For the exchange of cybersecurity information to occur as messages between any two entities, it must be structured and described in some consistent manner that is understood by both of those entities. This section describes specifications that enable this exchange. The goal is to make it easier to share cybersecurity information that often includes "common enumerations," that is, ordered lists of well-established information values for the same data type. Common enumeration allows distributed databases and other capabilities to be linked together, and facilitates cybersecurity-related comparisons.
[ed. Some existing specifications are simply identified; while others are being imported as X-series specifications. The choice of treatment has primarily to do with the degree of specialization of the “owning” user community and the globalization benefits derived by the importing. Generic vulnerability and incident specifications, for example, have broad applicability; while LEA information exchange specifications do not.]
These structured information capabilities are organized into several exchange “clusters” for distinct cybersecurity user groups and requirements. Identified needs include:
In addition, these structured information capabilities have dependencies and other kinds of relationships, including interoperability, which are shown below.

The following specifications are included as part of the framework for the purpose of exchanging vulnerability information or mitigating vulnerabilities. The cluster includes extensions of these specifications that are specific to applications such as SmartGrid and eHealth IT cybersecurity.
Rec. ITU-T X.cwe (document not available CWE - MITRE), Common Weakness Enumeration (CWE). Common Weakness Enumeration is an XML/XSD based specification for exchanging unified, measurable sets of software weaknesses that enable more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code and operational systems as well as better understanding and management of software weaknesses related to architecture and design.
Rec. ITU-T X.cwss (document not available CWSS - MITRE), Common Weakness Scoring System (CWSS). The Common Weakness Scoring System specification provides for an open framework for communicating the characteristics and impacts of software weakness.
Rec. ITU-T X.cve, Common Vulnerabilities and Exposures (CVE). Common Vulnerabilities and Exposures is an XML based specification for exchanging information security vulnerabilities and exposures that aims to provide common names for publicly known problems. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration." CVE is designed to allow vulnerability databases and other capabilities to be linked together, and to facilitate the comparison of security tools and services. As such, CVE does not contain information such as risk, impact, fix information, or detailed technical information. CVE only contains the standard identifier number with status indicator, a brief description, and references to related vulnerability reports and advisories.
The intention of CVE is to be comprehensive with respect to all publicly known vulnerabilities and exposures. While CVE is designed to contain mature information, the primary focus is on identifying vulnerabilities and exposures that are detected by security tools and any new problems that become public, and then addressing any older security problems that require validation.
Rec. ITU-T X.cvss, Common Vulnerability Scoring System (CVSS). The Common Vulnerability Scoring System specification provides for an open framework for communicating the characteristics and impacts of IT vulnerabilities. CVSS consists of 3 groups: Base, Temporal and Environmental. Each group produces a numeric score ranging from 0 to 10, and a Vector, a compressed textual representation that reflects the values used to derive the score. The Base group represents the intrinsic qualities of a vulnerability. The Temporal group reflects the characteristics of a vulnerability that change over time. The Environmental group represents the characteristics of a vulnerability that are unique to any user's environment. CVSS enables IT managers, vulnerability bulletin providers, security vendors, application vendors and researchers to all benefit by adopting a common language of scoring IT vulnerabilities.
Rec. ITU-T X.oval (document not available OVAL - MITRE ), Open Vulnerability and Assessment Language (OVAL). Open Vulnerability and Assessment Language is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details, and an assortment of content repositories held throughout the community. The language standardizes the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of this assessment. The repositories are collections of publicly available and open content that utilize the language.
Three OVAL schemas written in Extensible Markup Language (XML) have been developed to serve as the framework and vocabulary of the OVAL Language. These schemas correspond to the three steps of the assessment process: an OVAL System Characteristics schema for representing system information, an OVAL Definition schema for expressing a specific machine state, and an OVAL Results schema for reporting the results of an assessment.
