[mile] New Version Notification for draft-paine-smart-indicators-of-compromise-00.txt

Kirsty P <Kirsty.p@ncsc.gov.uk> Fri, 06 March 2020 13:30 UTC

From: Kirsty P <Kirsty.p@ncsc.gov.uk>
To: "mile@ietf.org" <mile@ietf.org>, "sacm@ietf.org" <sacm@ietf.org>
Date: Fri, 6 Mar 2020 13:30:50 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/0tgHR4w9tzQKRqQhkc9rFCQCfb4>
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>

MILE and SACM,

Please see below for details of my new draft on Indicators of Compromise (IoCs) - it was suggested to me that the topic may be of interest to you. I welcome your comments, discussion or feedback on this draft - please do get in touch.

Kirsty



A new version of I-D, draft-paine-smart-indicators-of-compromise-00.txt
has been successfully submitted by Kirsty Paine and posted to the
IETF repository.

Name:           draft-paine-smart-indicators-of-compromise
Revision:       00
Title:          Indicators of Compromise (IoCs) and Their Role in Attack Defence
Document date:  2020-03-06
Group:          Individual Submission
Pages:          15
URL:            https://www.ietf.org/id/draft-paine-smart-indicators-of-compromise-00.txt
Status:         https://datatracker.ietf.org/doc/draft-paine-smart-indicators-of-compromise/
Htmlized:       https://tools.ietf.org/html/draft-paine-smart-indicators-of-compromise-00
Htmlized:       https://datatracker.ietf.org/doc/html/draft-paine-smart-indicators-of-compromise


Abstract:
   Indicators of Compromise (IoCs) are an important technique in attack
   defence (often called cyber defence).  This document outlines the
   different types of IoC, their associated benefits and limitations,
   and discusses their effective use.  It also contextualises the role
   of IoCs in defending against attacks through describing a recent case
   study.  This draft does not pre-suppose where IoCs can be found or
   should be detected - as they can be discovered and deployed in
   networks, endpoints or elsewhere - rather, engineers should be aware
   that they need to be detectable (either by endpoint security
   appliances or network-based defences, or ideally both) to be
   effective.

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk. All material is UK Crown Copyright ©