in the case where the summarized information in the Incident class conflicts with the detailed information in an EventData class, the more specific EventData class MUST supersede the more generic information provided in the Incident class.

3.14.2. Recursive Definition of EventData

The EventData class is a container for the properties of an event in an incident. These properties include: the hosts involved, impact of the incident activity on the hosts, forensic logs, etc. The recursive definition of EventData allows for the grouping of related information with common properties. This approach eliminates the need for explicit identifiers to relate information or duplicate it. Instead, the relative depth (nesting) of a class is used to group (relate) information. For example, consider a case where two hosts experience different impacts during an incident. However, these two hosts have common contact information. A depiction of how this situation would be represented can be found in Figure 30. EventData (2) and (3) group each of the two hosts with their unique impact. EventData (1) describes the common Contact class these two hosts share.
   +------------------+
   | EventData (1)    |
   +------------------+
   |                  |<>----[ Contact    ]
   |                  |
   |                  |<>----[ EventData (2) ]<>----[ Flow       ]
   |                  |      [               ]<>----[ Assessment ]
   |                  |
   |                  |<>----[ EventData (3) ]<>----[ Flow       ]
   |                  |      [               ]<>----[ Assessment ]
   +------------------+

                Figure 30: Recursion in the EventData Class
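   Sections 3.14.1 and 3.14.2 describe two rules a consumer has to apply
   when it flattens an incident into per-host records: a class stated at
   an outer level (the shared Contact of EventData (1) in Figure 30)
   applies to every EventData nested beneath it, and a class stated at a
   more specific level supersedes the summary given further out, the
   Incident itself included.  The Python below is an added example for
   this page, not code from RFC 7970 or any IODEF implementation.  Its
   sample mirrors Figure 30 but goes one step further: EventData (3)
   states no Assessment of its own, so it falls back to the Incident's
   summary Assessment, which is this example's reading of the precedence
   rule.  It assumes the IODEF v2 namespace URI from the RFC's schema
   section, and the Incident, Flow/System/Node/Address and ContactName
   elements with their attributes come from Sections 3.2, 3.9 and
   3.16-3.18, none of which is on this page; the sample is constructed
   and deliberately minimal rather than schema-complete.

```python
"""Flatten nested IODEF EventData, applying the grouping of Section 3.14.2 and
the precedence rule of Section 3.14.1.  Added example; not code from RFC 7970."""
import xml.etree.ElementTree as ET

# IODEF v2 namespace URI (defined in the RFC's schema section, not on this page).
NS = "urn:ietf:params:xml:ns:iodef-2.0"

def q(name):
    return f"{{{NS}}}{name}"

# Classes that, once stated at one level, apply to every EventData nested
# beneath it until a deeper level states its own.
SHARED = ("Contact", "Assessment")

def _impact(assessment):
    """Summarize an Assessment by its first SystemImpact type."""
    si = assessment.find(q("SystemImpact"))
    return si.get("type", "unknown") if si is not None else None

def resolve_events(eventdata, context=None):
    """Return one dict per leaf EventData.  `context` holds the SHARED classes
    in force from enclosing levels (the Incident summary first, then each
    enclosing EventData); a deeper definition replaces an outer one."""
    if len(eventdata) == 0:
        raise ValueError("EventData MUST contain at least one aggregate class")
    context = dict(context or {})
    for name in SHARED:
        own = eventdata.find(q(name))
        if own is not None:
            context[name] = own
    children = eventdata.findall(q("EventData"))
    if not children:
        # Flow/System/Node/Address and ContactName come from Sections 3.16-3.18
        # and 3.9, which are not on this page.
        addr = eventdata.find(f"{q('Flow')}/{q('System')}/{q('Node')}/{q('Address')}")
        contact = context.get("Contact")
        name = contact.find(q("ContactName")) if contact is not None else None
        assessment = context.get("Assessment")
        return [{"address": addr.text if addr is not None else None,
                 "contact": name.text if name is not None else None,
                 "impact": _impact(assessment) if assessment is not None else None}]
    leaves = []
    for child in children:
        leaves.extend(resolve_events(child, context))
    return leaves

def resolve_incident(xml_text):
    """Resolve every top-level EventData of an Incident, seeding the context
    with the Incident's summary Assessment so that an event without its own
    Assessment falls back to the summary."""
    incident = ET.fromstring(xml_text)
    summary = incident.find(q("Assessment"))
    context = {"Assessment": summary} if summary is not None else {}
    leaves = []
    for ed in incident.findall(q("EventData")):
        leaves.extend(resolve_events(ed, context))
    return leaves

# Constructed, minimal (not schema-complete) sample.  It mirrors Figure 30:
# EventData (1) holds the shared Contact, (2) and (3) each hold a Flow; only
# (2) states its own Assessment, so (3) inherits the Incident summary.
SAMPLE_INCIDENT = f"""<Incident xmlns="{NS}" purpose="reporting">
  <IncidentID name="csirt.example.com">INC-2024-0042</IncidentID>
  <GenerationTime>2024-03-01T12:00:00Z</GenerationTime>
  <Assessment><SystemImpact type="unknown"/></Assessment>
  <EventData>
    <Contact role="admin" type="organization"><ContactName>Example NOC</ContactName></Contact>
    <EventData>
      <Flow><System category="target"><Node>
        <Address category="ipv4-addr">192.0.2.10</Address></Node></System></Flow>
      <Assessment><SystemImpact type="takeover-system"/></Assessment>
    </EventData>
    <EventData>
      <Flow><System category="target"><Node>
        <Address category="ipv4-addr">192.0.2.11</Address></Node></System></Flow>
    </EventData>
  </EventData>
</Incident>"""

if __name__ == "__main__":
    for leaf in resolve_incident(SAMPLE_INCIDENT):
        print(leaf)
```

   Copying the context dict at each level is what keeps a sibling's
   Assessment from leaking sideways: EventData (2)'s takeover-system
   applies to 192.0.2.10 only, while 192.0.2.11 keeps the summary value.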


