The Common Vulnerability Reporting Framework (CVRF) (15 minutes)
Speaker: Jim Duncan
In recent years, the computer security community has made significant progress in categorizing and ranking the severity of vulnerabilities in information systems through the widespread adoption of the Common Vulnerabilities and Exposures (CVE) dictionary and the Common Vulnerability Scoring System (CVSS). However, one major gap in vulnerability standardization remains: there is no common framework for reporting and sharing vulnerability documentation among multiple organizations.
Current methods of vulnerability reporting, such as embedding security metric and vulnerability data inside response reports, are vendor-specific, non-standard, and non-cooperative. Additionally, because each producer of vulnerability reports employs a unique document structure that does not facilitate automated processing, users must manually parse individual vulnerability reports to find information that is germane to their environments.
In an effort to solve these problems, The Internet Consortium for Advancement of Security on the Internet (ICASI) has initiated the Common Vulnerability Reporting Framework (CVRF) project. CVRF will standardize vulnerability reporting in the form of an XML framework. Once CVRF is available, discoverers, vendors, users and coordinators of security response efforts worldwide will be able to use it to share critical vulnerability-related information, speeding information dissemination, exchange, and incident resolution. Producers of vulnerability reports will benefit from faster reporting, and end users will gain the ability to find relevant information more quickly and easily.
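The automated processing the abstract argues for, shown as an added example that is not part of the ICASI talk: a defender parses a vulnerability report and keeps only the entries that apply to products in a local inventory. The element names and namespaces are assumed from the CVRF 1.1 schema as later published (the abstract predates it); the advisory text, product IDs, CVE-style identifiers and scores are constructed sample data.

```python
# Added example: filter a constructed CVRF 1.1-style advisory against a local
# product inventory. Schema element names are assumed from CVRF 1.1; the
# advisory content below is constructed and is not a real vendor document.
import xml.etree.ElementTree as ET

NS = {"cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
      "prod": "http://www.icasi.org/CVRF/schema/prod/1.1",
      "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1"}

SAMPLE_CVRF = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle>Constructed advisory</DocumentTitle>
  <DocumentTracking><Identification><ID>EXAMPLE-001</ID></Identification></DocumentTracking>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <FullProductName ProductID="PID-1">Example Router 2.0</FullProductName>
    <FullProductName ProductID="PID-2">Example Router 2.1</FullProductName>
    <FullProductName ProductID="PID-3">Example Switch 5.0</FullProductName>
  </ProductTree>
  <Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
    <Title>Constructed issue A</Title><CVE>CVE-0000-0001</CVE>
    <ProductStatuses>
      <Status Type="Known Affected"><ProductID>PID-1</ProductID></Status>
      <Status Type="Fixed"><ProductID>PID-2</ProductID></Status>
    </ProductStatuses>
    <CVSSScoreSets><ScoreSet><BaseScore>7.5</BaseScore></ScoreSet></CVSSScoreSets>
  </Vulnerability>
  <Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
    <Title>Constructed issue B</Title><CVE>CVE-0000-0002</CVE>
    <ProductStatuses>
      <Status Type="Known Affected"><ProductID>PID-3</ProductID></Status>
    </ProductStatuses>
    <CVSSScoreSets><ScoreSet><BaseScore>4.3</BaseScore></ScoreSet></CVSSScoreSets>
  </Vulnerability>
</cvrfdoc>"""

def relevant_vulns(cvrf_xml, inventory):
    """Return (CVE, title, CVSS base score, affected product names) for each
    vulnerability whose 'Known Affected' products intersect the inventory."""
    root = ET.fromstring(cvrf_xml)
    names = {p.get("ProductID"): p.text
             for p in root.iterfind(".//prod:FullProductName", NS)}
    hits = []
    for v in root.iterfind("vuln:Vulnerability", NS):
        # Only 'Known Affected' counts; a 'Fixed' status needs no action.
        affected = {pid.text
                    for st in v.iterfind("vuln:ProductStatuses/vuln:Status", NS)
                    if st.get("Type") == "Known Affected"
                    for pid in st.iterfind("vuln:ProductID", NS)}
        mine = sorted(names[p] for p in affected & set(inventory))
        if mine:
            score = v.findtext("vuln:CVSSScoreSets/vuln:ScoreSet/vuln:BaseScore", namespaces=NS)
            hits.append((v.findtext("vuln:CVE", namespaces=NS),
                         v.findtext("vuln:Title", namespaces=NS),
                         float(score) if score else None, mine))
    return hits
```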
FACTOIDS: An open architecture for secure, efficient and dynamic data exchange among CSIRTs (15 minutes)
Speaker: Carlos Martinez-Cagnazzo
Computer Security Incident Response Teams (CSIRTs) are service organizations: highly specialized task forces that handle security incidents at either the coordination or the operational level. Malicious Internet activity recognizes no boundaries; therefore, to carry out their tasks as efficiently as possible, CSIRTs must establish relationships of trust that allow them to share information.
To be acceptable, this information sharing must also comply with the information security policies of each security team's parent organization and, to be as effective as possible, it must be capable of being automated. The problem opens various research avenues, including but not limited to: (a) streamlining the establishment of trust relationships; (b) automatic sanitization according to a stored, machine-executable information security policy; (c) efficient access to event repositories through remotely callable APIs; and (d) efficient storage of large volumes of security-related event data.
This paper introduces this information-exchange scenario among CSIRTs and then analyzes some relevant tools and architectures found in the literature, with the aim of analyzing the requirements and proposing a high-level architecture for the automatic exchange of information among CSIRTs across administrative domains in a way that complies with each organization's information security policies.
FISHA - A Framework for Information Sharing and Alerting in Europe (15 minutes)
Speakers: Bence Birkás and Ferenc Suba
FISHA (Framework for Information Sharing and Alerting) is a collaboration between NASK/CERT Polska, CERT-Hungary and the University of Gelsenkirchen to build a common European information and alerting system within the framework of the EU EPCIP programme, based on the findings of the EISAS study of ENISA. The project addresses the issue of improving security awareness amongst home users and SMEs through the creation of a European information sharing and alerting system. The focus on home users and SMEs stems from the fact that these groups play a critical role in the security of the Internet as a whole and, as such, of the European critical information infrastructure. At the same time, both groups remain an easy target of attacks, due to low awareness of security issues and the lack of the technical skills required to handle them properly. There is therefore a need for a channel that can be used to reach these groups and supply them with timely best-practice information, alerts and warnings phrased in an easy-to-understand, non-technical way. While a number of national initiatives with a similar goal exist, these initiatives do not cooperate as actively in this field as they could. There is therefore much to be gained by pooling their resources and building upon existing information exchange initiatives, developed in particular in the CERT community. Previous studies in the watch-and-warning field have shown that experts from different countries hold many different views and interpretations as to what really should be done at a European level. These differing views have hindered past Europe-wide efforts, with relevant stakeholders firmly opposing the creation of a large centralized structure.
The presentation will introduce our vision of the framework for information sharing and alerting, which we intend to act as a meta-information broker for various stakeholders (including CERTs), and explain the rationale behind the choices made, both technical (including a description of the proposed P2P network) and organizational. Our vision takes into account not just our own ideas or ideas inspired by previous work, but also comments from experts (particularly from CERTs) who took part in our first FISHA workshop, organized in October 2009 in Rotterdam.
Specifications for a Collaboration and Exchange Infrastructure for Cyber Defense Data (15 minutes)
Speaker: Luc Dandurand
Given the complexity of modern Communication and Information Systems (CIS) and the speed at which cyber attacks can progress, the need for automated Cyber Defence processes is clear. Such automation ranges from correlating data from different sources, so as to provide more meaningful information to computer security incident response team (CSIRT) analysts, to taking immediate defensive action in a network without human intervention. To provide the intended results, automated processes require standardized and accurate data. This Cyber Defence data can be broken down into two categories: the operational data that describes the organisation's CIS being protected, and reference data that describes common knowledge not specific to that organisation, such as lists of vulnerabilities and software products. The presentation presents a solution for improving the management of Cyber Defence reference data to adequately support automated Cyber Defence processes.
WOMBAT API: handling incidents by querying a world-wide network of advanced honeypots (15 minutes)
Speaker: Piotr Kijewski
Our presentation will describe the WOMBAT API, an API developed by the WOMBAT (Worldwide Observatory of Malicious Behaviors and Attack Threats) project consortium that allows different organizations to give access to their security-related datasets in a simple but consistent manner. Unlike most standards, the WOMBAT API places only a few general requirements on an entity wishing to implement the API. It enables users to explore and compare datasets from different organizations through a powerful interactive command-line interface, without knowledge of the underlying database architecture. The HoneySpider Network (a hybrid client honeypot solution) dataset is described in detail, with examples of usage. Other datasets that are WAPI-enabled are also introduced. This is followed by an example scenario showing how a real-life incident can be handled using information from a diverse group of datasets, from the moment a security breach is detected, through initial assessment of the compromise, up to identification of the possible infection vectors, IPs, URLs and malware responsible. We believe that the WOMBAT API has the potential to become a powerful tool and a catalyst enabling CERTs and security researchers to share security-related data in a much more open and effective manner than has been possible until now.