MILE Working GroupInternet Engineering Task Force (IETF) T. TakahashiInternet-DraftRequest for Comments: 7203 NICTIntended status:Category: Standards Track K. LandfieldExpires: July 18, 2014ISSN: 2070-1721 McAfeeT. Millar USCERTY. Kadobayashi NAISTJan 14,April 2014IODEF-extensionAn Incident Object Description Exchange Format (IODEF) Extension forstructured cybersecurity information draft-ietf-mile-sci-13.txtStructured Cybersecurity Information Abstract This document extends the Incident Object Description Exchange Format (IODEF) defined in RFC 5070[RFC5070]to exchange enriched cybersecurity information among security experts at organizations andfacilitatesfacilitate their operations. It provides a well-defined pattern to consistently embed structured information, such as identifier- and XML-based information. Status ofthisThis Memo ThisInternet-Draftissubmitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documentsan Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF).Note that other groups may also distribute working documents as Internet-Drafts. The listIt represents the consensus ofcurrent Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents validthe IETF community. It has received public review and has been approved fora maximumpublication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 ofsix monthsRFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may beupdated, replaced, or obsoleted by other documentsobtained atany time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on July 18, 2014.http://www.rfc-editor.org/info/rfc7203. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . 3....................................................3 2. Terminology. . . . . . . . . . . . . . . . . . . . . . . . . 3.....................................................3 3. Applicability. . . . . . . . . . . . . . . . . . . . . . . . 4...................................................4 4. Extension Definition. . . . . . . . . . . . . . . . . . . . . 5............................................5 4.1. IANA Table for Structured Cybersecurity Information. . . 5........5 4.2. Extended Data Type: XMLDATA. . . . . . . . . . . . . . . 6................................6 4.3. Extending IODEF. . . . . . . . . . . . . . . . . . . . . 6............................................6 4.4. Basic Structure of the Extension Classes. . . . . . . . . 7...................8 4.5. Defining Extension Classes. . . . . . . . . . . . . . . . 9.................................9 4.5.1. AttackPattern. . . . . . . . . . . . . . . . . . . . 9.......................................9 4.5.2. Platform. . . . . . . . . . . . . . . . . . . . . . . 10...........................................10 4.5.3. Vulnerability. . . . . . . . . . . . . . . . . . . . 10......................................11 4.5.4. Scoring. . . . . . . . . . . . . . . . . . . . . . . 11............................................11 4.5.5. Weakness. . . . . . . . . . . . . . . . . . . . . . . 12...........................................12 4.5.6. EventReport. . . . . . . . . . . . . . . . . . . . . 13........................................13 4.5.7. Verification. . . . . . . . . . . . . . . . . . . . . 14.......................................14 4.5.8. Remediation. . . . . . . . . . . . . . . . . . . . . 15........................................15 5.Mandatory to Implement features . . . . . . . . . . . . . . . 15Mandatory-to-Implement Features ................................15 5.1. An Example XML. . . . . . . . . . . . . . . . . . . . . . 16Document ...................................16 5.2. An XML Schema for the Extension. . . . . . . . . . . . . 18...........................18 6. Security Considerations. . . . . . . . . . . . . . . . . . . 22........................................20 6.1. Transport-Specific Concerns. . . . . . . . . . . . . . . 22...............................20 6.2. Protection of Sensitive and Private Information. . . . . 23...........21 6.3. Application and Server Security. . . . . . . . . . . . . 24...........................22 7. IANA Considerations. . . . . . . . . . . . . . . . . . . . . 24............................................22 8.Acknowledgment . . . . . . . . . . . . . . . . . . . . . . . . 26Acknowledgments ................................................24 9. References. . . . . . . . . . . . . . . . . . . . . . . . . . 26.....................................................24 9.1. Normative References. . . . . . . . . . . . . . . . . . . 26......................................24 9.2. Informative References. . . . . . . . . . . . . . . . . . 27 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29....................................26 1. Introduction The number of incidents in cyber society is growing day by day. Incident information needs to be reported, exchanged, and shared among organizations in order to cope with the situation. IODEF is one of the tools already in use that enables such an exchange. To more efficiently run security operations, information exchanged between organizations needs to be machine readable. IODEF provides a means to describe the incident information, but it often needs to include various non-structured types of incident-related data in order to convey more specific details about what is occurring. Further structure within IODEF increases the machine-readability of thedocumentdocument, thus providing a means for better automating certain security operations. Within the security community there exist various means for specifying structured descriptions of cybersecurityinformationinformation, such as[CAPEC][CCE][CCSS][CEE][CPE][CVE][CVRF][CVSS][CWE][CWSS][MAEC] [OCIL][OVAL][SCAP][XCCDF].[CAPEC], [CCE], [CCSS], [CEE], [CPE], [CVE], [CVRF], [CVSS], [CWE], [CWSS], [MAEC], [OCIL], [OVAL], [SCAP], and [XCCDF]. In this context, cybersecurity information encompasses a broad range of structured data representation types that may be used to assess or report on the security posture of an asset or set of assets. Such structured descriptionsfacilitatesfacilitate a better understanding of an incident while enabling more streamlined automated security operations. Because of this, it would be beneficial to embed and convey these types of information inside IODEF documents. This document extends IODEF to embed and convey various types of structured information. Since IODEF defines a flexible and extensible format and supports a granular level of specificity, this document defines an extension to IODEF instead of defining a new report format. For clarity, and to eliminate duplication, only the additional structures necessary for describing the exchange of such structured information are provided. 