Cybersecurity  informa1on  security  exchange  framework  (CYBEX):  

importance  and  current  developments  

Tony  Rutkowski,  tony@yaanatech.com  Rapporteur  for  Cybersecurity  Group,  ITU-­‐T  Q4/17  

ISOG-­‐J  Seminar  Tokyo  13  Oct  2010  V1.1  

Addi1onal  roles  include:  global  eWarrant  Rapporteur,  ETSI  TCLI;  U.S.  NSTAC  Cybersecurity  Expert;  Dis1nguished  Senior  Research  Fellow,  Georgia  Ins1tute  of  Technology      

Outline  

•  Why  the  CYBEX  ini1a1ve  is  important  •  Major  developments  shaping  the  work  •  Specific  capabili1es  

–  Systems  Assurance  and  Incident  Response  –  Cybersecurity  Informa1on  Exchange  Framework  –  Iden1ty  Management  

•  Major  implementa1on  challenges  –  Extent  and  evolu1on  of  the  standards  – Discovery  and  trust  capabili1es  – Achieving  implementa1ons  and  widespread  use  

CYBEX:  origins  •  A  common  realiza1on  that  

–  Talking  about  cybersecurity  accomplished  nothing  –  The  incidents  were  scaling  exponen1ally  –  Trusted  exchange  of  cybersecurity  informa1on  was  essen1al  to  any/all  

capabili1es  –  Many  different  communi1es  were  developing  cybersecurity  

informa1on  exchange  schema  –  No  global  framework  and  consensus  existed  to  bring  together  

communi1es  and  schema  •  Ins1tu1onal  triggers  

–  ITU-­‐T  began  a  new  4  year  cycle  with  a  mandate  to  do  something  about  cybersecurity  

–  Par1cipants  found  there  were  common  global  interests  in  tackling  cybersecurity  informa1on  exchange  challenges  

•  LAC,  NICT,  and  other  Japanese  experts  and  organiza1ons  •  Government  and  industry  en11es  in  APEC  region,  U.S.,  and  Europe  

Contractual  service  agreements  and  federa3ons  

Deny  resources  

Intergovernmental  agreements  and  coopera3on  

Tort  &  indemnifica3on  

Regulatory/  administra3ve  law  

Criminal  law  

Legal  remedies  may  also  ins3tute  protec3ve  measures  

Data  reten3on  and  audi3ng  

Iden3ty  Management  

Forensics  &  heuris3cs  analysis  

Provide  data  for  analysis  

Encryp3on/  VPNs  esp.  for  signalling  

Resilient  infrastructure  

Rou3ng  &  resource  constraints  

Network/  applica3on  

state  &  integrity  

Real-­‐3me  data  availability  

Measures  for  protec3on  

Measures  for  threat  detec3on  

Blacklists  &  whitelists  

Vulnerability  no3ces  

Inves3ga3on  &  measure  ini3a3on  

Measures  for  thwar3ng  and  other  remedies  

Legal  Remedies  

Agreement  on  a  cybersecurity  model:  informa1on  sharing  dependencies  

Informa3on  exchanges  

Provide  basis  for  legal  remedies  

Patch  development  

Provide  basis  for  ac3ons  

Reputa3on  sanc3ons  

Provide  awareness  of  vulnerabili3es  and  remedies  

Pladorm  coherency  appeared  possible  

Providing  outreach  among  standards  bodies  seemed  possible  

ITU-­‐R  

ISO   ETSI  

IETF  

OASIS  

ITU-­‐T  

OMA  

CAB  forum   TCG  

3GPP  

MITRE  

NIST  

APP  Dev  

Forums  

IEEE  WiFi  Forum  

IMS  forum  

Cable  Labs  

FIRST  

CCDB  

CNIS  

APWG  

Major  related  ins1tu1onal  developments  

•  U.N.  15  July  document  among  15  major  powers  on  reducing  “ICT  conflict”  (a/k/a  cyberwar)  

•  Exercise  of  cybersecurity  authority  by  regulatory  bodies  –  e.g.,  Korea,  FCC  in  U.S.  

