RSA EMC RID Server - RSAIntelShare/RID-Server GitHub Wiki
The EMC/RSA RID agent is an open source implementation of the Internet Engineering Task Force (IETF) standards for the exchange of incident and indicator data. The code has been released under an MIT license, and development will continue with the open source community at the GitHub site for RSA Intelligence Sharing:
https://github.com/RSAIntelShare/RID-Server.git
The code implements RFC6545, Real-time Inter-network Defense (RID), and RFC6546, Transport of RID over HTTP/TLS. The code supports the evolving RFC5070-bis Incident Object Description Exchange Format (IODEF) data model from the work of the IETF Managed Incident Lightweight Exchange (MILE) working group.
IODEF provides the common format needed as a building block for interoperable incident and indicator communications. IODEF focuses only on providing a format, or data model, that accommodates the most commonly exchanged data elements and the associated context for indicators and incidents. IODEF has a flexible and extensible design that allows standardized or private extensions to meet the needs of a specific use case or user group. Use case specific extensions may be included when relevant, such as the Abuse Reporting Format (ARF) when more detailed information is needed for email (the standard expected by most mail operators), or malware information through IEEE's MMDEF. MMDEF would be included through the Structured Cybersecurity Information draft. Support for these extensions is not available yet.
RID specifies a set of messages and the transport used to communicate incident information while taking policy, privacy, and security options into account. The security model for the API is specified in RID, which defines the security options and data markers as well as how a recipient must respond to those markers according to its policy requirements. This international standard also allows sharing to be limited based on policy requirements. For example, one organization may want to alert another organization about a type of attack without revealing all of the discovered details of that attack. The implementation currently includes the Report and Query exchanges. Implementing the other message flows should be straightforward starting from the existing reference implementation.
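As an added receiver-side example (not the RID-Server project's code), the following shows how a RID recipient can act on the RIDPolicy markers and the IODEF restriction attribute described above: it accepts only the Report and Query message types, and only from policy regions allowed by local policy, and it strips elements marked private before a report is forwarded to a peer. The element layout follows RFC6545 and RFC5070 as read by the editor and should be checked against the RFCs; the sample message, the incident identifiers and the allowed-region set are constructed assumptions.

```python
import xml.etree.ElementTree as ET

RID_NS = "urn:ietf:params:xml:ns:iodef-rid-2.0"
IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
NS = {"rid": RID_NS, "iodef": IODEF_NS}
for prefix, uri in NS.items():          # keep readable prefixes when re-serialising
    ET.register_namespace(prefix, uri)

# Constructed sample RID Report: one IODEF Incident whose EventData block is
# marked restriction="private" and must not leave the reporting organisation.
SAMPLE_REPORT = f"""<rid:RID xmlns:rid="{RID_NS}" xmlns:iodef="{IODEF_NS}">
 <rid:RIDPolicy MsgType="Report" MsgDestination="RIDSystem">
  <rid:PolicyRegion region="PeerToPeer"/><rid:TrafficType type="Attack"/>
  <iodef:IncidentID name="EXAMPLE-CSIRT">EXAMPLE-CSIRT#2013-001</iodef:IncidentID>
 </rid:RIDPolicy>
 <rid:ReportSchema><rid:XMLDocument dtype="xml">
  <iodef:IODEF-Document version="1.00" lang="en">
   <iodef:Incident purpose="reporting" restriction="need-to-know">
    <iodef:IncidentID name="EXAMPLE-CSIRT">EXAMPLE-CSIRT#2013-001</iodef:IncidentID>
    <iodef:ReportTime>2013-01-01T00:00:00Z</iodef:ReportTime>
    <iodef:Assessment><iodef:Impact type="dos"/></iodef:Assessment>
    <iodef:EventData restriction="private">
     <iodef:Description>analyst notes and internal host names</iodef:Description>
    </iodef:EventData>
   </iodef:Incident>
  </iodef:IODEF-Document>
 </rid:XMLDocument></rid:ReportSchema>
</rid:RID>"""

SUPPORTED_MSG_TYPES = {"Report", "Query"}            # the flows the page says are implemented
ALLOWED_REGIONS = {"PeerToPeer", "IntraConsortium"}  # local sharing policy (assumption)

def parse_policy(xml_text):
    """Pull the RIDPolicy markers a receiver must act on (use defusedxml in production)."""
    pol = ET.fromstring(xml_text).find("rid:RIDPolicy", NS)
    return {"msg_type": pol.get("MsgType"),
            "region": pol.find("rid:PolicyRegion", NS).get("region"),
            "traffic": pol.find("rid:TrafficType", NS).get("type")}

def accept(policy):
    """Policy decision: only implemented message types from regions we share with."""
    return policy["msg_type"] in SUPPORTED_MSG_TYPES and policy["region"] in ALLOWED_REGIONS

def redact_private(xml_text):
    """Remove every element marked restriction="private"; returns (xml, count removed)."""
    root = ET.fromstring(xml_text)
    private = [(parent, child) for parent in root.iter() for child in parent
               if child.get("restriction") == "private"]
    for parent, child in private:
        parent.remove(child)
    return ET.tostring(root, encoding="unicode"), len(private)
```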
RFC5070, IODEF: RFC5070 - IODEF
RFC6545, RID: http://datatracker.ietf.org/doc/rfc6545/
RFC6546, Transport of RID over HTTP/TLS: http://datatracker.ietf.org/doc/rfc6546/
RFC-5070-bis: https://datatracker.ietf.org/doc/draft-ietf-mile-rfc5070-bis/
Structured Cyber Security Information draft: http://datatracker.ietf.org/doc/draft-ietf-mile-sci/
IODEF Implementation Guidance Document: https://datatracker.ietf.org/doc/draft-ietf-mile-iodef-guidance/