2. Terminology The terminology used in this document follows theoneterminology defined in RFC 5070 [RFC5070]. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 3. Applicability To maintain awareness of the continually changing security threat landscape,organization needsorganizations need to exchange cybersecurity information, which includes the following information: attack pattern, platform information, vulnerability and weakness, countermeasure instruction, computer event logs, and severity assessments. IODEF provides a scheme to describe and exchange such information among interested parties. However, it does not define the detailed formats to specify such information. There alreadyexistsexist structured and detailed formats for describing these types of information that can be used in facilitating such an exchange. They include[CAPEC][CCE][CCSS][CEE][CPE] [CVE][CVRF][CVSS][CWE][CWSS][MAEC][OCIL][OVAL][SCAP][XCCDF].[CAPEC], [CCE], [CCSS], [CEE], [CPE], [CVE], [CVRF], [CVSS], [CWE], [CWSS], [MAEC], [OCIL], [OVAL], [SCAP], and [XCCDF]. By embedding them into the IODEF document, the document can convey more detailed context information to the receivers, and the document can be easily reused. The use of formats for structured informationformatsfacilitates more advanced security operations on the receiver side. Since the information is machine readable, the data can be processed bycomputerscomputers, thus allowing better automation of security operations. For instance, an organization wishing to report a security incident wants to describe what vulnerability was exploited. In thiscasecase, the sender can simply use IODEF, where an XML-based [XML1.0] attack pattern record that follows the syntax and vocabulary defined by an industry specification is embedded, instead of describing everything infree formfree-form text. The receiver can identify the needed details of the attack pattern by looking up some of the XML tags defined by the specification. The receiver can accumulate the attack pattern record in its database and could distribute it to the interested parties as needed, all without requiring humaninterventions.intervention. In another example, an administrator is investigating an incident and has detected a configuration problem that he wishes to share with a partner organization to prevent the same event fromoccurring. He accessesoccurring at the partner organization. To confirm that the configurationinformationwas in fact vulnerable, he uses an internal repository to access configuration information that was gathered prior to the initial attack and that is specific to a new vulnerabilityalert to confirm the configuration was in fact vulnerable.alert. He uses this information to automatically generate an XML-based software configuration description, embed it in an IODEF document, and send the resulting IODEF document to the partner organization. 4. Extension Definition This document extends IODEF to embed structured information by introducing new classes that can be embedded consistently inside an IODEF document as element contents of the AdditionalData and RecordItemclasses.classes [RFC5070]. 4.1. IANA Table for Structured Cybersecurity Information This extension embeds structured cybersecurity information (SCI) defined by other specifications. The list of supported specifications is managed by IANA, and this document defines the needed fields for the list's entry. Each entry for each specification has the namespace [XMLNames], specification name, version, reference URI, and applicableclasses for each specification.classes. Arbitrary URIs that may help readerstounderstand the specification could be embedded inside the Reference URI field, but it is recommended that a standard/informational URI describing the specificationisbe prepared andisembedded here. The initial IANA table has only one entry, asbelow.follows: Namespace: urn:ietf:params:xml:ns:mile:mmdef:1.2 Specification Name: Malware Metadata Exchange Format Version: 1.2 Reference URI:http://standards.ieee.org/develop /indconn/icsg/mmdef.html, http://grouper.ieee.org/groups /malware/malwg/Schema1.2/<http://standards.ieee.org/develop /indconn/icsg/mmdef.html>, <http://grouper.ieee.org/groups /malware/malwg/Schema1.2/> Applicable Classes: AttackPattern Note that the specification was developed by The Institute of Electrical and Electronics Engineers, Incorporated (IEEE), through the Industry Connections Security Group (ICSG) of its Standards Association. The table isto bemanaged byIANAIANA, following the allocation policy specified in Section 7. The SpecID attributes of extension classes (Section 4.5) must allow the values of the specifications' namespace fields, butotherwise,implementations are otherwise not required to support all specifications of the IANA table and may choose which specifications tosupport, thoughsupport. However, at a minimum, the specification listed in the initial IANA table needs to beminimallysupported, as described in Section 5.In caseIf an implementation receivedadata that it does not support, it may expand its functionality by looking up the IANA table or notify the sender of its inability to parse the data. Note that thelook-uplookup could be done manually or automatically, but automatic download of data from IANA's website is notrecommendedrecommended, since it is not designed for mass retrieval of data by multiple devices. 4.2. Extended Data Type: XMLDATA This extension inherits all of the data types defined in the IODEF data model. One data type is added: XMLDATA.An embeddedEmbedded XML data is represented by the XMLDATA data type. This type is defined as the extension to the iodef:ExtensionType [RFC5070], whose dtype attribute is set to "xml". 4.3. Extending IODEF This document defines eight extension classes, namely AttackPattern, Platform, Vulnerability, Scoring, Weakness, EventReport,VerificationVerification, and Remediation. Figure 1 describes the relationships between the IODEF Incident class [RFC5070] and the newly defined classes. It is expressed in Unified Modeling Language (UML) syntaxas with theper RFC 5070 [RFC5070]. The UML representation is for illustrative purposes only; elements are specified in XML as defined in Section 5.2. +---------------+ | Incident | +---------------+ | ENUM purpose |<>---------[IncidentID] | STRING |<>--{0..1}-[AlternativeID] | ext-purpose |<>--{0..1}-[RelatedActivity] | ENUM lang |<>--{0..1}-[DetectTime] | ENUM |<>--{0..1}-[StartTime] | restriction |<>--{0..1}-[EndTime] | |<>---------[ReportTime] | |<>--{0..*}-[Description] | |<>--{1..