Rec. ITU-T X.scap (document not available SCAP - NIST), Security Content Automation Protocol (SCAP). The Security Content Automation Protocol comprises specifications for organizing and expressing security-related information in standardized ways, as well as related reference data such as unique identifiers for vulnerabilities. This technical specification describes the requirements and conventions that are to be employed to ensure the consistent and accurate exchange of SCAP content and the ability of the content to reliably operate on SCAP validated tools. The initial version is comprised of the six specifications: XCCDF, OVAL, CPE, CCE, CVE, and CVSS. These specifications are grouped into three categories: languages, enumerations, and vulnerability measurement and scoring systems.
Rec. ITU-T X.xccdf (document not available XCCDF - NIST), eXtensible Configuration Checklist Description Format (XCCDF). The eXtensible Configuration Checklist Description Format is a specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for some set of target systems. The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The specification also defines a data model and format for storing results of benchmark compliance testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists, benchmarks, and other configuration guidance, and thereby foster more widespread application of good security practices. XCCDF documents are expressed in XML.
Rec. ITU-T X.cpe (document not available CPE - MITRE), Common Platform Enumeration (CPE). Common Platform Enumeration is a structured naming scheme for information technology systems, platforms, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a language for describing complex platforms, a method for checking names against a system, and a description format for binding text and tests to a name.
Rec. ITU-T XX.cce (document not available CCE - MITRE), Common Configuration Enumeration (CCE). Common Configuration Enumeration provides unique identifiers to system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. For example, CCE Identifiers can be used to associate checks in configuration assessment tools with statements in configuration best-practice documents.
Rec. ITU-T X.crf (document not available CRF - MITRE), Common Result Format (CRF). Common Result Format is a standardized IT asset assessment result format that facilitates the exchange of assessment results among systems to increase tool interoperability and allow for the aggregation of those results across large enterprises that utilize diverse technologies to detect patch levels, policy compliance, vulnerability, asset inventory, and other tasks. CRF leverages existing standardization efforts for common names and naming schemes to report the findings for assets.

The following specifications are included as part of the framework for the purpose of exchanging event, incident or heuristic information.
Rec. ITU-T X.cee (document not available CEE - MITRE), Common Event Expression (CEE). Common Event Expression standardizes the way computer events are described, logged, and exchanged. By using CEE’s common language and syntax, enterprise-wide log management, correlation, aggregation, auditing, and incident handling can be performed more efficiently and produce better results. The primary goal of the effort is to standardize the representation and exchange of logs from electronic systems. CEE breaks the recording and exchanging of logs into four (4) components: the event taxonomy, log syntax, log transport, and logging recommendations.
Rec. ITU-T X.iodef (document not available), Incident Object Description Exchange Format (IODEF). The Incident Object Description Exchange Format defines a data representation that provides a framework for the exchange of information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer security incidents. This document describes the information model for the IODEF and provides an associated data model specified with XML Schema.
[ed. Check on IDM work and relevancy to exchange of IODEF messages.]
Rec. ITU-T X.capec (document not available CAPEC - MITRE), Common Attack Pattern Enumeration and Classification (CAPEC). CAPEC is an XML/XSD based specification for the identification, description, and enumeration of attack patterns. Attack patterns are a powerful mechanism to capture and communicate the attacker’s perspective. They are descriptions of common methods for exploiting software. They derive from the concept of design patterns applied in a destructive rather than constructive context and are generated from in-depth analysis of specific real-world exploit examples. The objective of CAPEC is to provide a publicly available catalog of attack patterns along with a comprehensive schema and classification taxonomy.
The following specifications are included as part of the framework for the purpose of exchanging specialized event, incident or heuristic information.
Rec. ITU-T X.teef, Cyber Attack Tracing Event Exchange Format. The Cyber Attack Tracing Event Exchange Format defines a data representation that provides a framework for the exchange of information by Computer Security Incident Response Teams (CSIRTs) about the source and path of computer security incidents. This document describes the information model for TEEF and provides an associated data model specified with XML Schema.
Rec. ITU-T X.dpi (document not available - see Y.dpireq in the Appendix), Deep Packet Inspection Exchange Format. The Deep Packet Inspection Exchange Format defines a data representation that provides a framework for the exchange of information by Computer Security Incident Response Teams (CSIRTs) about the attributes of packet payloads associated with computer security incidents. This document describes the information model for DPI and provides an associated data model specified with XML Schema.
