Re: [Model-t] model-t@iab.org list description

Bret Jordan <jordan.ietf@gmail.com> Sat, 03 August 2019 14:37 UTC

From: Bret Jordan <jordan.ietf@gmail.com>
Date: Sat, 03 Aug 2019 08:37:09 -0600
Cc: Martin Thomson <mt@lowentropy.net>, model-t@iab.org
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/D1xxOaPe0Ov89neVZZiyUCECPS8>

I did not use anything from STIX. Are you referring to the use of kill chain phase? 

Bret 

Sent from my Commodore 64

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

> On Aug 3, 2019, at 7:33 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> 
> Hiya,
> 
> Two things:
> 
> - I'm not sure how applicable stix and other information model
> type approaches might be for addressing an Internet threat model,
> but that seems like a topic that'd deserve a thread or two...
> 
> - I generally like the attack surface metaphor and find it useful
> in thinking about security when making changes to a specific
> system or network. So that metaphor could certainly be useful.
> I'm not sure though that there is such a thing as "the full
> attack surface" that can be usefully enumerated.
> 
> Thanks,
> S.
> 
>> On 03/08/2019 05:24, Bret Jordan wrote:
>> To borrow your words…  “If we are going to take security seriously”…  we need to understand and document the full attack surface.  So let us start listing them out.  Here are four.
>> 
>> 
>> Attack: Active remote attack
>> Exposure: Full compromise of system and data
>> Client Knowledge: Potential indicators may be visible
>> Protection Possibilities: Deploy both client and network level protections
>> Headwinds: Client based protections are usually inadequate
>> Severity: High
>> Kill-Chain Phase: Lateral Movement 
>> 
>> Attack: Active in-band attack
>> Exposure: Full compromise of system and data
>> Client Knowledge: Potential indicators may be visible
>> Protection Possibilities: Deploy both client and network level protections, user awareness training, content and DNS filtering
>> Headwinds: Client based protections are usually inadequate
>> Severity: High
>> Kill-Chain Phase: Delivery and Exploitation 
>> 
>> Attack: Passive monitoring of traffic
>> Exposure: Information about where traffic is going and potentially details of the content being shared 
>> Client Knowledge: No, it is very hard to detect passive monitoring tools
>> Protection Possibilities: Encrypt traffic 
>> Headwinds: Global adoption of better encryption
>> Severity: Low
>> Kill-Chain Phase: Reconnaissance
>> 
>> Attack: Active in-band monitoring and tracking 
>> Exposure: Information about what the user is doing and where they are going 
>> Client Knowledge: Generally no 
>> Protection Possibilities: Client and network level protections
>> Headwinds: Some clients are making it hard to deploy client side protections 
>> Severity: Low
>> Kill-Chain Phase: Reconnaissance
>> 
>> 
>> 
>> Thanks,
>> Bret
>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
>> 
>>> On Aug 2, 2019, at 9:18 PM, Martin Thomson <mt@lowentropy.net> wrote:
>>> 
>>> On Sat, Aug 3, 2019, at 03:58, Michael Richardson wrote:
>>>> What I'm trying to say is that there are some threats that we deal with
>>>> on the Capital-Internet that are far more manageable in the small.
>>> 
>>> Like a red rag to a bull...
>>> 
>>> I don't think that this is a sustainable attitude.  If we are going to take security seriously, we have to consider every networked device to be exposed to a hostile environment.  Now that doesn't mean that you can't take steps to limit hostility in networks, and there might be sound reasons to believe that the degree to which you have to expend resources in defense of certain attacks is different as a result.  But the notion of a gooey middle remains a big part of the problem statement.
>>> 
>>> This isn't really on-topic for this list as I understand it, and I wasn't planning to say much here until someone said this.  Sorry Michael :)
>>> 
>>> -- 
>>> Model-t mailing list
>>> Model-t@iab.org
>>> https://www.iab.org/mailman/listinfo/model-t
>> 
>> 
>> 
> <0x5AB2FAF17B172BEA.asc>