Incident Handling BOF (inch)
Thursday, March 21 at 0900-1130
================================

CHAIR: Roman Danyliw

MAILING LIST
===========================
Post: inch@nic.surfnet.nl
Archive: http://listserv.surfnet.nl/archives/inch.html
Subscribe: send mail to listserv@nic.surfnet.nl with "subscribe inch " in the body

AGENDA
===========================
1. Agenda Bashing, Introduction, Minutes Taker - Roman Danyliw - 5 min
2. INCH Status Report - Roman - 5 min
3. Terena IODEF Working Group Status Report - Jan Meijer - 15 min
4. Discuss requirements document (RFC 3067, new requirements) - 30 min
5. Discuss data model document (IODEF, high-level data elements) - 45 min
6. Discussions and Plans for the Future - 15 min

DESCRIPTION
===========================

== Introduction

Computer security incidents occur across administrative domains, often spanning different organizations and national borders. The free exchange of incident information and statistics among the involved parties and the responsible Computer Security Incident Response Teams (CSIRTs) is therefore crucial both for reactive analysis of current intruder activity and for proactive identification of trends that can lead to incident prevention.

The purpose of the proposed Incident Handling (inch) working group is to define data formats for communication between

 * a CSIRT and its constituency (e.g., users, customers, trusted reporters) that report system misuse;
 * a CSIRT and the parties involved in an incident investigation (e.g., law enforcement, the attacking site); and
 * collaborating CSIRTs sharing information.

== Output of the (proposed) WG

There are several outputs of the proposed working group:

1. A document describing the high-level functional requirements of a data format for collaboration between CSIRTs and the parties involved when handling computer security incidents.
2. A specification of the extensible incident data language that describes the data formats satisfying those requirements.
3. Guidelines for implementing the WG data format (Output #2 of the WG).
4. A set of sample incident reports and their associated representation in the incident data language.

== BOF Purpose

After IETF 52, consensus was reached on a charter for the scope of an INCH working group, and this document has been submitted to the AD (and the IESG).

The minutes of the IETF 52 INCH BOF can be found here:

The full text of this charter can be found here:

IETF 53 is the second INCH BOF, during which the related work of the Terena IODEF-WG (see [1] [2]) will be evaluated as the starting point for the INCH deliverables.

REFERENCES
===========================
[1]
[2]