*}-[Assessment] | |<>--{0..*}-[Method] | | |<>--{0..*}-[AdditionalData] | | |<>--{0..*}-[AttackPattern] | | |<>--{0..*}-[Vulnerability] | | |<>--{0..*}-[Weakness] | |<>--{1..*}-[Contact] | |<>--{0..*}-[EventData] | | |<>--{0..*}-[Flow] | | | |<>--{1..*}-[System] | | | |<>--{0..*}-[AdditionalData] | | | |<>--{0..*}-[Platform] | | |<>--{0..*}-[Expectation] | | |<>--{0..1}-[Record] | | |<>--{1..*}-[RecordData] | | |<>--{1..*}-[RecordItem] | | |<>--{0..*}-[EventReport] | |<>--{0..1}-[History] | |<>--{0..*}-[AdditionalData] | | |<>--{0..*}-[Verification] | | |<>--{0..*}-[Remediation] +---------------+ Figure 1: IncidentclassClass 4.4. Basic Structure of the Extension Classes Figure 2 shows the basic structure of the extension classes. Some of the extension classes have extra elements as defined in Section 4.5, but the basic structure is the same. +---------------------+ | New Class Name | +---------------------+ | ENUM SpecID |<>--(0..*)-[ RawData ] | STRING ext-SpecID |<>--(0..*)-[ Reference ] | STRING ContentID | +---------------------+ Figure 2: Basic Structure Three attributes are defined asbelow.indicated below: SpecID: REQUIRED. ENUM. A specification's identifier that specifies the format ofastructured information. The value should be chosen from the namespaces [XMLNames] listed in the IANA table (Section 4.1) or "private". The value "private" is prepared for conveying structured information based on a format that is not listed in the table. This is usually used for conveying data formatted according to an organization's private schema. When the value "private" is used, ext-SpecID element MUST be used. ext-SpecID: OPTIONAL. STRING. A specification's identifier that specifies the format ofastructured information. This is usually used to support a private schema that is not listed in the IANA table (Section 4.1). This attribute MUST be used only when the value of the SpecID element is "private." ContentID: OPTIONAL. STRING. An identifier ofastructured information. Depending on the extension classes, the content of the structured information differs. This attribute enables IODEF documents tocoveyconvey the identifier ofathe structured information instead of conveying the information itself. Likewise,threetwo elements are defined asbelow.indicated below: RawData: Zero or more. XMLDATA. An XML document ofastructured information. This is a complete document that is formatted according to the specification and its version identified by the SpecID/ext-SpecID. When this element is used, writers/senders MUST ensure that the namespace specified by SpecID/ext-SpecID and the schema of the XML are consistent; if not, the namespace identified by SpecID SHOULD be preferred, and the inconsistency SHOULD be logged so a human can correct the problem. Reference: Zero or more of iodef:Reference [RFC5070]. A reference toastructured information. This element allows an IODEF document to include a link toastructured information instead of directly embedding it into a RawData element. ThoughContentID, RawData,ContentID is an optional attribute, and RawData and Reference are optionalattribute andelements, one of them MUST be used to convey structured information. Notethatthat, in order to avoid confusing the receiver, only one of them SHOULD beused to avoid confusing the receiver.used. 4.5. Defining Extension Classes This document definesthe following seveneight extensionclasses.classes, as described in the subsections that follow. 4.5.1. AttackPattern An AttackPattern is an extension class to the Incident.Method.AdditionalData element with a dtype of "xml". It describes attack patterns of incidents or events. It is RECOMMENDED that the Method class [RFC5070] contain the extension elements whenever available. An AttackPattern class is structured asfollows.follows: +---------------------+ | AttackPattern | +---------------------+ | ENUM SpecID |<>--(0..*)-[ RawData ] | STRING ext-SpecID |<>--(0..*)-[ Reference ] | STRING ContentID |<>--(0..*)-[ Platform ] +---------------------+ Figure 3: AttackPatternclassClass This class has the followingattributes.attributes: SpecID: REQUIRED. ENUM. See Section 4.4. ext-SpecID: OPTIONAL. STRING. See Section 4.4. ContentID: OPTIONAL. STRING. An identifier ofanattack pattern information. See Section 4.4. Likewise, this class has the followingelements.elements: RawData: Zero or more. XMLDATA. An XML document ofanattack pattern information. See Section 4.4. Reference: Zero or more. A reference toanattack pattern information. See Section 4.4. Platform: Zero or more. An identifier of the software platform involved in the specific attack pattern. See Section 4.5.2. 4.5.2. Platform A Platform is an extension class that identifies a software platform. It is RECOMMENDED that the AttackPattern, Vulnerability, Weakness, and System [RFC5070] classes contain the extension elements whenever available. A Platform element is structured asfollows.follows: +---------------------+ | Platform | +---------------------+ | ENUM SpecID |<>--(0..*)-[ RawData ] | STRING ext-SpecID |<>--(0..*)-[ Reference ] | STRING ContentID | +---------------------+ Figure 4: PlatformclassClass This class has the followingattributes.attributes: SpecID: REQUIRED. ENUM. See Section 4.4. ext-SpecID: OPTIONAL. STRING. See Section 4.4. ContentID: OPTIONAL. STRING. An identifier ofaplatform information. See Section 4.4. Likewise, this class has the followingelements.elements: RawData: Zero or more. XMLDATA. An XML document ofaplatform information. See Section 4.4. Reference: Zero or more. A reference toaplatform information. See Section 4.4. 4.5.3. Vulnerability A Vulnerability is an extension class to the Incident.Method.AdditionalData element with a dtype of "xml". The extension describes the vulnerabilities that are exposed or were exploited in incidents. It is RECOMMENDED that the Method class contain the extension elements whenever available. A Vulnerability element is structured asfollows.follows: +---------------------+ | Vulnerability | +---------------------+ | ENUM SpecID |<>--(0..*)-[ RawData ] | STRING ext-SpecID |<>--(0..*)-[ Reference ] | STRING ContentID |<>--(0..*)-[ Platform ] | |<>--(0..*)-[ Scoring ] +---------------------+ Figure 5: VulnerabilityclassClass This class has the followingattributes.attributes: SpecID: REQUIRED. ENUM. See Section 4.4. ext-SpecID: OPTIONAL. STRING. See Section 4.4. ContentID: OPTIONAL. STRING. An identifier ofavulnerability information. See Section 4.4. Likewise, this class has the followingelements.elements: RawData: Zero or more. XMLDATA. An XML document ofavulnerability information. See Section 4.4. Reference: Zero or more. A reference toavulnerability information. See Section 4.4. Platform: Zero or more. An identifier of the software platform affected by the vulnerability. See Section 4.5.2. Scoring: Zero or more. An indicator of the severity of the vulnerability. See Section 4.5.4. 