•  High  Level  Cybersecurity  Strategies  (USTIC,  Japan,  UK,  China,  Korea)  •  Cybersecurity  as  an  issue  at  ongoing  ITU  Plenipoten1ary  Conference  •  Enhanced  Common  Criteria  Development  Board  (CCDB)/NATO  

ac1vity  •  New  real-­‐1me,  data  reten1on,  and  mobile  forensics  mandates  

offshore  •  Judicial  eDiscovery  mandates  (e.g.,  FRCP  Rule  26)  in  US  and  

offshore  

Major  related  infrastructure  developments  

•  Applica1on  based  infrastructure  –  Mobile  pladorms  driving  a  world  of  a  million  applica1ons  –  Poses  major  challenges  (what  is  a  good  applica1on  versus  malware)  

•  Locator/ID  Separa1on  Protocol  (LISP)  –  Re-­‐architects  IP  based  public  infrastructures  –  Should  solve  significant  ICT  security  related  challenges,  especially  

alribu1on  •  Asia-­‐Pacific-­‐centricity  

–  Region  has  world’s  largest  and  fastest  growing  infrastructure  and  strong  economies  

–  Pursuing  technology  implementa1ons,  network  innova1ons,  venue  leadership  

•  Mobile/nomadic-­‐centricity  –  Stressing  mobile  standards/collabora1ve  forums    –  Include  mul1ple  IdM/cyber  security  challenges  

CYBEX  is  a  substan1ve  ongoing  global  Cyber/ICT  security  ini1a1ve  

•  Aimed  at  achieving  meaningful  security  –  "lock  down"  the  integrity  of  ICT  systems,  –  watch  for  undesired  incidents,  and    –  capture,  analyze,  and  process  the  forensics  from  those  incidents  to  reduce  vulnerabili1es,  

thwart  alacks,  and  ins1tute  legal  ac1on  if  appropriate  

•  The  trusted  exchange  of  informa1on  is  essen1al  to  accomplish  these  three  tasks.      •  The  Cybersecurity  Informa1on  Exchange  Framework  (CYBEX)  ini1a1ve  aimed  at  

iden1fying  the  emerging  set  of  specifica1ons  for  the  global  pladorms  for  achieving  these  trusted  exchanges  

•  Most  of  the  work  has  been  accomplished  within  exis1ng  systems  assurance,  incident  response,  and  intelligence/surveillance  communi1es  

•  Pro-­‐ac1ve  outreach  is  part  of  the  ini1a1ve  –  Constant  alempt  to  survey  what  is  occurring  in  all  other  forums  and  bringing  important  

capabili1es  into  the  framework  –  Constant  analysis  of  what  is  missing  or  needed  

•  Unique  –  no  comparable  ac1vity  exists  

Cybersecurity  Informa1on  acquisi1on  

(out  of  scope*)  

Cybersecurity  Informa1on  

use  (out  of  scope*)  

  structuring  cybersecurity  informa3on  for  exchange  purposes  

  iden3fying  and  discovering  cybersecurity  informa3on  and  en33es  

  reques3ng  and  responding  with  cybersecurity  informa3on  

  exchanging  of  cybersecurity  informa3on  over  networks  

  assuring  cybersecurity  informa3on  exchanges  

Cybersecurity  En11es  

Cybersecurity  En11es  

*  Some  specialized  cybersecurity  exchange  implementa1ons  may  require  applica1on  specific  frameworks  specifying  acquisi1on  and  use  capabili1es  

