Internet Engineering Task Force                          T. Takahashi, Ed.
Internet-Draft                                         Y. Kadobayashi, Ed.
Intended status: Informational                                        NICT
Expires: April 21, 2011                                   October 18, 2010


              Cybersecurity Information Exchange Framework
                     draft-takahashi-cybex-intro-00

Abstract

   The Cybersecurity Information Exchange Framework, known as CYBEX, is
   currently undergoing its first iteration of standardization within
   ITU-T.  The framework describes how cybersecurity information is
   exchanged between cybersecurity entities on a global scale and how
   that exchange is assured.  The framework is intended to enable
   cybersecurity entities to work together beyond national and/or
   organizational boundaries.  Currently, ITU-T Draft Recommendation
   X.1500 defines the framework.  The editors designated for the
   progress of the Draft Recommendation are (in alphabetical order):
   Inette Furey (DHS), Youki Kadobayashi (NICT), Bob Martin (MITRE),
   Angela Mckay (Microsoft), Stephen Adegbite (FIRST), Damir Rajnovic
   (FIRST), Gavin Reid (Cisco), Tony Rutkowski (Yaana), Gregg Schudel
   (Cisco).  On behalf of ITU-T Q.4/17, this draft presents an overview
   of CYBEX to the IETF.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 21, 2011.
Takahashi & Kadobayashi        Expires April 21, 2011                [Page 1]

Internet-Draft                 Abbreviated Title                October 2010

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Conventions used in this document  . . . . . . . . . . . . . .  3
   3.  Overview of Cybersecurity Information Exchange Framework . . .  4
   4.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  5
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . .  5
   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  5
     6.1.  Normative References . . . . . . . . . . . . . . . . . . .  5
     6.2.  Informative References . . . . . . . . . . . . . . . . . .  6
   Appendix A.  Additional Stuff  . . . . . . . . . . . . . . . . . .  6
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . .  6

1.  Introduction

   In the Internet, sources of threats cross the borders of countries
   and even continents.  Countermeasures against these cybersecurity
   threats, however, are most frequently implemented by individual
   organizations in isolation.  Consequently, an organization in one
   country may be attacked by malware whose countermeasures are already
   known and implemented within another organization in another
   country.
   Such incidents occur because information is not shared among
   organizations.  One of the biggest factors preventing organizations
   from sharing information with each other is the absence of a globally
   common format and framework for cybersecurity information exchange.
   Although some countries, such as the United States, have domestic
   standards that address this problem, most other countries have no
   such standards.  Another such factor is the absence of an assured
   information exchange framework, without which no organization will
   exchange information.

   To cope with this problem, ITU-T is now building an emerging
   standard, the Cybersecurity Information Exchange Framework (CYBEX).
   CYBEX provides a globally common format and framework for assured
   cybersecurity information exchange, which will eventually minimize
   the disparity in cybersecurity information availability on a global
   scale.  Since cybersecurity information can be shared worldwide, no
   country or organization implementing CYBEX will be left behind in
   terms of its availability.  Consequently, developing countries, which
   currently have fewer resources to put towards cybersecurity, can
   become equal partners with developed countries given appropriate
   investments.  Countermeasures will therefore be implemented through
   global collaboration.

   The framework will also advance the automation of cybersecurity
   information exchange.  Most cybersecurity information exchange within
   organizations is not currently automated and depends largely on human
   intervention.  Email, telephone calls and even face-to-face meetings
   are still the primary methods of information exchange.  The need for
   and reliance on human interaction consumes a great deal of time.  By
   advancing the automation of cybersecurity information exchange, the
   costs (e.g., personnel costs) within each organization will be
   significantly reduced and operations will be more efficient.
   At the same time, human-operation-based mistakes such as
   miscommunication can be avoided; thus the quality of operations can
   be improved.

2.  Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3.  Overview of Cybersecurity Information Exchange Framework

   CYBEX focuses on cybersecurity information exchange between
   cybersecurity organizations.  Cybersecurity information is
   information required for cybersecurity operations, such as
   information on a vulnerability, and a cybersecurity organization is
   an organization running cybersecurity operations, such as the CSIRT
   of a country or of a private company.  How cybersecurity information
   is acquired or used is outside the scope of CYBEX.