4.5.4. Scoring A Scoring is an extension class that describes the severity scores in terms of security. It is RECOMMENDED that the Vulnerability and Weakness classes contain the extension elements whenever available. A Scoring class is structured asfollows.follows: +---------------------+ | Scoring | +---------------------+ | ENUM SpecID |<>--(0..*)-[ RawData ] | STRING ext-SpecID |<>--(0..*)-[ Reference ] | STRING ContentID | +---------------------+ Figure 6: ScoringclassClass This class hastwo attributes.the following attributes: SpecID: REQUIRED. ENUM. See Section 4.4. ext-SpecID: OPTIONAL. STRING. See Section 4.4. ContentID: OPTIONAL. STRING. An identifier of a score set. See Section 4.4. Likewise, this class has the followingelements.elements: RawData: Zero or more. XMLDATA. An XML document of a score set. See Section 4.4. Reference: Zero or more. A reference to a score set. See Section 4.4. 4.5.5. Weakness A Weakness is an extension class to the Incident.Method.AdditionalData element with a dtype of "xml". The extension describes the weakness types that are exposed or were exploited in incidents. It is RECOMMENDED that the Method class contain the extension elements whenever available. A Weakness element is structured asfollows.follows: +---------------------+ | Weakness | +---------------------+ | ENUM SpecID |<>--(0..*)-[ RawData ] | STRING ext-SpecID |<>--(0..*)-[ Reference ] | STRING ContentID |<>--(0..*)-[ Platform ] | |<>--(0..*)-[ Scoring ] +---------------------+ Figure 7: WeaknessclassClass This class has the followingattributes.attributes: SpecID: REQUIRED. ENUM. See Section 4.4. ext-SpecID: OPTIONAL. STRING. See Section 4.4. ContentID: OPTIONAL. STRING. An identifier ofaweakness information. See Section 4.4. Likewise, this class has the followingelements.elements: RawData: Zero or more. XMLDATA. An XML document ofaweakness information. See Section 4.4. Reference: Zero or more. A reference toaweakness information. See Section 4.4. Platform: Zero or more. An identifier of the software platform affected by the weakness. See Section 4.5.2. Scoring: Zero or more. An indicator of the severity of the weakness. See Section 4.5.4. 4.5.6. EventReport An EventReport is an extension class to the Incident.EventData.Record.RecordData.RecordItem element with a dtype of "xml". The extension embeds structured event reports. It is RECOMMENDED that the RecordItem class contain the extension elements whenever available. An EventReport element is structured asfollows.follows: +---------------------+ | EventReport | +---------------------+ | ENUM SpecID |<>--(0..*)-[ RawData ] | STRING ext-SpecID |<>--(0..*)-[ Reference ] | STRING ContentID | +---------------------+ Figure 8: EventReportclassClass This class has the followingattributes.attributes: SpecID: REQUIRED. ENUM. See Section 4.4. ext-SpecID: OPTIONAL. STRING. See Section 4.4. ContentID: OPTIONAL. STRING. An identifier of an event report. See Section 4.4. Likewise, this class has the followingelements.elements: RawData: Zero or more. XMLDATA. An XML document of an event report. See Section 4.4. Reference: Zero or more. A reference to an event report. See Section 4.4. 4.5.7. Verification A Verification is an extension class to the Incident.AdditionalData element with a dtype of "xml". The extension elementsdescribesdescribe information on verifying security, e.g., a checklist, to cope with incidents. It is RECOMMENDED that the Incident class contain the extension elements whenever available. A Verification class is structured asfollows.follows: +---------------------+ | Verification | +---------------------+ | ENUM SpecID |<>--(0..*)-[ RawData ] | STRING ext-SpecID |<>--(0..*)-[ Reference ] | STRING ContentID | +---------------------+ Figure 9: VerificationclassClass This class has the followingattributes.attributes: SpecID: REQUIRED. ENUM. See Section 4.4. ext-SpecID: OPTIONAL. STRING. See Section 4.4. ContentID: OPTIONAL. STRING. An identifier ofaverification information. See Section 4.4. Likewise, this class has the followingelements.elements: RawData: Zero or more. XMLDATA. An XML document ofaverification information. See Section 4.4. Reference: Zero or more. A reference toaverification information. See Section 4.4. 4.5.8. Remediation A Remediation is an extension class to the Incident.AdditionalData element with a dtype of "xml". The extension elementsdescribesdescribe incident remediationinformationinformation, including instructions. It is RECOMMENDED that the Incident class contain the extension elements whenever available. A Remediation class is structured asfollows.follows: +---------------------+ | Remediation | +---------------------+ | ENUM SpecID |<>--(0..*)-[ RawData ] | STRING ext-SpecID |<>--(0..*)-[ Reference ] | String ContentID | +---------------------+ Figure 10: RemediationclassClass This class has the followingattributes.attributes: SpecID: REQUIRED. ENUM. See Section 4.4. ext-SpecID: OPTIONAL. STRING. See Section 4.4. ContentID: OPTIONAL. STRING. An identifier ofaremediation information. See Section 4.4. Likewise, this class has the followingelements.elements: RawData: Zero or more. XMLDATA. An XML document ofaremediation information. See Section 4.4. Reference: Zero or more. A reference toaremediation information. See Section 4.4. 5.Mandatory to Implement features The implementation ofMandatory-to-Implement Features Implementations compliant with this document MUST be capable of sending and receiving the extended IODEF documents that contain XML documents conforming to the specification listed in the initial IANA table described in Section 4.1 without error.An SCIThe extended IODEF document is an XML document that MUST be well-formed and MUST be valid according to schemata, including extension schemata, available to the validator and applicable to the XML document. Note that the receiver can look up the namespace in the IANA table to understand what specifications the embedded XML documentsfollows.follow. For the purpose of facilitating the understanding ofmandatory tomandatory-to- implement features, the following subsections provide an XML document conformant to thisdocument,memo, and aschema for that.corresponding schema. 