Transcript
Page 1: CYBEX - The Cybersecurity Information Exchange Framework, Tony Rutkowski, tony@yaanatech.com, Rapporteur, ITU-T Cybersecurity Rapporteur Group

CYBEX - The Cybersecurity Information Exchange Framework

Tony Rutkowski, tony@yaanatech.com, ITU-T Cybersecurity Rapporteur Group

EVP, Yaana Technologies

Senior Fellow, Georgia Tech, Sam Nunn School, Center for International Strategy, Technology, and Policy (CISTP)

2.1

Page 2:

What is the Cybersecurity Information Exchange Framework (CYBEX)?

• A global initiative to
  – identify a set of platform specifications to facilitate the trusted exchange of information among responsible parties worldwide supporting cybersecurity for
    • Infrastructure protection
    • Incident analysis and response
    • Law enforcement and judicial forensics
  – Enhance the availability, interoperability, and usefulness of these platforms
• Extensible use of best-of-breed open cyber security information exchange platforms
• Facilitated by the Cybersecurity Rapporteur Group of ITU-T (Q.4/17)
• ITU-T Recommendations during 2010-2011, with continuing evolution to current user community versions and needs

Page 3:

What is cybersecurity?

[Slide diagram: cybersecurity measures grouped as 1. Measures for protection, 2. Measures for threat detection, 3. Measures for thwarting and other remedies, 4. Legal Remedies; the arrows between groups are labelled "information exchange for analysis" and "information exchange for actions". Diagram labels: Encryption/VPNs esp. for signalling; Resilient infrastructure; Routing & resource constraints; Network/application state & integrity; Identity Management; Data retention and auditing; Forensics & heuristics analysis; Real-time data availability; Provide data for analysis; Provide awareness of vulnerabilities and remedies; Blacklists & whitelists; Vulnerability notices; Patch development; Investigation & measure initiation; Deny resources; Contractual service agreements and federations; Intergovernmental agreements and cooperation; Tort & indemnification; Regulatory/administrative law; Criminal law; Reputation sanctions; Provide basis for actions; Legal remedies may also institute protective measures.]

Page 4:

The CYBEX Initiative: basic model for information exchange

[Slide diagram: a Cybersecurity Organization acquires cybersecurity information (acquisition is out of scope), structures it, and exchanges it with another Cybersecurity Organization, which uses it (use is out of scope). CYBEX focus: structure information; identify & discover cyber security information and organizations; requesting & responding with cybersecurity information; trusted exchange of cyber security information.]

Page 5:

Structured Information

[Slide diagram of the CYBEX specification clusters; the colour legend (imported / new / referenced) is not recoverable from the transcript.]

Vulnerability/State Exchange Cluster
• CWE: Common Weakness Enumeration
• CCE: Common Configuration Enumeration
• ARF: Assessment Results Format
• CVE: Common Vulnerabilities and Exposures
• CVSS: Common Vulnerability Scoring System
• SCAP (SP800-126): Security Content Automation Protocol
• CWSS: Common Weakness Scoring System
• XCCDF: eXtensible Configuration Checklist Description Format
• OVAL: Open Vulnerability and Assessment Language
• CPE: Common Platform Enumeration

Event/Incident/Heuristics Exchange Cluster
• CEE: Common Event Expression
• Specific Events
• X.gridf: SmartGrid Incident Exchange Format
• MAEC: Malware Attribution Enumeration and Characterization
• Black/Whitelist Exchange Format
• PFOC: Phishing, Fraud, and Other Non-Network Layer Reports
• CAPEC: Common Attack Pattern Enumeration and Classification
• IODEF (RFC5070): Incident Object Description Exchange Format

LEA/Evidence Exchange Cluster
• TS102232: Handover Interface and Service-Specific Details (SSD) for IP delivery
• TS102657: Handover interface for the request and delivery of retained data
• RFC3924: Architecture for Lawful Intercept in IP Networks
• TS23.271: Handover for Location Services
• X.dexf: Digital Evidence Exchange File Format
• ERDM: Electronic Discovery Reference Model

Exchange Terms and Conditions
• X.cybex-tc: Cyber information terms and condition exchange format

Page 6:

Discovery and Trusted Exchange

[Slide diagram of the discovery, identity trust and exchange clusters; the colour legend (imported / new / referenced) is not recoverable from the transcript.]

Identity Trust Cluster
• X.evcert: Extended Validation Certificate
• TS102042 V.2.0: Policy requirements for certification authorities issuing public key certificates
• X.eaa: Entity authentication assurance

Discovery Cluster
• X.cybex.1: An OID arc for cybersecurity information exchange
• X.cybex-disc: OID-based discovery mechanisms in the exchange of cybersecurity information
• X.cybex.2: XML namespace in the Exchange of Cybersecurity Information

Exchange Cluster
• X.chirp: Cybersecurity Heuristics and Information Request Protocol
• X.cybex-beep: BEEP Profile for Cybersecurity Information Exchange Framework
• X.cybex-tp: Transport protocols supporting cybersecurity information exchange

LEA/Evidence Exchange
• TS102232-1: Handover Interface and Service-Specific Details (SSD) for IP delivery

Page 7:

A Cybersecurity Namespace

• Trusted global cybersecurity information exchange requires identifiers for
  – The parties and other objects involved in the exchanges
  – The information exchanged
  – The terms and conditions associated with the exchanged information
• A global cyber security namespace is part of CYBEX and described in draft Rec. ITU-T X.cybex.1
• The OID namespace 2.48 has been reserved for this purpose by joint ISO|IEC JTC1 SC6 and ITU SG17 action
  – OID namespaces
    • Are hierarchical and enable autonomous distributed management
    • Were developed for and have been used for these kinds of purposes for the past 30 years
    • Can also be used to meet the new ETSI TC LI Dynamic Triggering requirement for a global identifier for warrants and related needs

Page 8:

A Global Cybersecurity Namespace (Architecture TBD)

[Slide diagram of the OID tree: root arcs 0 (ITU-T|ITU-R), 1 (ISO) and 2 (Joint ITU-T & ISO, jointly allocated by ITU-T SG17 and ISO|IEC JTC1 SC6); 2.48 = cybersecurity. Beneath 2.48 are sub-arcs 0, 1 and 2, annotated "[Allocated by ITU-T SG17]", "[each country, organization, subdivision allocates namespaces and levels as desired]" (sub-arc 1) and "[Allocated by ISO|IEC JTC1 SC6]". Under sub-arc 1 every country has a numeric identifier automatically reserved in the OID 2.48 cybersecurity namespace, e.g. 4 Afghanistan, 250 France, 756 Suisse, 840 USA; non-country organizations (e.g. FIRST, shown as nnn) can also be allocated identifiers.]

Page 9:

Use of the OID cybersecurity namespace: an example

[Slide diagram: two Cybersecurity Organizations exchanging information]
• 2.48.1.756.3 [hypothetical Swiss agency]
  – Incident: 2.48.1.756.3.1.[local identifier]
  – Terms & conditions: 2.48.1.756.3.2.[local identifier]
• 2.48.1.250.2 [hypothetical French agency]

• The namespace identifiers need not be publicly exposed – only unique and consistent within the namespace
• Local agency and community identifiers can continue to be used
• Ensures coherent ability to know who is involved, specific identification of the information, and expected treatment policies
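As an added example (not part of the presentation or of the X.cybex.1 draft), the Python below parses identifiers laid out as on this slide, 2.48.1.<country>.<organization>.<type>.<local>, and DER-encodes them. The object-type sub-arcs (1 = incident, 2 = terms & conditions) and the parse rules are assumptions taken from the slide, since the architecture is marked TBD; the DER encoding itself is the standard X.690 rule.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

CYBEX_ARC = (2, 48)    # joint-iso-itu-t(2) cybersecurity(48), reserved per draft X.cybex.1
COUNTRY_SUBARC = 1     # 2.48.1.<ISO 3166 numeric country code>.<organization>... (slide 9)
# Object-type sub-arcs below an organization: assumed from slide 9, the architecture is TBD
OBJECT_TYPES = {1: "incident", 2: "terms-and-conditions"}

@dataclass
class CybexId:
    country: int                 # e.g. 756 = Switzerland, 250 = France (ISO 3166 numeric)
    organization: int            # organization arc allocated within that country
    object_type: Optional[str]   # "incident", "terms-and-conditions", or None for the org itself
    local: Tuple[int, ...]       # locally assigned arcs, opaque to every other party

def parse_cybex_oid(oid: str) -> CybexId:
    """Split a dotted OID into CYBEX components, rejecting anything outside 2.48.1."""
    arcs = tuple(int(a) for a in oid.strip().split("."))
    if arcs[:2] != CYBEX_ARC:
        raise ValueError(f"not under the 2.48 cybersecurity arc: {oid}")
    if len(arcs) < 5 or arcs[2] != COUNTRY_SUBARC:
        raise ValueError(f"expected 2.48.1.<country>.<organization>[.<type>.<local>]: {oid}")
    rest = arcs[5:]
    object_type = OBJECT_TYPES.get(rest[0]) if rest else None
    if rest and object_type is None:
        raise ValueError(f"unknown object-type sub-arc {rest[0]} in {oid}")
    return CybexId(arcs[3], arcs[4], object_type, rest[1:])

def encode_oid_der(oid: str) -> bytes:
    """DER OBJECT IDENTIFIER: tag 0x06, short-form length, base-128 sub-identifiers.

    DER folds the first two arcs into one sub-identifier, 40*X + Y. For 2.48 that is 128,
    which needs a continuation byte even for the leading sub-identifier; a decoder that
    assumes a single-byte prefix mis-reads every identifier in this namespace.
    """
    arcs = [int(a) for a in oid.strip().split(".")]
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    body = bytearray()
    for value in subids:
        chunk = [value & 0x7F]          # low 7 bits, continuation bit clear
        value >>= 7
        while value:
            chunk.append((value & 0x7F) | 0x80)
            value >>= 7
        body.extend(reversed(chunk))    # most-significant group first
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + bytes(body)
```

Any tooling that consumes these identifiers should be checked against the two-byte leading sub-identifier of 2.48, since OID decoders written against the familiar 1.x and 2.5 arcs often never see one.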

Page 10:

The cybersecurity problems are about to get much worse

• Cloud Services and SmartGrids create potentially significant new cybersecurity threats with far-reaching consequences
• Public services are being pushed into the marketplace with
  – No regulation
  – No standards
  – Availability of massive network data center resources
  – Little understanding of the cybersecurity dimensions, much less effective solutions
  – No international agreements

Page 11:

Will history repeat itself?

• Similar kinds of cyber security challenges were faced a hundred years ago
  – Fast-paced new network technology emerged
  – Networks became global in scope
  – Harmful incidents were rapidly scaling
  – Governments did not intervene, to avoid harm to innovation
  – Sinking of the Titanic in 1912 finally motivated global action
• Every new network technology has faced similar challenges
  – The 1980s OSI Internet had public infrastructure security solutions, but lacked innovation
  – The 1990s TCP/IP academic Internet had no public infrastructure security solutions, but was great for innovation
• Criminals, hackers, terrorists, miscreants are also innovative and have many incentives
• CYBEX assembles the open, extensible, technology-neutral capabilities that have been essential for public network infrastructure/service cybersecurity in different forms over the past hundred years

Page 12:

[Slide image: a ship named "SS Cyber Infrastructure"]

How many cyber icebergs do you need before substantial global action occurs?

It usually takes a major disaster
