Re: [Model-t] What are we trying to protect

Bret Jordan <jordan.ietf@gmail.com> Mon, 05 August 2019 15:41 UTC

From: Bret Jordan <jordan.ietf@gmail.com>
Message-Id: <1EE9B058-48A1-4118-950B-FA324397FBE5@gmail.com>
Date: Mon, 05 Aug 2019 09:41:31 -0600
In-Reply-To: <3A58A1E0-83E9-4FD2-8317-FB60E4A05B84@huitema.net>
Cc: Eric Rescorla <ekr@rtfm.com>, Dominique Lazanski <dml@lastpresslabel.com>, Ted Lemon <mellon@fugue.com>, model-t@iab.org
To: Christian Huitema <huitema@huitema.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/a34DcUEj8jMWFqB6QIoE9nlbREI>
Subject: Re: [Model-t] What are we trying to protect

As I have illustrated, the 4 attack groups cover these general high level attacks that everyone on the internet faces. These are things that I think we CAN do something about. 

I am not suggesting that we should talk about specific instances or specific types of attacks.  Those would be things like how threat actor FOO compromises layer 2 cache on the CPU to jump between virtual machines in a cloud provider, or how threat actor bar attacks specific IoT devices from a compromised data center in some geo-center to finally launch an attack against a nation's power grid.  While some of these attacks are interesting and very elaborate in nature, they are not in scope. 

1) Attacking the system directly.

2) Delivering an attack through a user-initiated session or exfiltrating data through said session.

3) Passive monitoring of all traffic.

4) Monitoring and tracking all users' traffic inside their session.


Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

> On Aug 5, 2019, at 9:10 AM, Christian Huitema <huitema@huitema.net> wrote:
> 
>> On Aug 5, 2019, at 7:07 AM, Bret Jordan <jordan.ietf@gmail.com> wrote:
>> 
>> I fully get that many here do not understand the attack lifecycle at the same level or understand what an intrusion set is and how that relates to threat actor techniques, tactics, and procedures (or their modus operandi). I also know that most here probably do not track threat actor activity.  But some of us do.  We need to bring some of this knowledge and expertise into the IETF to help ensure that we design things that improve overall security for end users on the internet.
> 
> I am sure that some of us do understand the struggle against progressive penetration of organizations' networks and eventual looting of customer data and corporate secrets. On the other hand, the IETF is not going to opine on specific techniques like isolation of credentials or monitoring Active Directory servers, or on the signal-to-noise ratio of intrusion detection systems. I want to wait until we have an actual list of goals and assets, but I suspect that we will need limits.
> 
> Some things might be in scope, though. Many of the penetration attacks start with phishing campaigns, using either web access or email. And SMTP is probably in scope. But phishing through social networks would not be.
> 
> -- Christian Huitema 