Re: [arch-d] draft-iab-m-ten-workshop

"Salz, Rich" <rsalz@akamai.com> Sat, 26 August 2023 14:21 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Hesham ElBakoury <helbakoury@gmail.com>, Arnaud Taddei <arnaud.taddei@broadcom.com>
CC: "architecture-discuss@ietf.org" <architecture-discuss@ietf.org>
Date: Sat, 26 Aug 2023 14:21:18 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/3roRkVWVcOQKNhLzP6BPGk93fMI>

Since this IAB report is mainly looking into encrypted data, I would assume that you are interested in the cases where ransomware attacks leverage encrypted data such as Encrypted Client Header (ECH), which can be used to hide the adversaries' command and control [https://www.ietf.org/archive/id/draft-campling-ech-deployment-considerations-07.txt]

It would be senseless to use ECH for C&C, since they are not hosting multiple services.  From what I have seen, most C&C centers are taken down by looking at the IP address and working from there, not examining TLS handshakes.