5.1. An Example XML Document An example IODEF document for checking an implementation'sMTIconformity with mandatory-to-implement features is provided here. The document carriesMMDEFMalware Metadata Exchange Format (MMDEF) metadata. Note that the metadata is generated by genMMDEF [MMDEF] with EICAR [EICAR] files. Due to the limit of 72 characters per line, some line breaks were added in this example. <?xml version="1.0" encoding="UTF-8"?> <IODEF-Document version="1.00" lang="en" xmlns="urn:ietf:params:xml:ns:iodef-1.0" xmlns:iodef="urn:ietf:params:xml:ns:iodef-1.0"xmlns:iodef-sci="urn:ietf:params:xml:ns:iodef-sci-1.0"xmlns:sci="urn:ietf:params:xml:ns:iodef-sci-1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <Incident purpose="reporting"> <IncidentIDname="iodef-sci.example.com">189493</IncidentID>name="sci.example.com">189493</IncidentID> <ReportTime>2013-06-18T23:19:24+00:00</ReportTime> <Description>a candidate security incident</Description> <Assessment> <Impact completion="failed" type="admin" /> </Assessment> <Method> <Description>A candidate attack event</Description> <AdditionalData dtype="xml"><iodef-sci:AttackPattern SpecID="http://xml/metadataSharing.xsd"> <iodef-sci:RawData<sci:AttackPattern SpecID= "urn:ietf:params:xml:ns:mile:mmdef:1.2"> <sci:RawData dtype="xml"> <malwareMetaData xmlns="http://xml/metadataSharing.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xml/metadataSharing.xsd file:metadataSharing.xsd" version="1.200000" id="10000"> <company>N/A</company> <author>MMDEF Generation Script</author> <comment>Test MMDEF v1.2 file generated using genMMDEF </comment> <timestamp>2013-03-23T15:12:50.726000</timestamp> <objects> <file id="6ce6f415d8475545be5ba114f208b0ff"> <md5>6ce6f415d8475545be5ba114f208b0ff</md5> <sha1>da39a3ee5e6b4b0d3255bfef95601890afd80709</sha1><sha256>e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca4 95991b7852b855</sha256> <sha512>cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83 f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b9 31bd47417a81a538327af927da3e</sha512><sha256>e3b0c44298fc1c149afbf4c8996fb92427ae41e464 9b934ca495991b7852b855</sha256> <sha512>cf83e1357eefb8bdf1542850d66d8007d620e4050b 5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff83 18d2877eec2f63b931bd47417a81a538327af927 da3e</sha512> <size>184</size> <filename>eicar_com.zip</filename> <MIMEType>application/zip</MIMEType> </file> <file id="44d88612fea8a8f36de82e1278abb02f"> <md5>44d88612fea8a8f36de82e1278abb02f</md5> <sha1>3395856ce81f2b7382dee72602f798b642f14140</sha1><sha256>275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4 538aabf651fd0f</sha256> <sha512>cc805d5fab1fd71a4ab352a9c533e65fb2d5b885518f4e565e 68847223b8e6b85cb48f3afad842726d99239c9e36505c64b0 dc9a061d9e507d833277ada336ab</sha512><sha256>275a021bbfb6489e54d471899f7db9d1663fc695ec 2fe2a2c4538aabf651fd0f</sha256> <sha512>cc805d5fab1fd71a4ab352a9c533e65fb2d5b88551 8f4e565e68847223b8e6b85cb48f3afad842726d99 239c9e36505c64b0dc9a061d9e507d833277ada3 36ab</sha512> <size>68</size> <crc32>1750191932</crc32> <filename>eicar.com</filename> <filenameWithinInstaller>eicar.com </filenameWithinInstaller> </file> </objects> <relationships> <relationship type="createdBy" id="1"> <source><ref>file[@id="6ce6f415d8475545be5ba114f208b0ff"]</ref><ref>file[@id="6ce6f415d8475545be5ba114f208b0ff"] </ref> </source> <target><ref>file[@id="44d88612fea8a8f36de82e1278abb02f"]</ref><ref>file[@id="44d88612fea8a8f36de82e1278abb02f"] </ref> </target> <timestamp>2013-03-23T15:12:50.744000</timestamp> </relationship> </relationships> </malwareMetaData></iodef-sci:RawData> </iodef-sci:AttackPattern></sci:RawData> </sci:AttackPattern> </AdditionalData> </Method> <Contact role="creator" type="organization"><ContactName>iodef-sci.example.com</ContactName><ContactName>sci.example.com</ContactName> <RegistryHandleregistry="arin">iodef-sci.example-comregistry="arin">sci.example-com </RegistryHandle> <Email>contact@csirt.example.com</Email> </Contact> <EventData> <Flow> <System category="source"> <Node> <Address category="ipv4-addr">192.0.2.200</Address> <Counter type="event">57</Counter> </Node> </System> <System category="target"> <Node> <Address category="ipv4-net">192.0.2.16/28</Address> </Node> <Service ip_protocol="4"> <Port>80</Port> </Service> </System> </Flow> <Expectation action="block-host" /> <Expectation action="other" /> </EventData> </Incident> </IODEF-Document> 5.2. An XML Schema for the Extension An XML schema describing the elements defined in this document is given here. <?xml version="1.0" encoding="UTF-8"?> <xsd:schema targetNamespace="urn:ietf:params:xml:ns:iodef-sci-1.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:iodef="urn:ietf:params:xml:ns:iodef-1.0"xmlns:iodef-sci="urn:ietf:params:xml:ns:iodef-sci-1.0"xmlns:sci="urn:ietf:params:xml:ns:iodef-sci-1.0" elementFormDefault="qualified" attributeFormDefault="unqualified"> <xsd:import namespace="urn:ietf:params:xml:ns:iodef-1.0"schemaLocation="urn:ietf:params:xml:schema:iodef-1.0"/>schemaLocation= "http://www.iana.org/assignments/xml-registry/schema/iodef-1.0.xsd"/> <xsd:complexType name="XMLDATA"> <xsd:complexContent> <xsd:restriction base="iodef:ExtensionType"> <xsd:sequence> <xsd:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> </xsd:sequence> <xsd:attribute name="dtype" type="iodef:dtype-type" use="required" fixed="xml"/> <xsd:attribute name="ext-dtype" type="xsd:string"use="optional"/>use="prohibited"/> <xsd:attribute name="meaning" type="xsd:string"/> <xsd:attribute name="formatid" type="xsd:string"/> <xsd:attribute name="restriction" type="iodef:restriction-type"/> </xsd:restriction> </xsd:complexContent> </xsd:complexType><xsd:element name="Scoring"> <xsd:complexType> <xsd:sequence> <xsd:choice> <xsd:element name="ScoreSet" type="iodef-sci:XMLDATA" minOccurs="0" maxOccurs="unbounded"/> <xsd:element ref="iodef:Reference" minOccurs="0" maxOccurs="unbounded"/> </xsd:choice> </xsd:sequence> <xsd:attribute name="SpecID" type="xsd:string" use="required"/> <xsd:attribute name="ext-SpecID" type="xsd:string" use="optional"/> <xsd:attribute name="ContentID" type="xsd:string" use="optional"/> </xsd:complexType> </xsd:element> <xsd:element name="AttackPattern"> <xsd:complexType> <xsd:sequence> <xsd:choice> <xsd:element name="RawData" type="iodef-sci:XMLDATA" minOccurs="0" maxOccurs="unbounded"/> <xsd:element ref="iodef:Reference" minOccurs="0" maxOccurs="unbounded"/> </xsd:choice> <xsd:element ref="iodef-sci:Platform" minOccurs="0" maxOccurs="unbounded"/> </xsd:sequence> <xsd:attribute name="SpecID" type="xsd:string" use="required"/> <xsd:attribute name="ext-SpecID" type="xsd:string" use="optional"/> <xsd:attribute name="ContentID" type="xsd:string" use="optional"/> </xsd:complexType> </xsd:element> <xsd:element name="Vulnerability"> <xsd:complexType><xsd:complexType