CYBEX  Exchange  Model  

CYBEX  Ontology  

Coordinator

Response  Team

Administrator

Network  Operator

Incident  Handling  Domain

IT  Asset  Management  Domain

Knowledge  Accumula3on  Domain

Asset  Database Product  KB

Assessment  Rule

Internal  Asset  DB

External  Asset  DB Version  KB

Configura1on  KB

Cyber  Risk  KB Vulnerability  KB

Threat  KB Alack  KB Mis-­‐use  KB

Researcher

Vendor

Registrar

Countermeasure  KB

Detec1on  /  Protec1on  Rule

Incident  Database

Event Incident Alack

Warning  Database

Vulnerability/State Exchange Cluster Event/Incident/Heuristics Exchange Cluster

Informa1on  Exchange  Structuring  

Evidence Exchange Cluster

Handover of real time forensics

Handover of retained

data forensics

Event Expressions

Extensions for: DPI

Traceback Smartgrid Phishing

Malware Patterns

Incident and

Attack Patterns

Electronic Evidence Discovery

Knowledge  Base  

Weaknesses Vulnerabilities

and Exposures

Platforms

State  

Assessment Results

Security State

Measurement

Configuration Checklists

Terms and conditions

OVAL Open Vulnerability and Assessment Language

CWE Common Weakness

Enumeration

CVE Common

Vulnerabilities and

Exposures

CPE Common Platform

Enumeration

CVSS Common

Vulnerability Scoring System

CWSS Common Weakness Scoring System

CCE Common

Configuration Enumeration

XCCDF eXensible

Configuration Checklist

Description Format

ARF Assessment

Result Format

CEE Common

Event Expression

IODEF Incident Object

Description Exchange Format

CAPEC Common

Attack Pattern Enumeration

and Classification

Application Specific

Extensions

Informa1on  Exchange  Schema  

OVAL Open Vulnerability and Assessment Language

CWE Common Weakness

Enumeration

CVE Common

Vulnerabilities and

Exposures

CPE Common Platform

Enumeration

CVSS Common

Vulnerability Scoring System

CWSS Common Weakness Scoring System

CCE Common

Configuration Enumeration

XCCDF eXensible

Configuration Checklist

Description Format

ARF Assessment

Result Format

CEE Common

Event Expression

IODEF Incident Object

Description Exchange Format

CAPEC Common

Attack Pattern Enumeration

and Classification

Application Specific

Extensions

MAEC Malware

Attribution Enumeration

and Characterization

Informa1on  Exchange  Schema  -­‐  Malware  

OVAL Open Vulnerability and Assessment Language

CWE Common Weakness

Enumeration

CVE Common

Vulnerabilities and

Exposures

CPE Common Platform

Enumeration

CVSS Common

Vulnerability Scoring System

CWSS Common Weakness Scoring System

CCE Common

Configuration Enumeration

XCCDF eXensible

Configuration Checklist

Description Format

ARF Assessment

Result Format

CEE Common

Event Expression

IODEF Incident Object

Description Exchange Format

CAPEC Common

Attack Pattern Enumeration

and Classification

Application Specific

Extensions

SCAP Security

Automation Tools

Informa1on  Exchange  Schema  –    

SCAP  Applica1on  

Exchange Cluster

Informa1on  Exchange  Trust  capabili1es  

Identity Assurance Cluster

Authentication Assurance Methods

Authentication Assurance

Levels

Discovery of parties, standards, schema, enumerations, instances and

other objects

Common Namespace

Discovery enabling

mechanisms

Request and

distribution mechanisms

Interaction Security

Transport Security

Trusted Platforms

Trusted Network Connect

Events, Incidents, & Heuristics

Information

Weaknesses, Vulnerabilities &

State Information

Incident Detection Schema

Software, systems, services, networks

Security Automation

Schema

Tools

Evidence Information

Exchange Policies

Exchange Requests

Exchange Policies

Exchange Requests

+   +  

CYBEX  Implementa1on  

Trusted Platform Modules

Trusted Network Connect

Tools

So  where  do  we  go  from  here:  the  challenges  

•  An  en1re  ITU-­‐T  Recom-­‐  menda1on  X-­‐series  has    been  allocated  

•  Recs.  X.cybex,  X.cve,  X.cvss  should  be  approved  in  December  

•  Future  of  IODEF  remains  a  ques1on  mark  •  Many  addi1onal  CYBEX  pieces  are  in  various  stages  of  prepara1on  for  adop1on  during  2011-­‐2013  and  subsequent  maintenance  

•  A  global  structured  website  of  cybersecurity  organiza1ons  has  been  created  on  ITU-­‐T  website  

•  Substan1al  challenges  remain…    

Challenge:  Extent  and  evolu1on  of  CYBEX  Recommenda1on  

•  Is  the  framework  currently  complete?  •  What  standards  should  be  included  in  the  framework?  What  are  the  

criteria  for  inclusion?  •  Which  standards  get  published  as  ITU-­‐T  Recommenda1ons  and  

which  do  not?  •  How  do  ITU-­‐T  published  versions  maintain  “sync”  with  authorita1ve  

community  versions?  •  How  do  regional  and  na1onal  variants/schemas  become  included?  •  How  should  Security  Content  Automa1on  Protocol  (SCAP)  schema  

be  treated?  –  Presently  included  in  an  appendix  as  examples  

•  How  does  CYBEX  deal  with  “sou”  standards,  e.g.,  other  ITU-­‐T,    ITU-­‐D,  ISO  SC27    –  Presently  referenced  in  an  appendix  

