Skip to main content

Concluded WG Managed Incident Lightweight Exchange (mile)

Note: The data for concluded WGs is occasionally incorrect.

WG Name Managed Incident Lightweight Exchange
Acronym mile
Area Security Area (sec)
State Concluded
Charter charter-ietf-mile-04 Approved
Status update Show Changed 2016-07-21
Document dependencies
Additional resources Issue tracker, Wiki
Personnel Chairs Nancy Cam-Winget, Takeshi Takahashi
Area Director Murray Kucherawy
Secretary David Waltermire
Mailing list Address mile@ietf.org
To subscribe https://www.ietf.org/mailman/listinfo/mile
Archive https://mailarchive.ietf.org/arch/browse/mile/

Final Charter for Working Group

The Managed Incident Lightweight Exchange (MILE) working group develops standards to support computer and network security incident management; an incident is an unplanned event that occurs in an information technology (IT) infrastructure. An incident could be a benign configuration issue, IT incident, a system compromise, socially engineered phishing attack, or a denial-of-service (DoS) attack, etc. When an incident is detected, or suspected, there may be a need for organizations to collaborate. This collaboration effort may take several forms including joint analysis, information dissemination, and/or a coordinated operational response. Examples of the response may include filing a report, notifying the source of the incident, requesting that a third-party resolve/mitigate the incident, sharing select indicators of compromise, or requesting that the source be located. By sharing indicators of compromise associated with an incident or possible threat, the information becomes a proactive defense for others that may include mitigation options.

The MILE WG is focused on two areas: standardizing a data format for representing incident and indicator data, and standardizing how application-level protocols such as HTTPS and XMPP become substrates for sharing the structured data. With respect to the data format, the working group has adopted the Incident Object Description Exchange Format (IODEF, RFC 7970) as one exchange format and will continue to:

  • Revise the IODEF document to incorporate enhancements and extensions based on operational experience. Use by the Computer Security Incident Response Teams (CSIRTs) and others has exposed the need to extend IODEF to support industry specific extensions, use case specific content, and representations to associate information related to represented threats (system, threat actors, campaigns, etc.). The value of information sharing has been demonstrated and highlighted at an increasing rate through the success of the Information Sharing and Analysis Centers (ISACs). In addition, the Multinational Alliance for Collaborative Cyber Situational Awareness (CCSA) have been running experiments to determine what data is useful to exchange between industries and nations to effectively mitigate threats. The work of these and other groups have identified and continue to develop data representations relevant to their use cases that may compliment/extend IODEF.

  • Provide guidance on the implementation and use of IODEF to facilitate interoperability.

Though the working group also adopted Real-time Inter-network Defense (RID, RFC 6545) as further enabling information exchange of security policy, its transport mechanism, based on the Simple Object Access Protocol (SOAP), led to the second focus for MILE: adopting more modern transport through the adoption of a RESTful interface through ROLIE (Resource-oriented lightweight information exchange, RFC 8322) and the adoption of a publish-subscribe model through XMPP-Grid (draft-ietf-mile-xmpp-grid). The MILE WG will continue to:

  • Update and enhance these application-level substrate protocols to optimize their performance and representations. More explicitly, documenting how ROLIE can transport JSON representations.

  • Define and document how these application-level substrate protocols can also be used to support other security information exchange formats. For example, documenting how ROLIE can transport STIX (Structured Threat Information Expression) data. As STIX is a expression format defined by the OASIS consortium, the working group will maintain a relationship with OASIS to ensure proper use, compatibility and interoperability when using STIX.

Milestones

Date Milestone Associated documents
Apr 2019 Submit a draft on ROLIE vulnerability extension as an Informational RFC
Apr 2019 Submit a draft on JSON bindings of IODEF to the IESG for publication as a Standards Track RFC
Apr 2019 Submit a draft on RESTful indicator exchange for CSIRT usage as an Informational RFC

Done milestones

Date Milestone Associated documents
Done Submit a draft on XMPP Protocol Extensions for Use with IODEF