name="BasicStructure"> <xsd:sequence> <xsd:choice> <xsd:element name="RawData"type="iodef-sci:XMLDATA"type="sci:XMLDATA" minOccurs="0" maxOccurs="unbounded"/> <xsd:element ref="iodef:Reference" minOccurs="0" maxOccurs="unbounded"/> </xsd:choice><xsd:element ref="iodef-sci:Platform" minOccurs="0" maxOccurs="unbounded"/> <xsd:element ref="iodef-sci:Scoring" minOccurs="0" maxOccurs="unbounded"/></xsd:sequence> <xsd:attribute name="SpecID" type="xsd:string" use="required"/> <xsd:attribute name="ext-SpecID"type="xsd:string" use="optional"/>type="xsd:string"/> <xsd:attribute name="ContentID"type="xsd:string" use="optional"/>type="xsd:string"/> </xsd:complexType></xsd:element> <xsd:element name="Weakness"> <xsd:complexType> <xsd:sequence> <xsd:choice><xsd:elementname="RawData" type="iodef-sci:XMLDATA" minOccurs="0" maxOccurs="unbounded"/>name="Scoring" type="sci:BasicStructure"/> <xsd:elementref="iodef:Reference" minOccurs="0" maxOccurs="unbounded"/> </xsd:choice>name="Platform" type="sci:BasicStructure"/> <xsd:elementref="iodef-sci:Platform" minOccurs="0" maxOccurs="unbounded"/> <xsd:element ref="iodef-sci:Scoring" minOccurs="0" maxOccurs="unbounded"/> </xsd:sequence> <xsd:attribute name="SpecID" type="xsd:string" use="required"/> <xsd:attribute name="ext-SpecID" type="xsd:string" use="optional"/> <xsd:attribute name="ContentID" type="xsd:string" use="optional"/> </xsd:complexType> </xsd:element>name="EventReport" type="sci:BasicStructure"/> <xsd:elementname="Platform"> <xsd:complexType> <xsd:sequence> <xsd:choice>name="Verification" type="sci:BasicStructure"/> <xsd:elementname="RawData" type="iodef-sci:XMLDATA" minOccurs="0" maxOccurs="unbounded"/>name="Remediation" type="sci:BasicStructure"/> <xsd:elementref="iodef:Reference" minOccurs="0" maxOccurs="unbounded"/> </xsd:choice> </xsd:sequence> <xsd:attribute name="SpecID" type="xsd:string" use="required"/> <xsd:attribute name="ext-SpecID" type="xsd:string" use="optional"/> <xsd:attribute name="ContentID" type="xsd:string" use="optional"/> </xsd:complexType> </xsd:element> <xsd:element name="EventReport">name="AttackPattern"> <xsd:complexType><xsd:sequence> <xsd:choice> <xsd:element name="RawData" type="iodef-sci:XMLDATA" minOccurs="0" maxOccurs="unbounded"/><xsd:complexContent> <xsd:extension base="sci:BasicStructure"> <sequence> <xsd:elementref="iodef:Reference"ref="sci:Platform" minOccurs="0" maxOccurs="unbounded"/></xsd:choice> </xsd:sequence> <xsd:attribute name="SpecID" type="xsd:string" use="required"/> <xsd:attribute name="ext-SpecID" type="xsd:string" use="optional"/> <xsd:attribute name="ContentID" type="xsd:string" use="optional"/></sequence> </xsd:extension> </xsd:complexContent> </xsd:complexType> </xsd:element> <xsd:elementname="Verification">name="Vulnerability"> <xsd:complexType><xsd:sequence> <xsd:choice><xsd:complexContent> <xsd:extension base="sci:BasicStructure"> <sequence> <xsd:elementname="RawData" type="iodef-sci:XMLDATA"ref="sci:Platform" minOccurs="0" maxOccurs="unbounded"/> <xsd:elementref="iodef:Reference"ref="sci:Scoring" minOccurs="0" maxOccurs="unbounded"/></xsd:choice> </xsd:sequence> <xsd:attribute name="SpecID" type="xsd:string" use="required"/> <xsd:attribute name="ext-SpecID" type="xsd:string" use="optional"/> <xsd:attribute name="ContentID" type="xsd:string" use="optional"/></sequence> </xsd:extension> </xsd:complexContent> </xsd:complexType> </xsd:element> <xsd:elementname="Remediation">name="Weakness"> <xsd:complexType><xsd:sequence> <xsd:choice><xsd:complexContent> <xsd:extension base="sci:BasicStructure"> <sequence> <xsd:elementname="RawData" type="iodef-sci:XMLDATA"ref="sci:Platform" minOccurs="0" maxOccurs="unbounded"/> <xsd:elementref="iodef:Reference"ref="sci:Scoring" minOccurs="0"maxOccurs="unbounded"/> </xsd:choice> </xsd:sequence> <xsd:attribute name="SpecID" type="xsd:string" use="required"/> <xsd:attribute name="ext-SpecID" type="xsd:string" use="optional"/> <xsd:attribute name="ContentID" type="xsd:string" use="optional"/>maxOccurs="unbounded"/> </sequence> </xsd:extension> </xsd:complexContent> </xsd:complexType> </xsd:element> </xsd:schema> 6. Security Considerations This document specifies a format for encoding a particular class of security incidents appropriate for exchange across organizations. As merely a data representation, it does not directly introduce security issues. However, it is guaranteed that parties exchanging instances of this specification will have certain concerns. For this reason, the underlying message format and transport protocol used MUST ensure the appropriate degree of confidentiality, integrity, and authenticity for the specific environment. Specific security considerations are detailed in the messaging and transport documents, where the exchange of formatted information isautomated. See Real- timeautomated; see Sections 9 and 10 of "Real-time Inter-network Defense(RID)(RID)" [RFC6545] and Section94 of "Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS" [RFC6546] for a detailed overview of security requirements and considerations. It is RECOMMENDED that organizationswhothat exchange data using this document develop operating procedures thatminimally considerconsider, at a minimum, the following areas of concern. 6.1. Transport-Specific Concerns The underlying messaging format, IODEF, provides data markers to indicate the sensitivity level of specific classes within the structure as well as for the entire XML document. The "restriction" attribute accomplishes this with four attribute values inIODEF.IODEF [RFC5070]. These values are RECOMMENDED for use at the application level, prior to transport, to protect data as appropriate. A standard mechanism to apply XML encryption using these attribute values as triggers is defined in RID[RFC6545][RFC6545], Section 9.1. This mechanism may be used whether or not the RID protocol [RFC6545] andRID Transportits associated transport binding [RFC6546] are used in the exchange to provideobject levelobject-level security on the data to prevent possible intermediary systems ormiddle-boxesmiddleboxes from having access to the data being exchanged. In areas where transmission security or secrecy is questionable, the application ofaan XML digital signature[xmldsig][XMLDSIG] and/or encryption on each report will counteract both of these concerns. The data markers are RECOMMENDED for use by applications for managing accesscontrols, howevercontrols; however, access controls and management of those controls areout-of-scopeout of scope for this document. Options such as the usage of a standard language(e.g. XACML(e.g., eXtensible Access Control Markup Language [XACML]) for the expression of authorization policies can be used to enable source and destination systems to better coordinate and align their respective policy expressions. Any transport protocol used to exchange instances of IODEF documents MUST provide appropriate guarantees of confidentiality, integrity, and authenticity. The use of a standardized security protocol is encouraged. The RID protocol [RFC6545] and its associated transport binding [RFC6546] provide such security with options for mutual authentication session encryption and includeapplication levelsapplication-level concerns such as policy andwork flow.workflow. The critical security concerns are thatthesestructured information may be falsified, accessed by unintended entities, orthey maybecome corrupt during transit. We expect that each exchanging organization will determine the need, and mechanism, for transport protection. 