GB/T 36643-2018: Information security technology -- Cyber security threat information format (English translation)
Status: Valid
Basic data
Standard ID: GB/T 36643-2018 (GB/T36643-2018)
Description (Translated English): Information security technology -- Cyber security threat information format
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 34,369
Date of Issue: 2018-10-10
Date of Implementation: 2019-05-01
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration

Information security technology - Cyber security threat information format
ICS 35.040
L80
National Standards of the People's Republic of China
Information security technology - Cyber security threat information format specification
Issued 2018-10-10, implemented 2019-05-01
Issued by the State Administration for Market Regulation and the China National Standardization Administration

Table of contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Cybersecurity threat information model
5.1 Overview
5.2 Threat information dimensions
5.3 Threat information components
6 Cybersecurity threat information components
6.1 Overview
6.2 Observable data
6.3 Attack indicators
6.4 Security incidents
6.5 Attack activities
6.6 Attack methods
6.7 Response measures
6.8 Threat subject
6.9 Attack target
Appendix A (informative) Example of complete cybersecurity threat information expressed in JSON
References

Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009. Please note that certain contents of this document may involve patents.
The issuing agency of this document is not responsible for identifying these patents. This standard was proposed by and is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC260).
Drafting organizations of this standard: China Electronics Standardization Institute, Beijing Saixi Technology Development Co., Ltd., Beijing Tianjiyoumengxin Information Technology Co., Ltd., Beijing Qi'anxin Technology Co., Ltd., Institute of Information Engineering, Chinese Academy of Sciences, Third Research Institute of the Ministry of Public Security, China Information Security Evaluation Center, National Computer Network Emergency Technology Coordination Center, CLP Great Wall Internet System Application Co., Ltd., China Electronics Technology Network Information Security Co., Ltd., Alibaba (Beijing) Software Service Co., Ltd., Baidu Online Network Technology (Beijing) Co., Ltd., Beijing Shenzhou NSFOCUS Information Security Technology Co., Ltd., Beijing Venus Information Security Technology Co., Ltd., China NetCloud (Beijing) Information Technology Co., Ltd., Yuanjiang Shengbang (Beijing) Network Security Technology Co., Ltd., Beijing Junyuan Venture Capital Investment Management Co., Ltd., Beijing Pai.com Software Co., Ltd., Sangfor Technology Co., Ltd., Institute of Software, Chinese Academy of Sciences, Beijing Tianrongxin Network Security Technology Co., Ltd., Tencent Cloud Computing (Beijing) Co., Ltd., Shanghai Jiaotong University, Beijing University of Technology, Xidian University, Beijing University of Posts and Telecommunications, Beijing Zhongdian Puhua Information Technology Co., Ltd., People's Public Security University of China, Wuhan University.
The main drafters of this standard:
Cai Lei, Ye Runguo, Yang Jianjun, Liu Xiangang, Fan Kefeng, Min Jinghua, Bao Xuhua, Liu Weixin, Feng Detective, Jin Xiangyu, Dong Xiaokang, Yang Dalu, Yang Zeming, Li Kepeng, Li Qiang, Song Chao, Sun Wei, He Xinpeng, Li Zongyang, Sun Bo, Liang Lulu, Song Haohao, Wang Huilai, Liu Huijing, Sun Chengsheng, Quan Xiaowen, Li Jianhua, Lei Xiaofeng, Pei Qingqi, Yi Jin, Liu Yuling, Li Yan, Shi Bo, Sun Zhaohui, Zhou Yi, Zou Rongxin, Zeng Zhifeng, Ye Jianwei, Yang Zhen, Ma Zhanyu, Zhanpeng Zhai, Cao Zhanfeng, Jiang Zhengwei, Du Yanhui, Wang Lina.

Introduction
As the contest between network attack and defence intensifies, attack methods and techniques are becoming ever more diverse and complex. Threats increasingly show the characteristics of commonality and persistence, and attackers can obtain attack tools ever more easily, so the cost of mounting a cyber attack has fallen sharply while detecting attacks has become ever harder. Traditional network security protection schemes, which rely only on protection mechanisms implemented independently within each vertical, are increasingly inefficient at responding to these complex cyber attacks, and new technical measures are urgently needed to improve overall cyber security protection capability. Sharing and using cyber security threat information is an important measure for improving overall protection efficiency. It applies a variety of technical means: large-scale, multi-channel, fragmented attack or anomaly data is collected, then centrally integrated, merged and analysed in depth to form threat information clues relevant to network security protection; on that basis, proactive and coordinated warning, detection and response to cyber security threats are carried out, reducing the cost of protecting against cyber security threats and improving overall protection efficiency.
Sharing and using cyber security threat information is also an important link in the security protection of critical information infrastructure: it enables rapid cross-organization transmission of threat information, and so timely detection of and rapid response to complex cyber security threats. A standardized format for cyber security threat information and its exchange is the prerequisite and basis for such sharing and use, and is of great significance in promoting the development and industrial application of cyber security threat information technology.

Information security technology - Cyber security threat information format specification

1 Scope
This standard specifies the cyber security threat information model and the cyber security threat information components, including the attributes of each component and the format of their attribute values. This standard applies to the generation, sharing and use of cyber security threat information between suppliers and consumers of such information. It may also be used as a reference for the construction and operation of cyber security threat information sharing platforms.

2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 18336.1-2015 Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model
GB/T 20274.1-2006 Information security technology - Evaluation framework for information systems security assurance - Part 1: Introduction and general model
GB/T 25069-2010 Information security technology - Terminology
GB/T 28458-2012 Information security technology - Security vulnerability identification and description specification

3 Terms and definitions
The terms and definitions given in GB/T 18336.1-2015, GB/T 20274.1-2006 and GB/T 25069-2010, together with the following, apply to this document.
3.1 Cyber security
The maintenance of confidentiality, integrity and availability of information in cyberspace.
[ISO/IEC 27032:2012, definition 4.20]
3.2 Threat
A potential cause of an unwanted event that may result in harm to a system or organization.
[GB/T 29246-2017, definition 2.83]
3.3 Threat information
Evidence-based knowledge that describes existing or possible threats, so that threats can be responded to and prevented.
Note: Threat information includes information such as context, attack mechanisms, attack indicators and possible impact.
3.4 Vulnerability
A weakness of an asset or control that can be exploited by one or more threats.
[GB/T 29246-2017, definition 2.89]
3.5 Cyber kill chain
A multi-step attack model used to describe the successive steps of an attack.
Note: A common multi-step attack model has seven steps: information collection, tool development, tool delivery, vulnerability exploitation, backdoor installation, command and control, and achievement of the attack objective.

4 Abbreviations
The following abbreviations apply to this document.
DNS: Domain Name System
IP: Internet Protocol
JSON: JavaScript Object Notation
MD5: Message Digest Algorithm 5
PE: Portable Executable
URL: Uniform Resource Locator
TTP: Tactics, Techniques and Procedures

5 Cybersecurity threat information model
5.1 Overview
This standard provides a structured method for describing cyber security threat information, with the purpose of enabling the sharing and use of cyber security threat information among organizations and supporting the automation of cyber security threat management and applications. To achieve these goals, a common model is needed that gives a unified description of cyber security threat information. Such a model ensures that descriptions of threat information are consistent, which improves the efficiency and interoperability of threat information sharing and improves overall cyber security threat situation awareness.
5.2 Threat information dimensions
This standard defines a general cyber security threat information model (hereinafter the "threat information model"). The threat information model divides cyber security threat information along three dimensions, object, method and event, into eight threat information components that describe cyber security threats: observable data (Observation), attack indicator (Indicator), security incident (Incident), attack activity (Campaign), threat subject (ThreatActor), attack target (ExploitTarget), attack method (TTP) and response measure (CourseOfAction). The eight components of the threat information model can be divided into three domains:
a) Object domain: describes the participating roles in a cyber security threat, including two components, "threat subject" (usually the attacker) and "attack target" (usually the victim);
b) Method domain: describes the method elements of a cyber security threat, including two components, "attack method" (the methods, techniques and procedures used by the attacker) and "response measure" (the warning, detection, protection and response actions taken against the attack);
c) Event domain: describes events related to cyber security threats at different levels, including four components, "attack activity" (a series of attacks pursuing an economic or political objective), "security incident" (the act of penetrating an information system), "attack indicator" (a single-step attack) and "observable data" (basic events captured at the network or host level).
5.3 Threat information components
Figure 1 shows the threat information model, which includes eight threat information components; each component contains the attributes of the component itself and its relationships with other components. Relationship information is a key element of the threat information model. In the model:
a) "Observable data": stateful attributes or measurable events related to a host or network; the most basic component of the threat information model;
b) "Attack indicator": a technical indicator used to identify a specific "attack method"; a detection rule for a "security incident", formed by combining several items of "observable data";
c) "Security incident": a cyber attack, detected on the basis of the corresponding indicators ("attack indicators"), that may affect a specific organization; a specific cyber attack event may involve information such as "threat subject", "attack method" and "response measure";
d) "Attack activity": a series of attack actions with a specific attack objective in which a "threat subject" adopts specific "attack methods"; an attack activity generates a series of "security incidents";
e) "Threat subject": the subject that initiates an "attack activity"; the "threat subject" uses related methods ("attack methods") to achieve its attack intention;
f) "Attack target": the software, system and network vulnerabilities or weaknesses exploited by an "attack method"; for each attack target there are corresponding effective measures ("response measures") to suppress it;
g) "Attack method": a description of the method used by the "threat subject" in the attack process; each "attack method" exploits a type of vulnerability or weakness on the "attack target" in a particular way;
h) "Response measure": an effective measure against a specific "attack target"; when a security incident occurs, corresponding "response measures" may also be taken for post-event incident handling.
The threat information model defined in this standard is flexible and extensible, mainly in that the threat information components defined in the model are all optional and can be used independently or combined in any way. For example, in a specific application scenario only the relevant components of the threat information model may be used, without using all of them. This flexibility and extensibility makes the threat information model suitable for a variety of independent application scenarios.
Figure 1 Threat information model
The specific format of each of the eight threat information components shall meet the detailed requirements given in Chapter 6. See Appendix A for an example of complete cyber security threat information expressed in the threat information format of this standard.

6 Cybersecurity threat information components
6.1 Overview
This chapter specifies the format of the eight threat information components in the threat information model, including the attributes of each component and the format of the attribute values. The format of each component attribute is expressed using JSON data types, including String (string), JSONArray (JSON array) and JSONObject (JSON object).
6.2 Observable data
6.2.1 Overview
In the threat information model, "observable data" is the most basic component and is used to describe stateful data or measurable events related to a host or network. In form, "observable data" is a logical expression whose logical relationships are organized according to the following rules:
a) the expression of "observable data" is organized as a tree;
b) each non-leaf node represents the relationship between its child nodes, which is one of two kinds, an "or" relationship or an "and" relationship;
c) each leaf node is a discriminant that represents a specific check item, for example whether a file name contains a specified string or whether a registry key has a specified content. There are four discrimination methods: equal to, not equal to, contains and does not contain.
6.2.2 Field description
The observable data defined by this standard includes DNS basic records, email basic records, file download basic records, file information basic records, process information basic records, website access basic records, registry information basic records, user information basic records, system information basic records, etc. Observable data includes the following:
a) Identification number: a globally unique identifier within the sharing scope;
b) Reference identification number: a reference to "observable data" defined elsewhere;
c) Timestamp: used together with the identification number to specify the version of a local entry, or together with the reference identification number to specify the version of an external entry;
d) Version: the version of this standard used;
e) Name: the short name of the "observable data";
f) Description: detailed text describing this entry;
g) Brief description: short text describing this entry;
h) Relationship: the relationship between the "observable data" and other components;
i) Discriminant: a discriminant with logical operator relationships, representing a single item of "observable data" or a combination of several items; the combination rules are given in 6.2.1;
j) Object type: the type name of the "observable data"; besides the object types in 6.2.3, it may be extended according to the actual scenario.
The fields of an observable data object are described in Table 1.

Table 1 Field description of observable data objects
Field name          Field description                 Field format   Field necessity
id                  Identification number             String         Mandatory
idref               Reference identification number   String         Optional
timestamp           Timestamp                         String         Optional
version             Version                           String         Mandatory
title               Name                              String         Optional
description         Description                       String         Optional
short_description   Brief description                 String         Optional
object              Relationship                      String         Optional
value constraint    Discriminant                      String         Optional
object_type         Object type                       String         Optional

6.2.3 Specific observable data
6.2.3.1 DNS basic records
Basic DNS records mainly record observations related to DNS domain name resolution, including the following:
a) Domain name resolution host: the name of the server providing the domain name resolution service;
b) Domain name resolution record: the mapped IP address information that the DNS service provides for a given domain name, that is, the domain name resolution record;
c) DNS record type: the DNS service provides a variety of query and reverse-query services, including host records describing IPv4 address information, name server records describing the servers, mail exchange records describing mail servers, and so on; this field indicates the specific record type.
The fields of a basic DNS record are described in Table 2.

Table 2 Basic DNS records
Field name    Field description                    Field format   Field necessity
name_server   Domain name resolution host          String         Optional
record        IPv4 domain name resolution record   String         Optional
dns_type      DNS record type                      String         Optional

6.2.3.2 Basic email records
Basic email records mainly record observations related to emails, including the following:
a) MIME type of the email attachment: the multipurpose Internet mail extension type of the attachment, which indicates which application is appropriate for opening the file;
b) Name of the email attachment: the file name of the attachment, giving the attachment's file name and type;
c) Content of the email attachment: all of the information in the attached file;
d) Bcc address: the email Bcc address, indicating all Bcc recipients of the email;
e) Text of the email body: the entire text content of the body;
f) Email CC address: the email CC address, indicating all CC recipients of the email;
g) Email sender: the email address of the sender of the email;
h) Email quotation: the original text quoted when replying to the email, indicating the content of the original email body;
i) Email subject: the subj......
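The observable data component of 6.2 can be exercised in code: a consumer of shared threat information first checks an incoming observable against the field rules of Table 1 (and Table 2 for DNS basic records) and then evaluates its and/or discriminant tree against locally captured events. The Python example below is added here for illustration and is not code from GB/T 36643-2018 or its Appendix A. It assumes a JSON shape for the discriminant tree (inner nodes with `relation` and `children`, leaves with `field`, `op` and `value`), the spellings of the four discrimination methods, an `object_type` value of `"dns"`, and that the discriminant is carried as a JSON string in the String field "value constraint"; all sample identifiers, domain names and addresses are constructed for the example.

```python
"""Added example for the observable data component of GB/T 36643-2018.

Illustrative code, not the standard's own: validates a shared observable-data
object against the field rules of Table 1 (and Table 2 for DNS basic records)
and evaluates its and/or discriminant tree against captured DNS observations.
The JSON shape of the tree, the object_type value "dns", the op spellings and
every sample value are assumptions constructed for this example.
"""
from __future__ import annotations

import json
from typing import Any, Callable

# Table 1: field name -> mandatory?  Every Table 1 field is a JSON String.
TABLE1_FIELDS: dict[str, bool] = {
    "id": True, "idref": False, "timestamp": False, "version": True,
    "title": False, "description": False, "short_description": False,
    "object": False, "value constraint": False, "object_type": False,
}
# Table 2: DNS basic record fields; the check items a DNS discriminant may use.
TABLE2_DNS_FIELDS = ("name_server", "record", "dns_type")

# The four discrimination methods of 6.2.1 (key spellings are assumptions).
OPS: dict[str, Callable[[str, str], bool]] = {
    "equal": lambda actual, expected: actual == expected,
    "not_equal": lambda actual, expected: actual != expected,
    "contains": lambda actual, expected: expected in actual,
    "not_contains": lambda actual, expected: expected not in actual,
}


def validate_tree(node: dict[str, Any], allowed_fields: tuple[str, ...]) -> list[str]:
    """Check one discriminant tree: leaves are check items, inner nodes are and/or."""
    if "op" in node:  # leaf node = a single discriminant
        problems = []
        if node["op"] not in OPS:
            problems.append(f"unknown discrimination method {node['op']!r}")
        if node.get("field") not in allowed_fields:
            problems.append(f"leaf refers to unknown field {node.get('field')!r}")
        return problems
    if node.get("relation") not in ("and", "or"):
        return [f"unknown relation {node.get('relation')!r}"]
    children = node.get("children") or []
    if not children:
        return ["non-leaf node has no children"]
    return [p for child in children for p in validate_tree(child, allowed_fields)]


def validate_observable(obj: dict[str, Any]) -> list[str]:
    """Return problems against Tables 1 and 2; an empty list means valid."""
    problems = []
    for name, mandatory in TABLE1_FIELDS.items():
        if name not in obj:
            if mandatory:
                problems.append(f"missing mandatory field {name!r}")
        elif not isinstance(obj[name], str):
            problems.append(f"field {name!r} must be a String")
    # Assumption: the discriminant is a JSON document inside "value constraint".
    if obj.get("object_type") == "dns" and isinstance(obj.get("value constraint"), str):
        problems += validate_tree(json.loads(obj["value constraint"]), TABLE2_DNS_FIELDS)
    return problems


def evaluate(node: dict[str, Any], observation: dict[str, str]) -> bool:
    """Evaluate a discriminant tree against one captured observation."""
    if "op" in node:
        actual = observation.get(node["field"])
        if actual is None:
            # Check item absent from the capture: treat as not satisfied, even for
            # not_equal / not_contains, so missing data never produces a match.
            return False
        return OPS[node["op"]](actual, node["value"])
    results = [evaluate(child, observation) for child in node["children"]]
    return all(results) if node["relation"] == "and" else any(results)


def match_observations(observable: dict[str, Any],
                       observations: list[dict[str, str]]) -> list[int]:
    """Indexes of the observations that satisfy the observable's discriminant."""
    problems = validate_observable(observable)
    if problems:
        raise ValueError("invalid observable: " + "; ".join(problems))
    tree = json.loads(observable["value constraint"])
    return [i for i, ob in enumerate(observations) if evaluate(tree, ob)]


# Constructed sample observable: "an A answer inside 198.51.100.0/24 (documentation
# range), or any answer served by a host under resolver.example.net".
SAMPLE_OBSERVABLE: dict[str, str] = {
    "id": "example-org:observable-0001",
    "timestamp": "2019-05-01T00:00:00Z",
    "version": "GB/T 36643-2018",
    "title": "Constructed DNS observable",
    "object_type": "dns",
    "value constraint": json.dumps({
        "relation": "or",
        "children": [
            {"relation": "and", "children": [
                {"field": "dns_type", "op": "equal", "value": "A"},
                {"field": "record", "op": "contains", "value": "198.51.100."},
            ]},
            {"field": "name_server", "op": "contains", "value": "resolver.example.net"},
        ],
    }),
}

# Constructed local DNS observations keyed by the Table 2 field names.
SAMPLE_OBSERVATIONS: list[dict[str, str]] = [
    {"name_server": "ns1.example.org", "record": "198.51.100.23", "dns_type": "A"},
    {"name_server": "ns1.example.org", "record": "203.0.113.9", "dns_type": "A"},
    {"name_server": "bad.resolver.example.net", "record": "203.0.113.9", "dns_type": "MX"},
    {"name_server": "ns1.example.org", "record": "2001:db8::1"},  # dns_type not captured
]

if __name__ == "__main__":
    print(match_observations(SAMPLE_OBSERVABLE, SAMPLE_OBSERVATIONS))  # [0, 2]
```

Two design choices matter for detection use. A leaf whose check item is missing from the capture evaluates to false even for "not equal to" and "does not contain", so an incomplete observation can never satisfy a negative discriminant by accident. Validation happens before evaluation, so a shared entry with a malformed tree or a leaf naming a field outside Table 2 is rejected with a message instead of silently matching nothing.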