Challenge:  Discovery  and  trust  capabili1es  •  Cybersecurity  object  discovery,  trust,  and  related  exchange  policy  mechanisms  are  compartmentalized,  incoherent,  and  frequently  primi1ve  

•   Iden1ty  Management  for  cybersecurity  has  complex  assurance  rela1onships  

Ongoing  relevant  cybersecurity  IdM  developments  

•  eDiscovery  –  Trusted  discovery  of  iden1fier  meta  informa1on  is  essen1al  in  distributed  systems  –  Bob  Kahn  has  been  leading  effort  in  ITU-­‐T  to  develop  a  X.discovery  specifica1on  

•  Resolvers  –  New  joint  ISO  ITU-­‐T  specifica1on  ITU-­‐T  X.673  |  ISO/IEC  29168-­‐2  provides  for  DNS  based  ability  to  resolve  

OIDs  to  informa1on  addresses  –  Handles  system  proceeding  in  ITU-­‐T  

•  Trust  interoperability  –  Joint  ITU-­‐T  and  ISO  X.eaa  specifica1on  currently  being  discussed  –  ENISA  trust  interoperability  protocol  may  be  underway  in  OASIS  

•  Cloud/Smartgrid  Iden1ty  –  Mul1ple  global  ini1a1ves  underway  to  develop  specifica1ons  for  cloud  and  Smartgrid  Iden1ty  (ITU-­‐T,  OASIS,  

3GPP,  CEN,  ISO,  NIST,  etc)  •  Pladorm  trust  

–  Trusted  Pladorm  Module  and  Trusted  Network  Connect  now  included  in  CYBEX  standard  •  Should  Virtual  TPMs  be  included?  

–  Distribu1on  channel  trust  •  OID  based  NID  standards  emerging  as  a  major  object  ID  pladorm  for  distribu1on  chain  trust  •  Handles  based  DOIs  a  second  order  choice  •  What  others  exist?  

•  No  apparent  consensus  on  use  of  cyber  security  object  iden1fiers  •  NICT  contribu1ons  have  been  seminal  in  exploring  naming  and  discovery  op1ons  •  CNIS  (Cyber-­‐security  Naming  and  Informa1on  Structures  Group)  is  emerging  as  a  significant  new  

forum  for  trea1ng  CYBEX  informa1on  iden1fiers  

Challenge:  Achieving  implementa1on  and  widespread  use  •  Much  public  and  industry  dialogue  is  primi1ve,  frac1ous,  and  poli1cally  

conten1ous  at  best  –  especially  in  the  West  –  See,  e.g.,  FCC  Cybersecurity  Roadmap  proceeding  in  Docket  10-­‐146  

•  Meaningful  pladorms  (e.g.,  CYBEX),  like  the  systems  involved,  are  complex  •  Best  ini1al  implementa1on  avenues  are  within  coherent  bounded  

communi1es  –  ISOG-­‐J  –  Na1onal  government  networks  –  Common  Criteria  Control  Board  –  NATO  

•  SCAP  implementa1ons  should  proliferate  –  How  to  enumerate  and  discover?  

•  Analy1cal  “bridging”  pladorms  are  emerging  –  Deep  Packet  Inspec1on  –  Applica1on/pladorm  behavior  signature  enumera1ons  

•  Ul1mately  carefully  designed  mandates  by  na1onal  regulatory  authori1es  seem  likely  to  emerge  

Exemplar:    6th  IT  Security  Automa1on  Conference,  Bal1more,  27-­‐29  Sep  2010*  

Credit:  Overview  by  Paul  Cichonski,  BAH-­‐NIST   *See:  hlp://scap.nist.gov/events/2010/itsac/presenta1ons/index.html  

A  familiar  ensemble  Emerging  NIST  view  of  CYBEX  as  SCAP  

A  significant  dependency  

Exemplar:    Japan  Vulnerability  Notes