6.2. Protection of Sensitive and Private Information For a complete review of privacy considerations when transportingincident relatedincident-related information, please see RID[RFC6545][RFC6545], Section 9.5. Whether or not the RID protocol is used, the privacy considerations are important toconsiderconsider, as incident information is often sensitive and may containprivacy relatedprivacy-related information about individuals/ organizations or endpoints involved.Often times, organizationsOrganizations will often require the establishment of legalreviewreviews and formalpolices to be established whichpolicies that outline specific details of what information can be exchanged with specific entities. Typically, identifying information is anonymized where possible and appropriate. In some cases, information brokers are used to further anonymize the source of exchanged information so that other entities are unaware of the origin of a detected threat, whether or not that threat was realized. It is RECOMMENDED that policies and procedures for the exchange of cybersecurity informationarebe established prior to participation in data exchanges. Policy and workflow procedures for the exchange of cybersecurity information often requireexecutive levelexecutive-level approvals and legal reviews to appropriately establish limits on what information can be exchanged with specific organizations. RID[RFC6545][RFC6545], Section 9.6 outlines options and considerations for application developers to consider forthepolicy and workflow design. 6.3. Application and Server Security TheCybersecurity Informationcybersecurity information extension is merely a data format. Applications and transport protocols that store or exchange IODEF documents using information that can be represented through this extension will be a target for attacks. It is RECOMMENDED that systems and applications storing or exchanging this informationarebe properly secured, have minimal services enabled, and maintain access controls and monitoring procedures. 7. IANA Considerations This document uses URNs to describe XML namespaces and XML schemata [XMLschemaPart1] [XMLschemaPart2] conforming to a registry mechanism described in [RFC3688].Registration request for theThe following IODEF structured cybersecurity information extensionnamespace:namespace has been registered: URI: urn:ietf:params:xml:ns:iodef-sci-1.0 Registrant Contact: Referhereto theauthors' addressesAuthors' Addresses section ofthethis document. XML: None.Registration request for theThe following IODEF structured cybersecurity information extension XMLschema:schema has been registered: URI: urn:ietf:params:xml:schema:iodef-sci-1.0 Registrant Contact: Referhereto theauthors' addressesAuthors' Addresses section ofthethis document. XML: Referhereto the XMLSchemaschema in Section5.2.5.2 of this document. This memo creates the followingregistry for IANA to manage:registry, which is managed by IANA: Name of the registry: "Structured Cybersecurity Information (SCI)specifications"Specifications" Name of its parent registry: "Incident Object Description Exchange Format (IODEF)" URLaddressof the registry:http://www.iana.org/assignments/iodef<http://www.iana.org/assignments/iodef> Namespace details: A registry entry for a Structured Cybersecurity Information Specification (SCI specification) consists of: Namespace: A URI [RFC3986] that identifies the XML namespace used by the registered SCI specification. In the case where the registrant does not request a particular URI, the IANA will assign it a Uniform Resource Name (URN) that follows RFC 3553[RFC3553][RFC3553]. Specification Name: A string containing the spelled-out name of the SCI specification in human-readable form. Reference URI: A list of one or more of the URIs [RFC3986] from which the registered specification can be obtained. The registered specification MUST be readily and publicly available from that URI. Applicable Classes: A list of one or more of the extension classes specified in Section 4.5 of this document. The registered SCI specification MUST only be used with the extension classes in the registry entry. Information that must be provided to assign a new value: The above list of information. Fields to record in the registry: Namespace/Specification Name/ Version/Reference URI/Applicable Classes. Note that it is not necessary to include a defining reference for all assignments in this new registry. Initial registry contents:onlyOnly oneentryentry, with the followingvalues.values: Namespace:urn:ietf:params:xml:ns:mile:mmdef:1.0urn:ietf:params:xml:ns:mile:mmdef:1.2 Specification Name: Malware Metadata Exchange Format Version: 1.2 Reference URI:http://standards.ieee.org/develop/indconn/icsg/ mmdef.html,http://grouper.ieee.org/groups/malware/malwg/ Schema1.2/<http://standards.ieee.org/develop/indconn/icsg/mmdef.html>, <http://grouper.ieee.org/groups/malware/malwg/Schema1.2/> Applicable Classes: AttackPattern AllocationPolicy:policy: Specification Required (which includes Expert Review) [RFC5226]. The Designated Expert is expected to consult with themileMILE (Managed Incident Lightweight Exchange) workinggroupgroup, or its successor if any suchWGworking group exists (e.g., via email to the working group's mailing list). The Designated Expert is expected to retrieve the SCI specification from the provided URI in order to check the public availability of the specification and verify the correctness of the URI. An important responsibility of the Designated Expert is to ensure that the registeredApplicable Classesapplicable classes are appropriate for the registered SCI specification. 