
GB/T 36643-2018 English PDF

GB/T 36643-2018: Information security technology -- Cyber security threat information format
Status: Valid


Basic data

Standard ID: GB/T 36643-2018 (GB/T36643-2018)
Description (translated English): Information security technology -- Cyber security threat information format
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word count estimation: 34,369
Date of issue: 2018-10-10
Date of implementation: 2019-05-01
Issuing agency(ies): State Administration for Market Regulation; China National Standardization Administration

GB/T 36643-2018: Information security technology -- Cyber security threat information format

---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
Information security technology - Cyber security threat information format
ICS 35.040
L80
National Standards of the People's Republic of China
Information security technology - Cyber security threat information format specification
Released 2018-10-10; Implemented 2019-05-01
Issued by: State Administration for Market Regulation; China National Standardization Administration

Table of contents

Preface
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Cybersecurity threat information model
5.1 Overview
5.2 Threat information dimensions
5.3 Threat information components
6 Cybersecurity threat information components
6.1 Overview
6.2 Observable data
6.3 Attack indicators
6.4 Security incidents
6.5 Attacks
6.6 Attack methods
6.7 Response measures
6.8 Threat subject
6.9 Target
Appendix A (informative) Example of complete cybersecurity threat information expressed in JSON
References

Foreword

This standard was drafted in accordance with the rules given in GB/T 1.1-2009. Please note that certain contents of this document may involve patents. The issuing agency of this document is not responsible for identifying these patents. This standard was proposed and is managed by the National Information Security Standardization Technical Committee (SAC/TC260). Drafting organizations of this standard: China Electronics Standardization Institute, Beijing Saixi Technology Development Co., Ltd., Beijing Tianjiyoumengxin Information Technology Co., Ltd., Beijing Qi’anxin Technology Co., Ltd., Institute of Information Engineering, Chinese Academy of Sciences, Third Research Institute of Ministry of Public Security, China Information Security Evaluation Center, National Computer Network Emergency Technology Coordination Center, CLP Great Wall Internet System Application Co., Ltd., China Electronics Technology Network Information Security Co., Ltd., Alibaba (Beijing) Software Service Co., Ltd., Baidu Online Network Technology (Beijing) Co., Ltd., Beijing Shenzhou NSFOCUS Information Security Technology Co., Ltd., Beijing Venus Information Security Technology Co., Ltd., China NetCloud (Beijing) Information Technology Co., Ltd., Yuanjiang Shengbang (Beijing) Network Security Technology Co., Ltd., Beijing Junyuan Venture Capital Investment Management Co., Ltd., Beijing Pai.com Software Co., Ltd., Sangfor Technology Co., Ltd., Institute of Software, Chinese Academy of Sciences, Beijing Tianrongxin Network Security Technology Co., Ltd., Tencent Cloud Computing (Beijing) Co., Ltd., Shanghai Jiaotong University, Beijing University of Technology, Xidian University, Beijing University of Posts and Telecommunications, Beijing Zhongdian Puhua Information Technology Co., Ltd., People's Public Security University of China, Wuhan University. The main drafters of this standard:
Cai Lei, Ye Runguo, Yang Jianjun, Liu Xiangang, Fan Kefeng, Min Jinghua, Bao Xuhua, Liu Weixin, Feng Detective, Jin Xiangyu, Dong Xiaokang, Yang Dalu, Yang Zeming, Li Kepeng, Li Qiang, Song Chao, Sun Wei, He Xinpeng, Li Zongyang, Sun Bo, Liang Lulu, Song Haohao, Wang Huilai, Liu Huijing, Sun Chengsheng, Quan Xiaowen, Li Jianhua, Lei Xiaofeng, Pei Qingqi, Yi Jin, Liu Yuling, Li Yan, Shi Bo, Sun Zhaohui, Zhou Yi, Zou Rongxin, Zeng Zhifeng, Ye Jianwei, Yang Zhen, Ma Zhanyu, Zhanpeng Zhai, Cao Zhanfeng, Jiang Zhengwei, Du Yanhui, Wang Lina.

Introduction

As the contest between network attack and defence intensifies, attack methods and techniques are becoming more diverse and complex. Threats are increasingly general and persistent, and attack tools are ever easier for attackers to obtain, so cyber attacks impose a huge cost while becoming harder and harder to reduce and detect. Traditional network security protection schemes, which rely only on independently implemented vertical protection mechanisms, are increasingly inefficient against these complex attacks, and new technical measures are urgently needed to improve overall protection capability.

The sharing and utilization of network security threat information is an important measure for improving the overall efficiency of network security protection. It uses a variety of technical means to collect large-scale, multi-channel, fragmented attack or anomaly data; integrates, merges and analyses that data centrally and in depth; and forms threat information clues relevant to protection. On that basis, proactive and coordinated warning, detection and response to network security threats can be carried out, which reduces the cost of protecting against those threats and improves overall protection efficiency. Sharing and using threat information is also an important link in protecting critical information infrastructure: it enables the rapid transmission of threat information across organizations, so that complex threats can be detected in time and responded to quickly. Standardizing the format and exchange of cybersecurity threat information is the prerequisite and basis for its sharing and utilization, and is of great significance for promoting the development and industrial application of cybersecurity threat information technology.

1 Scope

This standard specifies the cybersecurity threat information model and the cybersecurity threat information components, including the attributes of each component and the format of their attribute values. It applies to the generation, sharing and use of cybersecurity threat information between suppliers and consumers of such information, and may be used as a reference for the construction and operation of cybersecurity threat information sharing platforms.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document.

GB/T 18336.1-2015 Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model
GB/T 20274.1-2006 Information security technology - Evaluation framework for information systems security assurance - Part 1: Introduction and general model
GB/T 25069-2010 Information security technology - Terminology
GB/T 28458-2012 Information security technology - Vulnerability identification and description specification

3 Terms and definitions

The terms and definitions given in GB/T 18336.1-2015, GB/T 20274.1-2006 and GB/T 25069-2010, together with the following, apply to this document.

3.1 Cybersecurity: the maintenance of the confidentiality, integrity and availability of information in cyberspace. [ISO/IEC 27032:2012, definition 4.20]

3.2 Threat: a potential cause of an undesired event that may cause harm to a system or organization. [GB/T 29246-2017, definition 2.83]

3.3 Threat information: evidence-based knowledge that describes existing or possible threats, so that threats can be responded to and prevented. Note: threat information includes context, attack mechanism, attack indicators and possible impact.

3.4 Vulnerability: a weakness in an asset or control that may be exploited by one or more threats. [GB/T 29246-2017, definition 2.89]

3.5 Cyber kill chain: a multi-step attack model used to describe the successive steps of an attack. Note: a common seven-step model consists of information collection, tool development, tool delivery, vulnerability exploitation, backdoor installation, command and control, and achievement of the attack objective.

4 Abbreviations

The following abbreviations apply to this document.

DNS: Domain Name System
IP: Internet Protocol
JSON: JavaScript Object Notation
MD5: Message Digest Algorithm 5
PE: Portable Executable
URL: Uniform Resource Locator
TTP: Tactics, Techniques, and Procedures

5 Cybersecurity threat information model

5.1 Overview

This standard provides a structured method for describing cybersecurity threat information, so that organizations can share and use it and so that threat management and threat-related applications can be automated. Achieving this requires a common model that describes threat information in a unified way; such a model keeps descriptions consistent, improves the efficiency and interoperability of threat information sharing, and improves overall cyber security threat situation awareness.

5.2 Threat information dimensions

This standard defines a general cybersecurity threat information model (hereinafter the "threat information model"). The model divides threat information along three dimensions, object, method and event, into eight components that describe a cybersecurity threat: observable data (Observation), attack indicator (Indicator), security incident (Incident), attack activity (Campaign), threat subject (ThreatActor), attack target (ExploitTarget), attack method (TTP) and response measures (CourseOfAction). The eight components fall into three domains:

a) Object domain: the roles participating in a cybersecurity threat; two components, "threat subject" (usually the attacker) and "attack target" (usually the victim);
b) Method domain: the method elements of a cybersecurity threat; two components, "attack method" (the methods, techniques and procedures the attacker uses) and "response measures" (the early warning, detection, protection and response actions taken against an attack);
c) Event domain: events related to a cybersecurity threat at different levels; four components, "attack activity" (an attack with an economic or political objective), "security incident" (the act of penetrating an information system), "attack indicator" (a single-step attack) and "observable data" (basic events captured at the network or host level).

5.3 Threat information components

Figure 1 shows the threat information model. It contains eight threat information components, and each component contains the attributes of the element itself and its relationships with other components; relationship information is the key element of the model. In the model:

a) "Observable data" are stateful attributes or measurable events related to a host or network, and are the most basic component of the model;
b) An "attack indicator" is a technical indicator used to identify a specific "attack method"; it combines multiple "observable data" into a detection rule for a "security incident";
c) A "security incident" is a network attack, detected on the basis of the corresponding indicators ("attack indicators"), that may affect a specific organization; a specific incident may involve a "threat subject", an "attack method" and "response measures";
d) An "attack activity" is a series of attack actions with a specific intent, carried out by a "threat subject" using specific "attack methods"; an attack activity generates a series of "security incidents";
e) A "threat subject" is the subject that initiates an "attack activity" and uses the related "attack methods" to achieve its intent;
f) An "attack target" consists of the software, system and network vulnerabilities or weaknesses used by an "attack method"; for each attack target there are corresponding effective measures ("response measures") that suppress it;
g) An "attack method" describes the methods used by a "threat subject" during an attack; each "attack method" exploits a type of vulnerability or weakness on an "attack target";
h) "Response measures" are the effective measures against a specific "attack target"; when a security incident occurs, "response measures" may also be taken for post-incident handling.

The threat information model defined in this standard is flexible and extensible: the components it defines are optional and can be used independently or combined in any way. In a particular application scenario, only the relevant components of the model need be used rather than all of them, which makes the model suitable for a wide range of independent application scenarios.

Figure 1 Threat information model

The format of each of the eight threat information components shall meet the detailed requirements given in Chapter 6. See Appendix A for an example of complete cybersecurity threat information in the format of this standard.

6 Cybersecurity threat information component

6.1 Overview

This chapter specifies the format of the eight threat information components of the threat information model: the attributes of each component and the format of their attribute values. The format of each attribute is given as a JSON data type: String, JSONArray (JSON array) or JSONObject (JSON object).

6.2 Observable data

6.2.1 Overview

In the threat information model, "observable data" is the most basic component; it describes stateful data or measurable events related to a host or network. Formally, "observable data" is a logical expression whose logical relationships are organized by the following rules:

a) the expression is organized as a tree;
b) each non-leaf node represents the relationship between its child nodes, which is either an "or" relationship or an "and" relationship;
c) each leaf node is a discriminant representing one specific check, for example whether a file name contains a specified string or whether a registry key holds specified content. There are four discrimination methods: equal to, not equal to, contains and does not contain.

6.2.2 Field description

The observable data defined by this standard include DNS basic records, email basic records, file download basic records, file information basic records, process information basic records, website access basic records, registry information basic records, user information basic records, system information basic records, and so on. Observable data contain the following:

a) identification number, globally unique within the sharing scope;
b) reference identification number, used to reference "observable data" defined elsewhere;
c) timestamp, used together with the identification number to specify the version of a local entry, or together with the reference identification number to specify the version of an external entry;
d) version, the version of this standard used;
e) name, the short name of the "observable data";
f) description, a detailed textual description of the entry;
g) brief description, a short textual description of the entry;
h) relationship, the relationship between the "observable data" and other components;
i) discriminant, a discriminant with logical operator relationships that represents a single "observable data" or a combination of several, combined as described in 6.2.1;
j) object type, the type name of the "observable data"; besides the object types in 6.2.3, it may be extended according to the actual scenario.

The fields of an observable data object are described in Table 1.

Table 1 Field description of observable data objects

Field name | Field description | Field format | Necessity
id | identification number | String | mandatory
idref | reference identification number | String | optional
timestamp | timestamp | String | optional
version | version | String | required
title | name | String | optional
description | description | String | optional
short_description | brief description | String | optional
object relationship | relationship | String | optional
value constraint | discriminant | String | optional
object_type | object type | String | optional

(The names of the relationship and discriminant fields appear on this page as "object relationship" and "value constraint" respectively.)

6.2.3 Specific observable data

6.2.3.1 DNS basic records

DNS basic records mainly record observations related to DNS domain name resolution, including the following:
a) domain name resolution host, the name of the server that provides the domain name resolution service;
b) domain name resolution record, the mapped IP address information that the DNS service provides for a given domain name;
c) DNS record type: the DNS service provides a variety of query and reverse-query services, including host records describing IPv4 address information, name server records describing the server, mail exchange records describing the mail server, and others; this field gives the specific record type.

The fields of a DNS basic record are described in Table 2.

Table 2 DNS basic records

Field name | Field description | Field format | Necessity
name_server | domain name resolution host | String | optional
record | IPv4 domain name resolution record | String | optional
dns_type | DNS record type | String | optional

6.2.3.2 Basic email records

Basic email records mainly record observations related to emails, including the following:
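The tree rules of 6.2.1 and the field necessity of Table 1 are enough to implement an evaluator, so the following is an added example of one, written for this page and not code from GB/T 36643-2018 or any of its drafting organizations. The standard does not give, on this page, the JSON encoding of the discriminant tree, so the encoding used here (a leaf holding "field", "op" and "value", a non-leaf holding "op" and "children", the tree stored under an assumed key "discriminant"), the object_type name, the identifier and every sample value are assumptions; the observed records use the DNS basic record field names of Table 2 and documentation-range addresses.

```python
"""Evaluate the discriminant tree of an "observable data" component.

Added example, not code from GB/T 36643-2018. The standard fixes the tree
rules of 6.2.1 (a non-leaf node is an "and"/"or" over its children; a leaf
node is one check using equals, not equals, contains or not contains) and
the necessity of Table 1 (id mandatory, version required). The JSON
encoding of the tree below is an assumption of this example:

  leaf:     {"field": <record field>, "op": <method>, "value": <string>}
  non-leaf: {"op": "and" | "or", "children": [<node>, ...]}
"""
import json

REQUIRED_FIELDS = ("id", "version")  # Table 1: id is mandatory, version is required

# The four discrimination methods of 6.2.1 c), applied to string values
LEAF_OPS = {
    "equals":       lambda actual, expected: actual == expected,
    "not_equals":   lambda actual, expected: actual != expected,
    "contains":     lambda actual, expected: expected in actual,
    "not_contains": lambda actual, expected: expected not in actual,
}


def evaluate(node, record):
    """Recursively evaluate one discriminant node against one observed record."""
    op = node["op"]
    if op in ("and", "or"):
        results = [evaluate(child, record) for child in node["children"]]
        return all(results) if op == "and" else any(results)
    if op not in LEAF_OPS:
        raise ValueError(f"unknown discrimination method: {op!r}")
    actual = record.get(node["field"])
    if actual is None:
        # Policy of this example: a field absent from the observation never
        # satisfies a check, not even a negated one, so a sparse record
        # cannot match by accident.
        return False
    return LEAF_OPS[op](str(actual), str(node["value"]))


def missing_required(observable):
    """Return the Table 1 required fields that are absent or empty."""
    return [f for f in REQUIRED_FIELDS if not observable.get(f)]


def matches(observable, record):
    """Validate the observable data object, then evaluate its tree on a record."""
    missing = missing_required(observable)
    if missing:
        raise ValueError(f"observable data missing required fields: {missing}")
    return evaluate(observable["discriminant"], record)  # key name assumed


# Constructed observable data object over DNS basic record fields (Table 2:
# name_server, record, dns_type). Address and resolver name are
# documentation-range placeholders, not real indicators.
OBSERVABLE = {
    "id": "observable--0001",            # constructed identifier
    "version": "1.0",                    # constructed version string
    "title": "A record resolving to a watched address",
    "object_type": "dns_basic_record",   # constructed type name
    "discriminant": {
        "op": "and",
        "children": [
            {"field": "dns_type", "op": "equals", "value": "A"},
            {"op": "or", "children": [
                {"field": "record", "op": "equals", "value": "192.0.2.10"},
                {"field": "name_server", "op": "contains", "value": "watched-resolver.example"},
            ]},
        ],
    },
}

# Constructed DNS basic records to evaluate against
SAMPLE_RECORDS = [
    {"name_server": "ns1.example.net", "record": "192.0.2.10", "dns_type": "A"},
    {"name_server": "ns1.example.net", "record": "198.51.100.7", "dns_type": "A"},
    {"name_server": "ns.watched-resolver.example", "record": "198.51.100.7", "dns_type": "MX"},
]


def run_samples():
    """Evaluate OBSERVABLE on each sample record; returns one bool per record."""
    return [matches(OBSERVABLE, r) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for rec, hit in zip(SAMPLE_RECORDS, run_samples()):
        print(hit, json.dumps(rec))
```

Only the first sample record matches: the second resolves elsewhere, and the third comes from the watched resolver but is an MX record, so the top-level "and" fails. Treating an absent field as a non-match is a deliberate choice for negated checks; a consumer that wants "not contains" to match sparse records would need to document that difference before sharing indicators.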
a) the Multipurpose Internet Mail Extension (MIME) type of the email attachment, which indicates the appropriate application for opening the file;
b) the name of the email attachment, giving the file name and type of the attached file;
c) the content of the email attachment, that is, all the information in the attached file;
d) the Bcc address, giving all Bcc recipients of the email;
e) the text of the email body, that is, the entire text content of the body;
f) the email CC address, giving all CC recipients of the email;
g) the sender of the email, that is, the sender's email address;
h) the email quotation, the original text quoted when replying, that is, the content of the original email body;
i) the subject of the email, the headline information of the email content;
j) the email recipients, the email addresses of all recipients.

The fields of a basic email record are described in Table 3.

Table 3 Basic email records

Field name | Field description | Field format | Necessity
is_multipart | MIME type of the email attachment | String | optional
attachment_name | email attachment name | String | optional
attachment_content | email attachment content | String | optional
bcc_refs | Bcc address | JSONArray | optional
body | text of the email body | String | optional
cc_refs | email CC address | JSONArray | optional
from_ref | email sender | String | optional
quote | email quotation | String | optional
subject | email subject | String | optional
to_refs | email recipients | JSONArray | optional

6.2.3.3 Basic record of file download

The basic record of file download mainly records observations related to file downloads, including the following:
a) file download history name, the file name recorded in the download history, indicating the name and type of the downloaded file;
b) file download browser name, the name of the browser used for the download, indicating how the file was downloaded;
c) file download bytes, the number of bytes downloaded, indicating the size of the downloaded file;
d) file download name, the file name of the download;
e) file download start time, the recorded start time of the download, usually accurate to the second.

The fields of a basic file download record are described in Table 4.

Table 4 Basic record of file download

Field name | Field description | Field format | Necessity
historic_name | file download history name | String | optional
browser | file download browser name | String | optional
file_byte | file download bytes | String | optional
file_name | file download name | String | optional
start_time | file download start time | String | optional

6.2.3.4 Basic record of file information

The basic record of file information mainly records observations related to file information, including the following:

a) file name, indicating the file name and file type;
b) file path, the name of the folder in which the file is located;
c) full path of the file, the absolute path at which the file is stored;
d) MD5 value of the file; if the file changes in any way, its MD5 value also changes;
e) file certificate issuer, the organization that issued the file's certificate;
f) file export functions, the export functions the file provides to third parties;
g) file import functions, used to import data from third-party files;
h) file import name, the name of the imported third-party file;
i) file compilation time, usually accurate to the second;
j) PE file resource information name; resources contain data in various forms, such as strings and images;
k) PE file resource information size, the total number of bytes of resource information in the PE file;
l) file section name, a string composed of ANSI characters;
m) file PE type, the PE type to which the file belongs, such as EXE, DLL, OCX, SYS or COM;
n) PE version company name, the company name given in the PE file version information;
o) PE version file description, the description given in the PE file version information;
p) PE version file version, the file version number given in the PE file version information;
q) PE version legal copyright, the legal copyright notice given in the PE file version information;
r) PE version original file name, the original file name given in the PE file version information;
s) PE version product name, the product name given in the PE file version information;
t) PE version product version, the product version number given in the PE file version information;
u) file SHA1, the SHA1 value of the file; like the MD5 value, it serves as a file fingerprint;
v) file SHA256, the SHA256 value of the file; like the MD5 value, it serves as a file fingerprint;
w) file size, the number of bytes in the file, indicating the storage space it occupies;
x) file digital signature description, used to verify the source and integrity of the file.

The fields of a basic file information record are described in Table 5.

Table 5 Basic record of file information

Field name | Field description | Field format | Necessity
name | file name | String | optional
path | file path | String | optional
complete_path | file full path | String | optional
MD5 | file MD5 value | String | optional
cert_publisher | file certificate issuer | String | optional
export_function | file export function | JSONArray | optional
import_function | file import function | JSONArray | optional
import_name | file import name | String | optional
compilation_time | file compilation time | String | optional
PE_resource_name | PE file resource information name | String | o...