Rec. ITU-T X.pfoc (document not available), Phishing, Fraud, and Other Crimeware Exchange Format. The Phishing, Fraud, and Other Crimeware Exchange Format extends the Incident Object Description Exchange Format (IODEF) to support the reporting of phishing, fraud, and other types of electronic crime. The extensions also support the exchange of information about widespread spam incidents. These extensions are flexible enough to support information gleaned from activities throughout the entire electronic fraud or spam cycle. Both simple reporting and complete forensic reporting are possible, as is consolidating multiple incidents.
[ed. Consider if newly created IEEE Computer Security Group (ICSG) for development of a Malware Exchange Format specification should be included in this section of X.cybex.]
Rec. ITU-T X.gridf (document not available), SmartGrid Incident Exchange Format. The SmartGrid Incident Exchange Format defines a data representation that provides a framework for the exchange of information by Computer Security Incident Response Teams (CSIRTs) about the attributes of SmartGrid security incidents. This document describes the information model for SmartGrid Security Incident exchanges and provides an associated data model specified with XML Schema. (Linked document: Draft Terms of Reference for the Correspondence Group on ITU-T SmartGrid Security Activity.)

The following specifications are included as part of the framework for the purpose of exchanging law enforcement authority or juridical evidence information.
ETSI TS102232 (document not available), Handover Interface and Service-Specific Details (SSD) for IP delivery. The Handover Interface and Service-Specific Details (SSD) for IP delivery specification defines a data representation that provides a framework for the exchange of information between a network mediation point and a law enforcement facility to provide an array of different real time network forensics associated with a designated incident or event. This document describes the information model and provides an associated data model specified with ASN.1 modules.
ETSI TS102657 (document not available), Handover Interface for the Request and Delivery of Retained Data. The Handover Interface for the Request and Delivery of Retained Data specification defines a data representation that provides a framework for the exchange of information between a network mediation point and a law enforcement facility to provide an array of different stored network forensics associated with a designated incident or event. This document describes the information model and provides an associated data model specified with ASN.1 modules and XML schema.
IETF RFC3924, Architecture for Lawful Intercept in IP Networks. The Architecture for Lawful Intercept in IP Networks specification defines a data representation that provides a framework for the exchange of information between a network access point and a provider mediation facility to provide an array of different real time network forensics associated with a designated incident or event. This document describes the information model and provides an associated data model specified with ASN.1 modules.
3GPP TS23.271 (document not available), Handover for Location Services. The Handover Interface for Location Services specification defines a data representation that provides a framework for the exchange of information between a network mediation point and an external facility to provide real-time or stored location forensics associated with a network device. This document describes the information model and provides an associated data model specified with ASN.1 modules and XML schema.
EDRM (document not available), Electronic Discovery Reference Model. The Electronic Discovery Reference Model specification defines a data representation that provides a framework for the exchange of information between a network mediation point and a juridical designated party to request and provide an array of different stored network forensics associated with a designated incident or event. This document describes the information model and provides an associated data model specified with XML schema.
Rec. ITU-T X.dexf, Digital Evidence Exchange File Format. The Digital Evidence Exchange File Format specification defines structures and data elements for structured digital evidence file exchange. Electronic evidence means information and data of investigative value that is stored on or transmitted by an electronic device. The primary purpose of the digital evidence exchange file format is interoperability of digital forensic systems. It does not include any protection scheme.

The following specifications are included as part of the framework for the purpose of requesting cybersecurity heuristics and information.
Rec. ITU-T X.chirp (document not available), Cybersecurity Heuristics and Information Request Protocol. Cybersecurity Heuristics and Information Request Protocol defines a flexible data representation that provides a framework for requesting information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer security incidents. This document describes the information model for CHIRP and provides an associated data model specified with XML Schema.
The following text has been taken verbatim from ITU-T TD 0503 Rev.1 Proposed initial draft text for Rec. ITU-T X.cybex, Cybersecurity information exchange framework document. Linked documents and links to other materials are not present in the original document but are added for your convenience. The text below is only an excerpt from the full text, section numeration is retained as it is in the original document.