Re: [OPSEC] Robert Wilton's Yes on draft-ietf-opsec-indicators-of-compromise-03: (with COMMENT)

Andrew S2 <andrew.s2@ncsc.gov.uk> Mon, 16 January 2023 12:11 UTC

From: Andrew S2 <andrew.s2@ncsc.gov.uk>
To: Robert Wilton <rwilton@cisco.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-opsec-indicators-of-compromise@ietf.org" <draft-ietf-opsec-indicators-of-compromise@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, "furry13@gmail.com" <furry13@gmail.com>
Date: Mon, 16 Jan 2023 12:10:48 +0000
Message-ID: <LO0P123MB4843192B4D9687F395842065E3C19@LO0P123MB4843.GBRP123.PROD.OUTLOOK.COM>
References: <167327446463.4194.5709582879287892264@ietfa.amsl.com>
In-Reply-To: <167327446463.4194.5709582879287892264@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/-4DlGoNDob50unAD1-PAEWKEkT8>
Subject: Re: [OPSEC] Robert Wilton's Yes on draft-ietf-opsec-indicators-of-compromise-03: (with COMMENT)

Hi Rob,

Thanks very much for your review. With regard to your questions, we think that while it would be feasible for threat actors to use automated threat feeds in this way, the authors haven't seen an example of a threat actor doing this or of specific mitigations that defenders are putting in place against it. It's certainly something to be mindful of, and a reason to share IoCs responsibly to limit the chance that they are obtained by threat actors. However, exploiting automated IoC feeds is likely to be too complex for all but sophisticated threat actors working against sophisticated targets to attempt, and it would likely be frustrated by good operational security practices for the majority of their targets.

Many thanks,
Andy

-----Original Message-----
From: Robert Wilton via Datatracker <noreply@ietf.org> 
Sent: 09 January 2023 14:28
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-opsec-indicators-of-compromise@ietf.org; opsec-chairs@ietf.org; opsec@ietf.org; furry13@gmail.com; furry13@gmail.com
Subject: Robert Wilton's Yes on draft-ietf-opsec-indicators-of-compromise-03: (with COMMENT)

Robert Wilton has entered the following ballot position for
draft-ietf-opsec-indicators-of-compromise-03: Yes

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Hi,

Thanks for this informative read.

When sharing IoCs, is there ever a concern that the attackers themselves may make use of an IoC feed, particularly one that is generated in a machine readable format, to automatically modify their attacks to mitigate the defenses?  Are steps taken to mitigate this, or is this not really a practical concern at this time?

Regards,
Rob
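The mitigation Andy's reply points to, sharing IoCs responsibly so that a machine-readable feed does not hand indicators to the people they describe, comes down to a redistribution gate. The script below is an added illustration for this thread and is not code from the draft, the NCSC or the IETF: it consumes a small constructed feed in a simplified JSON layout (not STIX), and forwards each indicator only to the channels its Traffic Light Protocol (TLP 2.0) label allows, failing closed on records that carry no recognised label. The channel names, the policy mapping and every indicator value are assumptions made up for the example.

```python
"""
Gate redistribution of a machine-readable IoC feed by its TLP marking.

Added example, not from draft-ietf-opsec-indicators-of-compromise or the
authors' tooling: indicators arrive from several sources and are forwarded
only to the channels their TLP 2.0 label permits, so that an indicator
shared in confidence never lands in a public, automated feed that an
adversary could read and react to.
"""
import json
from typing import Dict, FrozenSet, List

# TLP 2.0 labels as published by FIRST, least to most restrictive.
TLP_LABELS = ("CLEAR", "GREEN", "AMBER", "AMBER+STRICT", "RED")

# Which labels each downstream channel may receive. Channel names and this
# mapping are assumptions for the example, not part of any standard.
CHANNEL_POLICY: Dict[str, FrozenSet[str]] = {
    "public_feed": frozenset({"CLEAR"}),
    "community_feed": frozenset({"CLEAR", "GREEN"}),
    "org_siem": frozenset(TLP_LABELS),
}

# Constructed sample feed: none of these values refers to real infrastructure.
SAMPLE_FEED = json.dumps([
    {"type": "domain", "value": "c2.example", "tlp": "CLEAR", "source": "partner-a"},
    {"type": "ipv4", "value": "192.0.2.10", "tlp": "GREEN", "source": "partner-a"},
    {"type": "url", "value": "http://drop.example/p", "tlp": "AMBER", "source": "partner-b"},
    {"type": "sha256",
     "value": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
     "tlp": "RED", "source": "ir-team"},
    # Unlabelled record from an older export: must not be treated as shareable.
    {"type": "domain", "value": "stale.example", "source": "legacy-export"},
    # TLP 1.0 label: deliberately not auto-mapped to CLEAR; the producer must relabel.
    {"type": "ipv4", "value": "198.51.100.7", "tlp": "WHITE", "source": "old-tool"},
])


def parse_feed(raw: str) -> List[dict]:
    """Parse the feed and fail closed: any record without a recognised TLP 2.0
    label or without the mandatory fields is dropped, never defaulted open."""
    accepted: List[dict] = []
    for rec in json.loads(raw):
        if rec.get("tlp") not in TLP_LABELS:
            continue
        if not all(key in rec for key in ("type", "value", "source")):
            continue
        accepted.append(rec)
    return accepted


def for_channel(records: List[dict], channel: str) -> List[dict]:
    """Return the subset of records whose label the channel may receive.
    An unknown channel raises KeyError rather than receiving anything."""
    allowed = CHANNEL_POLICY[channel]
    return [rec for rec in records if rec["tlp"] in allowed]


def distribute(raw: str) -> Dict[str, List[str]]:
    """Map each channel to the indicator values it is permitted to publish."""
    records = parse_feed(raw)
    return {
        channel: [rec["value"] for rec in for_channel(records, channel)]
        for channel in CHANNEL_POLICY
    }


if __name__ == "__main__":
    for channel, values in distribute(SAMPLE_FEED).items():
        print(f"{channel}: {values}")
```

Two of the six constructed records never leave the parser: the unlabelled one and the one still carrying a TLP 1.0 label. That is the point of failing closed at the gate rather than at each consumer: a producer that forgets a marking loses reach, not confidentiality. The example does not address the other half of Rob's question, an attacker watching a feed to retire burned infrastructure, which the authors say they have not observed in practice.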