   Considering the cybersecurity information life cycle, we observed
   that five functional blocks are needed for CYBEX: Information
   Description, Information Discovery, Information Query, Information
   Assurance and Information Transport, as shown in Figure 1.  The
   Information Description block structures cybersecurity information
   for exchange purposes, the Information Discovery block identifies and
   discovers cybersecurity information and entities, the Information
   Query block requests and responds with cybersecurity information, the
   Information Assurance block ensures the validity of the information,
   and the Information Transport block exchanges cybersecurity
   information over networks.
               +-------------------------------+
               | Information Description block |
               +-------------------------------+
               | Information Discovery block   |
               +-------------------------------+
               | Information Query block       |
               +-------------------------------+
               | Information Assurance block   |
               +-------------------------------+
               | Information Transport block   |
               |_______________________________|

                Figure 1: Five functional blocks of CYBEX

   Each functional block consists of assorted specifications, as shown
   in Table 1.  As can be seen, one important characteristic of CYBEX
   is that this de jure standard is based on current de facto standards.
   By creating CYBEX in cooperation with the creators of each de facto
   standard, we can increase the utility and compatibility of CYBEX with
   these standards, so users will be able to use CYBEX seamlessly with
   available products, making CYBEX more practical and deployable.

   +-------------+-----------------------------------------------------+
   | Functional  | CYBEX family specifications                         |
   | blocks      |                                                     |
   +-------------+-----------------------------------------------------+
   | Description | CPE, CCE, CVE, CWE, CAPEC, MAEC, CVSS, CWSS, OVAL,   |
   |             | XCCDF, ARF, IODEF, CEE, TS102232, TS102667,         |
   |             | TS23.271, RFC3924, EDRM, X.dexf, X.pfoc             |
   | Discovery   | X.cybex.1, X.cybex-disc                             |
   | Query       | X.chirp                                             |
   | Assurance   | EVCERT, TS102042 V2.0, X.eaa                        |
   | Transport   | TS102232-1, X.cybex-tp, X.cybex-beep                |
   +-------------+-----------------------------------------------------+

                   Table 1: CYBEX family specifications

   Each of the functional blocks is elaborated on in the following
   subsections.  Further details are available at [ACMCCR_CYBEX].

4.  IANA Considerations

   This memo includes no request to IANA.

5.  Security Considerations

   This document introduced CYBEX, a new cybersecurity standard that
   will be finalized in December 2010.
   CYBEX provides a framework for assured cybersecurity information
   exchange between cybersecurity entities and minimizes the disparity
   in cybersecurity information availability among cybersecurity
   entities.  The challenge is finding a means of enabling wide usage
   of CYBEX.  Without global and widespread usage, CYBEX will not be
   able to provide its true value or contribute to cybersecurity.  In
   order to advance cybersecurity, the effectiveness of CYBEX needs to
   be globally and widely recognized.

6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

6.2.  Informative References

   [ACMCCR_CYBEX]
              Rutkowski, A., Kadobayashi, Y., Furey, I., Rajnovic, D.,
              Martin, R., Takahashi, T., Schultz, C., Reid, G.,
              Schudel, G., Hird, M., and S. Adegbite, "CYBEX - the
              Cybersecurity Information Exchange Framework (X.1500)",
              ACM SIGCOMM Computer Communication Review, Volume 40,
              Number 5, October 2010.

Appendix A.  Additional Stuff

   This becomes an Appendix.

Authors' Addresses

   Takeshi Takahashi (editor)
   NICT
   4-2-1 Nukui-Kitamachi
   Koganei, Tokyo  184-8795
   Japan

   Phone: +81 80 3490 2971
   Email: takeshi_takahashi@nict.go.jp


   Youki Kadobayashi (editor)
   NICT
   4-2-1 Nukui-Kitamachi
   Koganei, Tokyo  184-8795
   Japan

   Email: youki-k@is.aist-nara.ac.jp