8.AcknowledgmentAcknowledgments We would like to acknowledge David Black from EMC, who kindly provided generous support, especially on the IANA registry issues. We also would like to thank Jon Baker from MITRE, Eric Burger from Georgetown University, Paul Cichonski from NIST, Panos Kampanakis fromCISCO, Pearl Liang from IANA,Cisco, Ivan Kirillov from MITRE, Pearl Liang from IANA, Robert Martin from MITRE, Alexey Melnikov from Isode, Thomas Millar from US-CERT, Kathleen Moriarty from EMC, Lagadec Philippe from NATO, Sean Turner fromIECAIECA, Inc.,Shuhei Yamaguchi from NICT,Anthony Rutkowski from Yaana Technology, Brian Trammell from ETH Zurich, David Waltermire from NIST,andJames Wendorf from IEEE, and Shuhei Yamaguchi from NICT, for their sincere discussion and feedback on this document. 9. References 9.1. Normative References [MMDEF]IEEEICSG Malware Metadata Exchange Format Working Group, "Malware Metadata ExchangeFormat".Format", IEEE Standards Association, November 2011, <http://grouper.ieee.org/groups/malware/malwg/Schema1.2/>. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, January 2005. [RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident Object Description Exchange Format", RFC 5070, December 2007. [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008. [RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)", RFC 6545, April 2012. [RFC6546] Trammell, B., "Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS", RFC 6546, April 2012. [XML1.0] Bray, T.,Maler, E.,Paoli, J., Sperberg-McQueen, C., Maler, E., and F. Yergeau, "Extensible Markup Language (XML) 1.0 (Fifth Edition)", W3C Recommendation, November2008.2008, <http://www.w3.org/TR/xml/>. [XMLschemaPart1] Thompson, H., Beech, D., Maloney, M., and N. Mendelsohn, "XML Schema Part 1: Structures Second Edition", W3C Recommendation, October2004.2004, <http://www.w3.org/TR/xmlschema-1/>. [XMLschemaPart2] Biron, P. and A. Malhotra, "XML Schema Part 2: Datatypes Second Edition", W3C Recommendation, October2004.2004, <http://www.w3.org/TR/xmlschema-2/>. [XMLNames] Bray, T., Hollander, D., Layman, A., Tobin, R., and H.Thomson, ""NamespacesThompson, "Namespaces in XML 1.0 (Third Edition)", W3C Recommendation, December2009.2009, <http://www.w3.org/TR/xml-names/>. 9.2. Informative References[RFC3339] Klyne, G., Ed. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, July 2002. [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, July 2003.[RFC3553] Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An IETF URN Sub-namespace for Registered Protocol Parameters", BCP 73, RFC 3553, June 2003. [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, January 2004.[RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, October 2008. [RFC6116] Bradner, S., Conroy, L., and K. Fujiwara, "The E.164 to Uniform Resource Identifiers (URI) Dynamic Delegation Discovery System (DDDS) Application (ENUM)", RFC 6116, March 2011.[CAPEC] The MITRE Corporation, "Common Attack Pattern Enumeration and Classification(CAPEC)".(CAPEC)", <http://capec.mitre.org/>. [CCE]The MITRE Corporation,National Institute of Standards and Technology, "Common Configuration Enumeration(CCE)".(CCE)", <http://nvd.nist.gov/cce/index.cfm>. [CCSS] Scarfone, K. and P. Mell, "The Common Configuration Scoring System(CCSS)",(CCSS): Metrics for Software Security Configuration Vulnerabilities", NIST Interagency Report 7502, December2010.2010, <http://csrc.nist.gov/ publications/nistir/ir7502/nistir-7502_CCSS.pdf>. [CEE] The MITRE Corporation, "Common Event Expression(CEE)".(CEE)", <http://cee.mitre.org/>. [CPE] National Institute of Standards and Technology, "Common Platform Enumeration", June2011.2011, <http://scap.nist.gov/specifications/cpe/>. [CVE] The MITRE Corporation, "CommonVulnerabilityVulnerabilities and Exposures(CVE)".(CVE)", <http://cve.mitre.org/>. [CVRF] ICASI,"Common"The Common Vulnerability Reporting Framework(CVRF)".(CVRF)", <http://www.icasi.org/cvrf>. [CVSS]PeterMell,KarenP., Scarfone, K., andSashaS. Romanosky, "The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal AgencySystems".Systems", NIST Interagency Report 7435, August 2007, <http://csrc.nist.gov/publications/nistir/ ir7435/NISTIR-7435.pdf>. [CWE] The MITRE Corporation, "Common Weakness Enumeration(CWE)".(CWE)", <http://cwe.mitre.org/>. [CWSS] The MITRE Corporation, "Common Weakness Scoring System(CWSS)".(CWSS(TM))", <http://cwe.mitre.org/cwss/>. [EICAR] EICAR - European Expert Group for IT-Security, "Anti-Malware Testfile",2003.2003, <http://www.eicar.org/86-0-Intended-use.html>. [MAEC] The MITRE Corporation, "Malware Attribute Enumeration andCharacterization".Characterization", <http://maec.mitre.org/>. [OCIL]David Waltermire and Karen ScarfoneWaltermire, D., Scarfone, K., andMariaM. Casipe,"The"Specification for the Open Checklist Interactive Language (OCIL) Version 2.0", NIST Interagency Report 7692, April2011.2011, <http://csrc.nist.gov/publications/nistir/ ir7692/nistir-7692.pdf>. [OVAL] The MITRE Corporation, "Open Vulnerability and Assessment Language(OVAL)".(OVAL)", <http://oval.mitre.org/>. [SCAP] Waltermire, D., Quinn, S., Scarfone, K., and A. Halbardier, "The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2", NIST Special Publication 800-126 Revision 2, September2011.2011, <http://csrc.nist.gov/publications/ nistpubs/800-126-rev2/SP800-126r2.pdf>. [XACML] Rissanen, E., "eXtensible Access Control Markup Language (XACML) Version 3.0", January 2013,<http:// docs.oasis-open.org/xacml/3.0/<http://docs.oasis-open.org/xacml/3.0/ xacml-3.0-core-spec-os-en.pdf>. [XCCDF]David Waltermire and Charles Schmidt and Karen ScarfoneWaltermire, D., Schmidt, C., Scarfone, K., andNealN. Ziring, "Specification for the Extensible Configuration Checklist Description Format (XCCDF) version 1.2 (DRAFT)",July 2011. [xmldsig]NIST Interagency Report 7275, Revision 4, September 2011, <http://csrc.nist.gov/publications/nistir/ir7275-rev4/ NISTIR-7275r4.pdf>. [XMLDSIG] W3C Recommendation, "XML Signature Syntax and Processing (Second Edition)", June2008.2008, <http://www.w3.org/TR/xmldsig-core/>. Authors' Addresses Takeshi Takahashi National Institute of Information and Communications Technology 4-2-1 Nukui-Kitamachi Koganei 184-8795 Tokyo Japan Phone: +80 423 27 5862Email:EMail: takeshi_takahashi@nict.go.jp Kent Landfield McAfee,IncInc. 5000 Headquarters Drive Plano, TX 75024 USAEmail:EMail: Kent_Landfield@McAfee.comThomas Millar US Department of Homeland Security, NPPD/CS&C/NCSD/US-CERT 245 Murray Lane SW, Building 410, MS #732 Washington, DC 20598 USA Phone: +1 888 282 0870 Email: thomas.millar@us-cert.govYouki Kadobayashi Nara Institute of Science and Technology 8916-5 Takayama, Ikoma 630-0192 Nara JapanEmail:EMail: youki-k@is.aist-nara.ac.jp