3.12. Assessment Class
The Assessment class describes the repercussions of the incident to the victim.

   +-------------------------+
   | Assessment              |
   +-------------------------+
   | ENUM occurrence         |<>--{0..*}--[ IncidentCategory ]
   | ENUM restriction        |<>--{0..*}--[ SystemImpact ]
   | STRING ext-restriction  |<>--{0..*}--[ BusinessImpact ]
   | ID observable-id        |<>--{0..*}--[ TimeImpact ]
   |                         |<>--{0..*}--[ MonetaryImpact ]
   |                         |<>--{0..*}--[ IntendedImpact ]
   |                         |<>--{0..*}--[ Counter ]
   |                         |<>--{0..*}--[ MitigatingFactor ]
   |                         |<>--{0..*}--[ Cause ]
   |                         |<>--{0..1}--[ Confidence ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                    Figure 21: The Assessment Class

The aggregate classes of the Assessment class are:

IncidentCategory
   Zero or more. ML_STRING. A free-form text description categorizing the type of incident.

SystemImpact
   Zero or more. A technical characterization of the impact of the incident activity on the victim's enterprise. See Section 3.12.1.

BusinessImpact
   Zero or more. Impact of the incident activity on the business functions of the victim organization. See Section 3.12.2.

TimeImpact
   Zero or more. A characterization of the impact of the incident activity on the victim organization as a function of time. See Section 3.12.3.

MonetaryImpact
   Zero or more. The financial loss due to the incident activity. See Section 3.12.4.

IntendedImpact
   Zero or more. The intended outcome to the victim sought by the threat actor. Defined identically to the BusinessImpact class in Section 3.12.2, but describes intent rather than the realized impact.

Counter
   Zero or more. A counter with which to summarize the magnitude of the activity. See Section 3.18.3.

MitigatingFactor
   Zero or more. ML_STRING. A description of a mitigating factor relative to the impact on the victim organization.

Cause
   Zero or more. ML_STRING. A description of an underlying cause of the impact.

Confidence
   Zero or one. An estimate of confidence in the impact assessment. See Section 3.12.5.

AdditionalData
   Zero or more. EXTENSION. A mechanism by which to extend the data model.

At least one instance of the possible five impact classes (i.e., SystemImpact, BusinessImpact, TimeImpact, MonetaryImpact, or IntendedImpact) MUST be present.

The attributes of the Assessment class are:

occurrence
   Optional. ENUM. Specifies whether the assessment is describing actual or potential outcomes.

   1. actual. This assessment describes activity that has occurred.
   2. potential. This assessment describes potential activity that might occur.

restriction
   Optional. ENUM. See Section 3.3.1.

ext-restriction
   Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.

observable-id
   Optional. ID. See Section 3.3.2.

3.12.1. SystemImpact Class
The SystemImpact class describes the technical impact of the incident to the systems on the network.

   +-----------------------+
   | SystemImpact          |
   +-----------------------+
   | ENUM severity         |<>--{0..*}--[ Description ]
   | ENUM completion       |
   | ENUM type             |
   | STRING ext-type       |
   +-----------------------+

                   Figure 22: The SystemImpact Class

The aggregate class of the SystemImpact class is:

Description
   Zero or more. ML_STRING. A free-form text description of the impact to the system.

The attributes of the SystemImpact class are:

severity
   Optional. ENUM. An estimate of the relative severity of the activity. The permitted values are shown below. There is no default value.

   1. low. Low severity.
   2. medium. Medium severity.
   3. high. High severity.

completion
   Optional. ENUM. An indication of whether the described activity was successful. The permitted values are shown below. There is no default value.

   1. failed. The attempted activity was not successful.
   2. succeeded. The attempted activity succeeded.

type
   Required. ENUM. Classifies the impact. The permitted values are shown below. The default value is "unknown". These values are maintained in the "SystemImpact-type" IANA registry per Section 10.2.

   1. takeover-account. Control was taken of a given account.
   2. takeover-service. Control was taken of a given service.
   3. takeover-system. Control was taken of a given system.
   4. cps-manipulation. A cyber-physical system was manipulated.
   5. cps-damage. A cyber-physical system was damaged.
   6. availability-data. Access to particular data was degraded or denied.
   7. availability-account. Access to an account was degraded or denied.
   8. availability-service. Access to a service was degraded or denied.
   9. availability-system. Access to a system was degraded or denied.
   10. damaged-system. Hardware on a system was irreparably damaged.
   11. damaged-data. Data on a system was deleted.
   12. breach-proprietary. Sensitive or proprietary information was accessed or exfiltrated.
   13. breach-privacy. Personally identifiable information was accessed or exfiltrated.
   14. breach-credential. Credential information was accessed or exfiltrated.
   15. breach-configuration. System configuration or data inventory was accessed or exfiltrated.
   16. integrity-data. Data on the system was modified.
   17. integrity-configuration. Application or system configuration was modified.
   18. integrity-hardware. Firmware of a hardware component was modified.
   19. traffic-redirection. Network traffic on the system was redirected.
   20. monitoring-traffic. Network traffic emerging from a host or enclave was monitored.
   21. monitoring-host. System activity (e.g., running processes, keystrokes) was monitored.
   22. policy. Activity violated the system owner's acceptable use policy.
   23. unknown. The impact is unknown.
   24. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

ext-type
   Optional. STRING. A means by which to extend the type attribute. See Section 5.1.1.
3.12.2. BusinessImpact Class
The BusinessImpact class describes and characterizes the degree to which the function of the organization was impacted by the incident.

   +-------------------------+
   | BusinessImpact          |
   +-------------------------+
   | ENUM severity           |<>--{0..*}--[ Description ]
   | STRING ext-severity     |
   | ENUM type               |
   | STRING ext-type         |
   +-------------------------+

                  Figure 23: The BusinessImpact Class

The aggregate class of the BusinessImpact class is:

Description
   Zero or more. ML_STRING. A free-form text description of the impact to the organization.

The attributes of the BusinessImpact class are:

severity
   Optional. ENUM. Characterizes the severity of the incident on business functions. The permitted values are shown below. They were derived from Table 3-2 of [NIST800.61rev2]. The default value is "unknown". These values are maintained in the "BusinessImpact-severity" IANA registry per Section 10.2.

   1. none. No effect to the organization's ability to provide all services to all users.
   2. low. Minimal effect as the organization can still provide all critical services to all users but has lost efficiency.
   3. medium. The organization has lost the ability to provide a critical service to a subset of system users.
   4. high. The organization is no longer able to provide some critical services to any users.
   5. unknown. The impact is not known.
   6. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

ext-severity
   Optional. STRING. A means by which to extend the severity attribute. See Section 5.1.1.

type
   Required. ENUM. Characterizes the effect this incident had on the business. The permitted values are shown below. The default value is "unknown". These values are maintained in the "BusinessImpact-type" IANA registry per Section 10.2.

   1. breach-proprietary. Sensitive or proprietary information was accessed or exfiltrated.
   2. breach-privacy. Personally identifiable information was accessed or exfiltrated.
   3. breach-credential. Credential information was accessed or exfiltrated.
   4. loss-of-integrity. Sensitive or proprietary information was changed or deleted.
   5. loss-of-service. Service delivery was disrupted.
   6. theft-financial. Money was stolen.
   7. theft-service. Services were misappropriated.
   8. degraded-reputation. The reputation of the organization's brand was diminished.
   9. asset-damage. A cyber-physical system was damaged.
   10. asset-manipulation. A cyber-physical system was manipulated.
   11. legal. The incident resulted in legal or regulatory action.
   12. extortion. The incident resulted in actors extorting the victim organization.
   13. unknown. The impact is unknown.
   14. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

ext-type
   Optional. STRING. A means by which to extend the type attribute. See Section 5.1.1.

3.12.3. TimeImpact Class
The TimeImpact class describes the impact of the incident on an organization as a function of time. It provides a way to convey downtime and recovery time.

   +---------------------+
   | TimeImpact          |
   +---------------------+
   | REAL                |
   |                     |
   | ENUM severity       |
   | ENUM metric         |
   | STRING ext-metric   |
   | ENUM duration       |
   | STRING ext-duration |
   +---------------------+

                    Figure 24: The TimeImpact Class

The content of the class is of type REAL and specifies an amount of time. The duration attribute provides units for this content, and the metric attribute explains what this content is measuring.

The attributes of the TimeImpact class are:

severity
   Optional. ENUM. An estimate of the relative severity of the activity. The permitted values are shown below. There is no default value.

   1. low. Low severity.
   2. medium. Medium severity.
   3. high. High severity.

metric
   Required. ENUM. Defines the meaning of the value in the element content. These values are maintained in the "TimeImpact-metric" IANA registry per Section 10.2.

   1. labor. Total staff time to recover from the activity (e.g., 2 employees working 4 hours each would be 8 hours).
   2. elapsed. Elapsed time from the beginning of the recovery to its completion (i.e., wall-clock time).
   3. downtime. Duration for which one or more provided services were not available.
   4. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

ext-metric
   Optional. STRING. A means by which to extend the metric attribute. See Section 5.1.1.

duration
   Optional. ENUM. Defines the unit of time for the value in the element content. The default value is "hour". These values are maintained in the "TimeImpact-duration" IANA registry per Section 10.2.

   1. second. The unit of the element content is seconds.
   2. minute. The unit of the element content is minutes.
   3. hour. The unit of the element content is hours.
   4. day. The unit of the element content is days.
   5. month. The unit of the element content is months.
   6. quarter. The unit of the element content is quarters.
   7. year. The unit of the element content is years.
   8. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

ext-duration
   Optional. STRING. A means by which to extend the duration attribute. See Section 5.1.1.
3.12.4. MonetaryImpact Class
The MonetaryImpact class describes the financial impact of the activity on an organization. For example, this impact may consider losses due to the cost of the investigation or recovery, diminished productivity of the staff, or a tarnished reputation that will affect future opportunities.

   +------------------+
   | MonetaryImpact   |
   +------------------+
   | REAL             |
   |                  |
   | ENUM severity    |
   | STRING currency  |
   +------------------+

                  Figure 25: The MonetaryImpact Class

The content of the class is of type REAL and specifies a quantity of money. The currency attribute defines the currency of this value.

The attributes of the MonetaryImpact class are:

severity
   Optional. ENUM. An estimate of the relative severity of the activity. The permitted values are shown below. There is no default value.

   1. low. Low severity.
   2. medium. Medium severity.
   3. high. High severity.

currency
   Optional. STRING. Defines the currency in which the value in the element content is expressed. The permitted values are defined in "Codes for the representation of currencies" [ISO4217]. There is no default value.
3.12.5. Confidence Class
The Confidence class represents an estimate of the validity and accuracy of data expressed in the document. This estimate can be expressed as a category or a numeric calculation.

   +-------------------+
   | Confidence        |
   +-------------------+
   | REAL              |
   |                   |
   | ENUM rating       |
   | STRING ext-rating |
   +-------------------+

                    Figure 26: The Confidence Class

The content of the class is of type REAL and specifies a numerical assessment of the confidence in the data when the value of the rating attribute is "numeric". Otherwise, this element MUST be empty.

The attributes of the Confidence class are:

rating
   Required. ENUM. A qualitative assessment of confidence. These values are maintained in the "Confidence-rating" IANA registry per Section 10.2.

   1. low. Low confidence.
   2. medium. Medium confidence.
   3. high. High confidence.
   4. numeric. The element content contains a number that conveys the confidence of the data. The semantics of this number are outside the scope of this specification.
   5. unknown. The confidence rating value is not known.
   6. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

ext-rating
   Optional. STRING. A means by which to extend the rating attribute. See Section 5.1.1.
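The MUST-level rules of Section 3.12 (at least one impact class per Assessment, a required type on the typed impact classes, a required metric on TimeImpact, and empty Confidence content unless the rating is "numeric") can be checked mechanically before an incident report is sent or ingested. The following checker is an added example, not code from the RFC or any IODEF implementation; it assumes the IODEF v2 XML namespace urn:ietf:params:xml:ns:iodef-2.0 and operates on a constructed sample, and it also normalizes a labor TimeImpact to hours using the duration attribute and its "hour" default.

```python
import xml.etree.ElementTree as ET
NS = "urn:ietf:params:xml:ns:iodef-2.0"  # IODEF v2 XML namespace
IMPACT_CLASSES = ("SystemImpact", "BusinessImpact", "TimeImpact",
                  "MonetaryImpact", "IntendedImpact")
TIME_METRICS = {"labor", "elapsed", "downtime", "ext-value"}
# duration -> seconds; month/quarter/year have no fixed length, so no entry
SECONDS_PER = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def q(name):  # namespace-qualify an IODEF element name
    return "{%s}%s" % (NS, name)

def check_assessment(assessment):
    """Return the rule violations found in one <Assessment> element."""
    problems = []
    if not any(assessment.find(q(c)) is not None for c in IMPACT_CLASSES):
        problems.append("Assessment: at least one impact class MUST be present")
    # type is Required on the typed impact classes; ext-value needs ext-type
    for name in ("SystemImpact", "BusinessImpact", "IntendedImpact"):
        for el in assessment.findall(q(name)):
            if el.get("type") is None:
                problems.append(name + ": type attribute is required")
            elif el.get("type") == "ext-value" and not el.get("ext-type"):
                problems.append(name + ": type=ext-value needs ext-type")
    for ti in assessment.findall(q("TimeImpact")):
        if ti.get("metric") not in TIME_METRICS:
            problems.append("TimeImpact: metric is required")
        try:
            float(ti.text or "")
        except ValueError:
            problems.append("TimeImpact: content must be a REAL")
    for conf in assessment.findall(q("Confidence")):
        has_body = bool((conf.text or "").strip())
        if (conf.get("rating") == "numeric") != has_body:
            problems.append("Confidence: content MUST be present iff rating=numeric")
    return problems

def time_impact_hours(ti):
    """Normalize a <TimeImpact> to hours using its duration (default 'hour')."""
    unit = ti.get("duration", "hour")
    if unit not in SECONDS_PER:
        raise ValueError("duration %r has no fixed length in hours" % unit)
    return float(ti.text) * SECONDS_PER[unit] / 3600

# Constructed sample (not from the RFC): one valid Assessment, two invalid ones
SAMPLE = """<Incident xmlns="%s">
 <Assessment occurrence="actual">
  <SystemImpact type="breach-credential" severity="high"/>
  <TimeImpact metric="labor" duration="minute">480</TimeImpact>
  <Confidence rating="high"/>
 </Assessment>
 <Assessment occurrence="potential">
  <IntendedImpact type="ext-value"/>
  <TimeImpact duration="day">two</TimeImpact>
  <Confidence rating="high">0.9</Confidence>
 </Assessment>
 <Assessment>
  <MitigatingFactor>MFA limited the blast radius</MitigatingFactor>
 </Assessment>
</Incident>""" % NS

def run_sample():
    found = ET.fromstring(SAMPLE).findall(q("Assessment"))
    hours = time_impact_hours(found[0].find(q("TimeImpact")))
    return [check_assessment(a) for a in found], hours
```

The second Assessment trips four rules at once and the third has no impact class; the first one's 480 labor minutes normalize to the 8 hours of the labor example above.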
3.13. History Class
The History class is a log of the significant events or actions performed by the involved parties during the course of handling the incident. The level of detail maintained in this log is left up to the discretion of those handling the incident.

   +------------------------+
   | History                |
   +------------------------+
   | ENUM restriction       |<>--{1..*}--[ HistoryItem ]
   | STRING ext-restriction |
   +------------------------+

                     Figure 27: The History Class

The aggregate classes of the History class are:

HistoryItem
   One or more. An entry in the history log of significant events or actions performed by the involved parties. See Section 3.13.1.

The attributes of the History class are:

restriction
   Optional. ENUM. See Section 3.3.1.

ext-restriction
   Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.

3.13.1. HistoryItem Class
The HistoryItem class is an entry in the History (Section 3.13) log that documents a particular action or event that occurred in the course of handling the incident. The details of the entry are a free-form text description, but each can be categorized with the type attribute.
   +-------------------------+
   | HistoryItem             |
   +-------------------------+
   | ENUM action             |<>----------[ DateTime ]
   | STRING ext-action       |<>--{0..1}--[ IncidentID ]
   | ENUM restriction        |<>--{0..1}--[ Contact ]
   | STRING ext-restriction  |<>--{0..*}--[ Description ]
   | ID observable-id        |<>--{0..*}--[ DefinedCOA ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                   Figure 28: The HistoryItem Class

The aggregate classes of the HistoryItem class are:

DateTime
   One. DATETIME. A timestamp of this entry in the history log.

IncidentID
   Zero or one. In a history log created by multiple parties, the IncidentID provides a mechanism to specify which CSIRT created a particular entry and references this organization's tracking number. When a single organization is maintaining the log, this class can be ignored. See Section 3.4.

Contact
   Zero or one. Provides contact information for the entity that performed the action documented in this class. See Section 3.9.

Description
   Zero or more. ML_STRING. A free-form text description of the action or event.

DefinedCOA
   Zero or more. STRING. An identifier meaningful to the sender and recipient of this document that references a course of action (COA). This class MUST be present if the action attribute is set to "defined-coa".

AdditionalData
   Zero or more. EXTENSION. A mechanism by which to extend the data model.

The attributes of the HistoryItem class are:

action
   Required. ENUM. Classifies a performed action or occurrence documented in this history log entry. As activity will likely have been instigated either through a previously conveyed expectation or through an internal investigation, this attribute is identical to the action attribute of the Expectation class. The difference is only one of tense. When an action is in this class, it has been completed. See Section 3.15.

ext-action
   Optional. STRING. A means by which to extend the action attribute. See Section 5.1.1.

restriction
   Optional. ENUM. See Section 3.3.1.

ext-restriction
   Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.

observable-id
   Optional. ID. See Section 3.3.2.
3.14. EventData Class
The EventData class is a container class to organize data about events that occurred during an incident.

   +-------------------------+
   | EventData               |
   +-------------------------+
   | ENUM restriction        |<>--{0..*}--[ Description ]
   | STRING ext-restriction  |<>--{0..1}--[ DetectTime ]
   | ID observable-id        |<>--{0..1}--[ StartTime ]
   |                         |<>--{0..1}--[ EndTime ]
   |                         |<>--{0..1}--[ RecoveryTime ]
   |                         |<>--{0..1}--[ ReportTime ]
   |                         |<>--{0..*}--[ Contact ]
   |                         |<>--{0..*}--[ Discovery ]
   |                         |<>--{0..1}--[ Assessment ]
   |                         |<>--{0..*}--[ Method ]
   |                         |<>--{0..*}--[ Flow ]
   |                         |<>--{0..*}--[ Expectation ]
   |                         |<>--{0..1}--[ Record ]
   |                         |<>--{0..*}--[ EventData ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                    Figure 29: The EventData Class

The aggregate classes of the EventData class are:

Description
   Zero or more. ML_STRING. A free-form text description of the event.

DetectTime
   Zero or one. DATETIME. The time the event was detected.

StartTime
   Zero or one. DATETIME. The time the event started.

EndTime
   Zero or one. DATETIME. The time the event ended.

RecoveryTime
   Zero or one. DATETIME. The time the site recovered from the event.

ReportTime
   Zero or one. DATETIME. The time the event was reported.

Contact
   Zero or more. Contact information for the parties involved in the event. See Section 3.9.

Discovery
   Zero or more. The means by which the event was detected. See Section 3.10.

Assessment
   Zero or one. The impact of the event on the victim and the actions taken. See Section 3.12.

Method
   Zero or more. The technique used by the threat actor in the event. See Section 3.11.

Flow
   Zero or more. A description of the systems or networks involved. See Section 3.16.

Expectation
   Zero or more. The expected action to be performed by the recipient for the described event. See Section 3.15.

Record
   Zero or one. Supportive data (e.g., log files) that provides additional information about the event. See Section 3.22.

EventData
   Zero or more. A recursive definition of the EventData class. See Section 3.14.2 for an explanation on using this class.

AdditionalData
   Zero or more. EXTENSION. An extension mechanism for data not explicitly represented in the data model.

At least one of the aggregate classes MUST be present in an instance of the EventData class.

The attributes of the EventData class are:

restriction
   Optional. ENUM. See Section 3.3.1. The default value is "default".

ext-restriction
   Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.

observable-id
   Optional. ID. See Section 3.3.2.

3.14.1. Relating the Incident and EventData Classes
There is substantial overlap in the child classes aggregated in the Incident and EventData classes. Nevertheless, the semantics of these classes are quite different. The Incident class provides summary information about the entire incident, while the EventData class provides information about the individual events comprising the incident. In the common case, the EventData class will provide more specific information for the general description provided in the Incident class. However, in the case where the summarized information in the Incident class conflicts with the detailed information in an EventData class, the more specific EventData class MUST supersede the more generic information provided in the Incident class.

3.14.2. Recursive Definition of EventData
The EventData class is a container for the properties of an event in an incident. These properties include: the hosts involved, impact of the incident activity on the hosts, forensic logs, etc. The recursive definition of EventData allows for the grouping of related information with common properties. This approach eliminates the need for explicit identifiers to relate information or duplicate it. Instead, the relative depth (nesting) of a class is used to group (relate) information. For example, consider a case where two hosts experience different impacts during an incident. However, these two hosts have common contact information. A depiction of how this situation would be represented can be found in Figure 30. EventData (2) and (3) group each of the two hosts with their unique impact. EventData (1) describes the common Contact class these two hosts share.
   +------------------+
   | EventData (1)    |
   +------------------+
   |                  |<>----[ Contact ]
   |                  |
   |                  |<>----[ EventData (2) ]<>----[ Flow ]
   |                  |      [               ]<>----[ Assessment ]
   |                  |
   |                  |<>----[ EventData (3) ]<>----[ Flow ]
   |                  |      [               ]<>----[ Assessment ]
   +------------------+

               Figure 30: Recursion in the EventData Class
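Because grouping is expressed by nesting rather than by identifiers, a consumer has to carry properties of an outer EventData down to the inner ones when it flattens a report. The walker below is an added example (not from the RFC or any IODEF implementation) that reproduces the situation of Figure 30: it inherits the shared Contact of EventData (1) into the per-host records of EventData (2) and (3), and flags any EventData that violates the rule of Section 3.14 that at least one aggregate class MUST be present. It assumes the IODEF v2 namespace urn:ietf:params:xml:ns:iodef-2.0 and the Contact, ContactName, Flow, System, Node and NodeName classes that the RFC defines in other sections.

```python
import xml.etree.ElementTree as ET
NS = "urn:ietf:params:xml:ns:iodef-2.0"  # IODEF v2 XML namespace

def q(name):  # namespace-qualify an IODEF element name
    return "{%s}%s" % (NS, name)

def check_eventdata(event):
    """EventData MUST carry at least one aggregate class (Section 3.14)."""
    return len(list(event)) > 0

def flatten_events(event, inherited=()):
    """Yield one record per EventData that carries Flow or Assessment data.

    Contacts are inherited down the nesting, so a Contact given once in an
    outer EventData applies to every host grouped beneath it.
    """
    contacts = list(inherited)
    for c in event.findall(q("Contact")):
        name = c.find(q("ContactName"))
        contacts.append(name.text if name is not None else "(unnamed)")
    # only this element's own Flow/Assessment children, not the nested ones
    hosts = [n.text for f in event.findall(q("Flow"))
             for n in f.iter(q("NodeName"))]
    impacts = [s.get("type") for a in event.findall(q("Assessment"))
               for s in a.iter(q("SystemImpact"))]
    if hosts or impacts:
        yield {"hosts": hosts, "impacts": impacts, "contacts": contacts}
    for child in event.findall(q("EventData")):
        yield from flatten_events(child, contacts)

# Constructed sample (not from the RFC) mirroring Figure 30: EventData (1)
# carries the shared Contact, (2) and (3) pair one host with its own impact,
# and a fourth, empty EventData is included to exercise check_eventdata.
SAMPLE = """<Incident xmlns="%s">
 <EventData>
  <Contact role="creator" type="organization">
   <ContactName>Example CSIRT</ContactName>
  </Contact>
  <EventData>
   <Flow><System category="target"><Node><NodeName>host-a</NodeName></Node></System></Flow>
   <Assessment><SystemImpact type="takeover-system"/></Assessment>
  </EventData>
  <EventData>
   <Flow><System category="target"><Node><NodeName>host-b</NodeName></Node></System></Flow>
   <Assessment><SystemImpact type="availability-service"/></Assessment>
  </EventData>
  <EventData/>
 </EventData>
</Incident>""" % NS

def run_sample():
    """Flatten SAMPLE and count nested EventData elements that are empty."""
    root = ET.fromstring(SAMPLE)
    records = list(flatten_events(root.find(q("EventData"))))
    empty = sum(1 for e in root.iter(q("EventData")) if not check_eventdata(e))
    return records, empty
```

The outer EventData yields no record of its own because it only carries the Contact; both host records come out with that Contact attached, and the empty fourth EventData is the one flagged.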